
Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act is a European regulation imposing strict digital operational resilience requirements on financial entities. Applicable since 17 January 2025, it covers ICT risk management, incident reporting, resilience testing, and oversight of critical third-party providers.

DORA addresses the financial sector's growing dependence on digital technologies by establishing a harmonised operational resilience framework across the European Union. The regulation applies to over 20 categories of financial entities: banks, insurers, asset managers, trading platforms, payment service providers, and also critical third-party ICT providers.

The regulation rests on five pillars: ICT risk management (governance, management framework, security policies); reporting of major ICT incidents to competent authorities; digital operational resilience testing, including advanced penetration testing for significant entities; management of ICT third-party risks; and information sharing on cyber threats between financial entities.

For KYC and document verification service providers, DORA has direct implications: as ICT suppliers to the financial sector, they may be classified as critical providers and subject to direct supervision by European supervisory authorities. They must ensure service continuity, security of processed data, and the ability to withstand cyberattacks.


Real-world examples

  1. A European bank must map all its ICT providers, including its remote identity verification vendor, and assess concentration risk if that vendor supports multiple critical functions.
  2. An insurer conducts advanced penetration testing on its online underwriting system, including the KYC module, to validate its ability to withstand a targeted cyberattack scenario.
  3. A payment service provider reports a major ICT incident to the supervisory authority within 4 hours of detecting an outage in its identity verification service affecting new customer onboarding.
