Executive Summary

DORA is the EU Digital Operational Resilience Act. It applies to a wide range of financial entities in the European Union and it also establishes oversight expectations for critical ICT third-party providers that support the financial sector. For FinTech teams, DORA shifts resilience from a best practice to an enforceable requirement with defined control areas.

This guide explains DORA from an implementation perspective. It covers the main control themes, how to approach third-party risk and contracts, and how to build a resilience program that can be demonstrated to customers and regulators.

---

What DORA is and why it matters to FinTech

Financial services depend on technology. Outages, cyber incidents, and third-party failures can disrupt payments, lending, trading, and customer access. DORA creates a consistent EU approach to operational resilience by setting requirements for ICT risk management, incident reporting, resilience testing, and third-party oversight.

DORA applies as of January 2025. That timing matters for vendors and service providers because EU financial entities will ask for evidence that their technology partners can meet DORA-driven expectations. Even if you are not directly regulated, your customers may require you to support their compliance.

DORA impact patterns we see in practice

• EU customer expansion: Selling into EU financial entities often triggers DORA-driven security and resilience questions.
• Cloud and managed service dependence: DORA increases scrutiny of third-party concentration and contract controls.
• Operational resilience as a product feature: Customers expect clear resilience commitments, not vague statements.

Core DORA control themes

DORA is broad, but it can be implemented through a set of practical control themes. The best approach is to map each theme to owners, processes, and evidence.

ICT risk management framework

DORA expects a documented framework for identifying, protecting, detecting, responding to, and recovering from ICT-related risk. This resembles a security program, but with additional focus on service continuity and resilience metrics.

Define governance, risk assessment routines, asset inventories, change control, and resilience objectives. Align controls to the criticality of the services you provide.

• Evidence to keep: ICT risk management policy, Risk register, Asset and service inventories, Resilience objectives and metrics

Incident classification and reporting readiness

Financial entities must classify and report major incidents. This creates downstream expectations for vendors, including rapid notification, clear timelines, and structured incident communications.

Define incident severity levels, communication runbooks, and notification timelines. Practice the process through exercises that include customer communications.

• Evidence to keep: Incident response plan, Notification templates, Tabletop exercise results, Post-incident review records

Operational resilience testing

DORA formalizes testing expectations. Testing is not only vulnerability scanning. It includes resilience validation such as disaster recovery exercises and, for some entities, advanced testing approaches.

Create a test calendar, run backup and restore tests, validate failover processes, and document remediation. Align testing depth to service criticality and customer commitments.

• Evidence to keep: BCDR test plans, Restore and failover test results, Remediation tracking, Penetration test reports where applicable

Third-party risk management and contract controls

Third-party oversight is a major DORA theme. Financial entities must understand their ICT dependencies and manage risk through due diligence, ongoing monitoring, and contract terms.

Maintain a vendor inventory, tier vendors by criticality, and implement a review cadence. Update contracts to include security requirements, audit rights, subcontractor controls, and exit planning.

• Evidence to keep: Vendor inventory and tiering, Due diligence records, Contract clauses and addenda, Exit plans and migration playbooks

Concentration risk and resilience planning

DORA raises awareness of concentration risk, especially around large cloud providers and single points of failure. Teams need to understand what happens if a major dependency fails.

Identify critical dependencies, assess failure scenarios, and implement mitigations such as multi-region architecture, backup providers, and tested recovery procedures.

• Evidence to keep: Dependency mapping, Resilience architecture diagrams, Failover strategies, BCDR metrics and reports

Information sharing and coordinated defense

DORA encourages information sharing about cyber threats. For vendors, the practical expectation is the ability to share relevant incident information with customers in a structured and timely way.

Define how you share threat intelligence and incident learnings with customers. Establish processes that protect sensitive information while still being useful.

• Evidence to keep: Customer security communications process, Threat intel sources and briefings, Incident summary templates

What to expect if you are an ICT third-party provider

DORA introduces an EU-level oversight framework for certain critical ICT third-party providers. You may not know in advance whether you will be classified as critical, but large financial sector dependencies and concentration can increase attention. The practical takeaway is that customers will ask more detailed questions about resilience, security governance, and subcontractor control.

Preparation steps that scale

• Clarify your service catalog: Define what services are provided, what is in scope for resilience commitments, and what is excluded.
• Document shared responsibility: Explain what the customer must configure and what you operate.
• Build evidence packs: Maintain a set of repeatable evidence artifacts such as test reports, monitoring summaries, and incident exercise results.
• Control subcontractors: Track sub-processors, assess their controls, and disclose them appropriately.

Resilience metrics that help in procurement

DORA pushes organizations toward measurable resilience. Even when a customer does not ask for DORA by name, they often ask for similar metrics.

• Recovery Time Objective (RTO): How long it takes to restore service after an outage.
• Recovery Point Objective (RPO): How much data loss is acceptable based on backups and replication.
• Uptime and availability commitments: Service levels that reflect real operating capability.
• Change failure rate: How often deployments cause incidents and how quickly teams recover.
• Mean time to detect and respond: How quickly incidents are identified and contained.

Common pitfalls in DORA readiness efforts

• Treating resilience as only a DR document: DORA expects operating routines, testing, and measured outcomes.
• Contracts that do not match reality: If you commit to timelines that you cannot meet, procurement will stall later.
• Unowned vendor inventories: Third-party risk programs fail when inventories are incomplete or not updated.
• Testing without learning: Tests are only valuable when findings are tracked to closure and repeated to prove improvement.
• Ignoring exit planning: Customers will ask how they can migrate away. A credible exit plan improves trust.

Implementation methodology for DORA readiness

Phase 1: Gap assessment and service mapping

Identify which services you provide to EU financial entities and what dependencies support those services. Build an inventory of systems, vendors, and data flows. Compare your current controls to DORA themes and produce a prioritized remediation plan.

Phase 2: Control implementation and contract alignment

Strengthen resilience controls, especially BCDR testing, incident communications, and third-party oversight. Update customer and vendor contracts to reflect security and resilience obligations, including audit rights and exit planning.

Phase 3: Evidence, metrics, and ongoing operations

Operationalize the program with recurring test cycles, metrics reporting, and continuous improvement. Centralize evidence so customer requests and audits do not become fire drills.

How Jacobian Engineering supports DORA-driven resilience programs

DORA readiness is a blend of security engineering, risk management, and operational discipline. Jacobian Engineering supports FinTech teams that need practical execution.

• Resilience and security assessments: Gap analysis against DORA themes and customer expectations.
• Cloud and infrastructure engineering: Architecture reviews, failover design, backup strategy, and logging improvements.
• Vendor risk management: Vendor tiering, contract clause guidance, and evidence review routines.
• Security testing: Penetration testing, configuration reviews, and remediation verification.
• Continuous compliance operations: Compliance calendars, evidence routines, and metrics reporting.

Business benefits

DORA-driven work can improve product reliability and customer trust when it is implemented as an operating model.

• Higher uptime and faster recovery: Resilience testing and measurable objectives improve reliability.
• Faster EU customer onboarding: Clear evidence and contract language reduces procurement friction.
• Reduced third-party surprises: Vendor inventories and exit plans reduce dependency risk.
• Better incident communications: Structured communications improves customer confidence during high-stress events.

FAQs

Does DORA apply to vendors outside the EU?

DORA obligations primarily apply to EU financial entities, but those entities may require vendors outside the EU to support DORA-driven controls through contracts. If you serve EU customers, expect increased scrutiny of resilience, incident reporting, and third-party risk.

What is the most common gap for SaaS and FinTech vendors?

Documented resilience evidence. Many vendors have backups and monitoring, but they cannot show tested recovery procedures, defined recovery objectives, and recurring evidence.

Do we need multi-cloud for DORA?

DORA does not mandate multi-cloud, but it does emphasize concentration risk. Some organizations mitigate risk through multi-region design, fallback procedures, and tested exit plans rather than full multi-cloud.

How does DORA relate to cybersecurity frameworks?

DORA includes security expectations, but it is broader than a security standard. It focuses on operational resilience, third-party oversight, and measurable testing. Security frameworks can provide supporting control structures.

How should we handle contract updates?

Start with critical services and high-risk relationships. Define required clauses for incident notification, audit rights, subcontractor controls, service levels, and termination support. Track which contracts have been updated and which require remediation plans.

Primary references

• European Supervisory Authorities overview of DORA: esma.europa.eu
• EU text of the Digital Operational Resilience Act: eur-lex.europa.eu