What is DORA (Digital Operational Resilience Act)?
EU regulation (2022/2554), applicable from January 17, 2025. It requires financial entities (banks, insurers, investment firms, crypto-asset service providers) and their critical ICT third-party providers to demonstrate operational resilience. Penalties up to 1% of average daily worldwide turnover per day for serious breaches.
Full explanation
DORA's five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing (including threat-led penetration testing — TLPT), management of ICT third-party risk, and information sharing. The third-party risk pillar is the most disruptive for SaaS vendors — financial entities must conduct due diligence on every critical ICT provider, including its code-security and incident-response posture. In effect, SaaS vendors selling into EU finance need to provide DORA-friendly documentation: SBOM, AIBOM (where AI is used), incident-response runbooks, and third-party-risk assessments. Threat-led pen tests are required only at the larger end (significant credit institutions).
Example
A fintech startup signs a contract with a German Tier-1 bank. The bank's vendor onboarding includes DORA Article 28 due diligence: incident-response timelines, sub-processor inventory, ICT-risk management evidence, exit/portability plans. The startup provides its SOC 2 Type II report, ISO 27001 certificate, sub-processor list, and incident-response runbook. Without this evidence, the deal stalls.
FAQ
Does DORA apply to non-EU vendors?
Indirectly — through the third-party-risk pillar. EU financial entities must conduct due diligence on every critical ICT provider regardless of provider domicile. Non-EU vendors selling into EU finance need DORA-friendly evidence even though the regulation doesn't directly bind them.
What's TLPT?
Threat-Led Penetration Testing — a mandated red-team exercise modeled on TIBER-EU. Required for the largest financial entities. Out of scope for most SaaS vendors but expected as a customer flow-down for critical providers.