DORA Compliance Is Here: How Finance and Crypto Must Adapt

The Digital Operational Resilience Act (DORA) redefines ICT risk standards for finance and crypto. Learn who must comply, what’s required, and how resilience is now enforced.
DORA Regulation Scope
First, the fundamentals: what is DORA?
The Digital Operational Resilience Act (DORA) is the EU’s regulatory response to a rapidly digitizing financial sector — one that’s increasingly exposed to systemic Information and Communication Technology (ICT) disruptions, supply chain attacks, and evolving cyber threats. Effective since January 2023 and fully enforceable from January 2025, the DORA Act introduces a legally binding framework to ensure that financial institutions can withstand, respond to, and recover from operational disruptions tied to information and communication technologies.
Unlike earlier fragmented approaches to IT security and business continuity, DORA brings everything under one roof – risk management, incident reporting, resilience testing, and third-party governance – and makes them legally enforceable for all in-scope entities. These include banks, insurers, asset managers, crypto service providers, and even critical third-party ICT vendors.
As EY puts it, “DORA marks a shift from a focus on security controls to a more comprehensive approach to ICT risk management and the development of resilient enterprises.”
Compliance under DORA goes beyond formal checklists. It means embedding resilience into daily workflows, turning risk management into a continuous operational function, and replacing point-in-time audits with controls that run as part of normal operations. Deloitte calls this transition the real beginning:
“Compliance is not just a one-off legal exercise; it requires ongoing adaptation to new technologies, increasing threats, and active digital risk management.”
And while it’s an EU regulation, its reach is far wider. For example, Swiss and UK-based ICT providers that serve EU financial institutions must also comply, even if they’re legally outside the EU. EY notes that “centralized ICT services provided by Swiss-based legal entities to EU subsidiaries fall within DORA’s scope.”
DORA also elevates standards globally. Analysts at Computer Weekly note that other regulators – from the UK’s Bank of England to the US SEC – are already exploring similar cyber resiliency regimes, using DORA as a blueprint.
DORA defines a new baseline for operational integrity – enforced not only on paper, but through testable practices across operations. If your system powers a critical financial service in the EU – directly or indirectly – you’re now expected to prove it can take a hit and keep going.
Current State of DORA
Eighteen months after its formal adoption and six months into its full application, the Digital Operational Resilience Act (DORA) has moved from policy to active pressure point for financial institutions across the EU – and beyond. What was once a regulation on paper is now a daily operational reality, reshaping how firms think about technology risk, vendor accountability, and systemic continuity.
Across the EU, most in-scope entities (including banks, insurers, crypto-asset service providers, and ICT vendors) have completed their Register of Information submissions, detailing third-party ICT arrangements. But as Deloitte notes,
“The real work begins after RoI.”
Submitting the registry is just the gateway: DORA’s implementation phase requires firms to actively manage, monitor, and, if necessary, renegotiate hundreds of vendor contracts to align with DORA’s precise provisions. Addendums specifying audit rights, exit clauses, and service descriptions are now being rolled out across the financial sector.
For many institutions, this isn’t a cosmetic change. It’s structural. EY observes that less mature organizations face steep learning curves, often lacking foundational elements like Business Impact Analyses, cross-functional ICT governance, or tested incident response protocols. DORA has exposed these gaps. Some firms are still wrestling with definitions – like what qualifies as a “critical function” – while others are building entire DORA testing programs from scratch, including threat-led penetration testing (TLPT).
Meanwhile, supervisory bodies are adjusting too. National regulators like BaFin, ACPR, and CSSF are aligning their review processes with DORA’s unified standard. In Switzerland, which is not an EU member but deeply integrated into its financial system, DORA regulations now apply indirectly – especially to Swiss-based ICT service providers supporting EU legal entities.
On the vendor side, pressure is mounting. Providers are being asked to update terms, submit to more rigorous audit standards, and even restructure service models – especially those outside the EU who must now comply via contractual alignment. As Computer Weekly reported, non-compliance by critical IT vendors is already forcing institutions to consider painful decisions, like contract terminations or infrastructure rewrites.
In short, DORA’s compliance timeline has passed. What’s unfolding now is the era of operationalization – where resilience is no longer a checklist but a measurable baseline.
Incident Response and Reporting – Explained
Under the DORA EU framework, incident reporting isn’t just a regulatory checkbox – it’s a foundational part of building operational resilience across the financial sector. The regulation sets out strict, time-bound procedures for identifying, classifying, and reporting major ICT-related incidents to supervisory authorities. These processes aren’t theoretical – they’re expected to function under pressure, in real crisis conditions.
As Deloitte emphasizes, “When a serious cyber incident or IT outage happens, the clock starts ticking.”
Financial institutions must rapidly assess the impact, determine whether the event meets DORA’s classification thresholds, and, if so, notify the relevant authorities – sometimes while the incident is still unfolding. This means firms need more than compliant policies on paper: they need rehearsed, executable playbooks.
Effective incident response under DORA requires three things:
- Clear internal protocols and decision trees for impact assessment.
- Designated individuals with access to EU reporting platforms such as eDesk or IMAS.
- Simulated testing through cyber incident drills and tabletop exercises.
EY’s analysis shows that many organizations struggle with fragmented data sources, making it hard to compile and report incident data under time pressure. Their recommendation: use centralized tools like CMDBs (Configuration Management Databases) to streamline information flow and automate parts of the reporting chain.
A major stress test for DORA compliance came with the CrowdStrike incident, which disrupted global banking operations due to a third-party software fault. SecurityScorecard reports that ATM networks and payment systems in several countries experienced temporary outages – exposing the vulnerabilities in ICT supply chains and the urgency of incident classification frameworks.
DORA also mandates clarity in roles and responsibilities. If an ICT service provider experiences an outage that affects downstream services, the financial institution remains responsible for reporting – not the vendor. That’s why recent DORA-compliant contract templates include provisions requiring third parties to notify institutions immediately about any relevant events.
Beyond execution, DORA pushes institutions to treat incident handling as a strategic capability. This includes integrating ICT incident response with other frameworks, such as FINMA major incident protocols or internal BCP drills. EY’s data shows that only 42.2% of organizations currently test their business continuity plans for critical third parties – a gap many now prioritize.
DORA’s implementation expects institutions to move beyond theory: response plans must be tested in advance, responsibilities clearly assigned, and reporting executed without delay – even in real-time crisis conditions.
How Does DORA Affect the Financial Industry
The Digital Operational Resilience Act reshapes how financial institutions across the EU (and beyond) approach ICT risk. While designed as a regulatory framework, its impact stretches into procurement, compliance, crisis management, and long-term strategy.
Financial institutions are now legally accountable for the resilience of their entire ICT supply chain, not just their internal systems. This includes conducting full risk assessments of third-party software and service providers, maintaining detailed inventories of critical ICT contracts, and embedding audit-ready controls into daily operations.
The real pressure point comes from the new expectations around third-party accountability. According to EY, many organizations are still struggling with foundational tasks:
“Only 47.8% of organizations maintain BCPs for critical third parties, and a mere 42.2% actively test them.”
SecurityScorecard adds that 98% of the top 100 European firms experienced third-party breaches within a year, pointing to supply chains as the most persistent weak link. To address these risks, DORA mandates stricter requirements for ICT providers – including their integration into testing procedures, contract oversight, and resilience reviews.
As implementation deepens, more institutions are turning to centralized tools to keep up. Grant Thornton, for instance, recommends IT asset management platforms to automate review cycles and minimize the risks of missed audits or outdated inventories.
Resilience now encompasses more than infrastructure; it extends to learning systems and evolving data environments. The AI Act is already beginning to expand the scope. As Deloitte notes, “digital resilience goes beyond basic ICT concerns” and increasingly includes systems powered by learning algorithms.
Thales, a European cybersecurity and defense technology firm, points to encryption, cryptographic key management, and secure data handling as critical components of ongoing DORA compliance – especially as algorithms and threat landscapes evolve.
The regulation redefines baseline expectations, requiring institutions to structure resilience as a continuous function. Risk management is no longer an internal affair; it’s a shared, legally enforced responsibility that reaches deep into infrastructure, partnerships, and design.
How Does DORA Affect Crypto
While the DORA regulation initially seemed relevant only to traditional financial institutions, its scope deliberately includes crypto-asset service providers (CASPs) operating in the EU. As a result, many players in the crypto sector – from custodians to exchanges – now face the same digital operational resilience standards as banks and insurers.
This shift reflects the broader regulatory recognition of crypto’s systemic relevance. As noted by Latham & Watkins, even non-traditional financial entities like e-money institutions and crypto platforms are classified as in-scope financial entities under DORA. That means they must implement structured governance frameworks, perform regular incident simulations, and maintain a full audit trail across their ICT stack.
The complexity increases for decentralized or globally distributed providers. If they serve EU clients or interact with regulated entities in the bloc, they may fall under DORA’s jurisdiction – even without an EU legal entity. For example, cloud-based crypto custodians offering services to European fintechs must now account for contract remediation, data governance, and incident readiness in line with DORA requirements.
Moreover, integration with other regulations adds to the pressure. DORA doesn’t operate in isolation – it intersects with MiCA (Markets in Crypto-Assets Regulation) and, in some cases, the AI Act. Taken together, these frameworks demand that crypto services are not only secure but structured for resilience from the ground up.
The operational impact is substantial. From encrypted backups and secure APIs to third-party risk analysis and standardized response protocols, crypto firms must now adopt mature IT practices long expected of banks. EY’s analysis highlights that resilience planning must cover political instability, insolvency risk, and cyber disruptions across third-party providers – setting a high bar for smaller CASPs.
DORA’s inclusion of crypto is not symbolic. It signals a shift from experimental innovation to institutional-grade accountability. The message is clear: if you operate in the financial space, you must prove you can survive digital shocks – whether you issue stablecoins or manage staking infrastructure.
List of Sources
- DORA: A new era of Digital Operational Resilience | EY – Switzerland
- After DORA register of information submission: the real work begins | Deloitte Luxembourg | Future of Advice
- A guide to DORA compliance | Computer Weekly
- DORA European Survey – 2025 edition | Deloitte Luxembourg
- Digital Operational Resilience Act (DORA)
- The Digital Operational Resilience Act (DORA) | Deloitte UK