
Regulating Digital Resilience in the EU

What Does DORA Mean for Financial Institutions and Their Vendors?

What DORA compliance means for fintechs, NBFIs and marketplaces as digital resilience requirements and vendor oversight reshape the financial ecosystem.

October 15, 2025

Are you ready to prove your digital resilience?

Introduction

In the financial world, we’re used to watching the regulatory horizon (e.g., recent stablecoin regulations under the GENIUS Act and MiCA), because each change reshapes how money has to be modeled and managed. If you’re a financial institution operating or planning to operate in Europe, there’s a new set of regulations that has recently come online. The Digital Operational Resilience Act (DORA) is designed to ensure that financial institutions are resilient in the face of digital disruptions.

One of the most important things to note about DORA is that it cascades. For example, for a bank to be DORA compliant, all of its vendors need to be compliant (or have plans to be compliant). But for any one of those vendors to be compliant, all of their vendors must be compliant. And so on. This is why DORA compliance was, and is, a priority for Formance.

As we’ve worked through the process of achieving DORA compliance for Formance products, we’ve picked up some key insights for the compliance officers, legal teams, and engineers asking: What does this mean for us?

What is DORA Compliance?

The Digital Operational Resilience Act (DORA) is a European Union regulation that took effect in January 2025, requiring financial entities and their Information and Communications Technology (ICT) third-party providers to implement strategies that ensure resilience in the face of digital disruptions.

DORA aims to minimize both the risk of outages within a financial institution’s own ICT infrastructure and the knock-on risk that third-party failures or cyberattacks could disrupt the broader European financial system. The regulation recognizes that resilience is only as strong as the weakest link. A glitch at a payments provider, for example, can cascade quickly, interrupting customer access and undermining trust in the market as a whole. By pushing standards down through every layer of the supply chain, DORA seeks to ensure that the system as a whole can withstand, respond to, and recover from disruption.

DORA is built on five foundational pillars:

  1. ICT Risk Management
  2. ICT Incident Reporting
  3. Resilience Testing (including Threat-Led Penetration Testing)
  4. ICT Third-Party Risk Management
  5. Information Sharing

These pillars serve as guardrails for what “operational resilience” means in practice. DORA’s scope cascades well beyond traditional banks and insurers: fintech apps, crypto platforms, NBFIs, and even cloud providers all fall under its requirements, meaning many companies that never considered themselves financial institutions are now subject to the same resilience standards.

Why the Cascade Matters

DORA is aimed at EU-based financial entities (e.g., payment and credit institutions, electronic money institutions, investment firms, insurance companies, trade repositories) and ICT service providers (e.g., cloud providers, network security companies, IT service providers). The regulation extends beyond companies within the EU, affecting non-EU vendors that provide critical or important services to financial entities operating in the EU.

Importantly, NBFIs are also required to comply. Many companies don’t even realize they qualify as NBFIs until they begin managing stored balances, marketplace payouts, or gift card and credit flows. Under DORA, these activities attract the same obligations as those of a regulated bank.

Take fintech platforms for example. Resilience is not confined to their own infrastructure. Every dependency (e.g., identity verification, FX conversion, cloud hosting) is part of the compliance surface. The regulation is explicit that they must be able to withstand, respond to, and recover from ICT disruptions—and that the responsibility extends across their entire chain of providers.

By the end of 2025, the European Supervisory Authorities (ESAs) are expected to identify [the first list of Critical ICT Third-Party Providers](https://globallitigationnews.bakermckenzie.com/2025/03/04/european-union-dora-update-upcoming-designations-of-critical-third-party-providers/#:~:text=The%20ESAs%20have%20recently%20published%20a%20roadmap,place%20by%20the%20end%20of%20this%20year.) (CTPPs). These firms will face direct supervision, joint examination teams, and a designated lead overseer. Even providers not formally designated will come under pressure, as institutions increasingly demand CTPP-level assurance throughout their supply chains.

What DORA Means for Financial Institutions

For financial institutions, DORA has formalized responsibilities that were previously left to internal interpretation. Whether it’s a traditional bank, an NBFI offering lending or digital wallets, or a marketplace with embedded finance, institutions must prove that their systems are resilient and that every ICT vendor in their ecosystem meets the same standard.

  • For compliance officers, that means vendor oversight can’t stop at onboarding. Mandatory due diligence and binding resilience clauses are now essential.
  • For legal teams, this looks like strengthening contracts to include audit rights, incident reporting obligations, and mechanisms to exit or replace providers under stress.
  • Engineering teams are facing higher expectations too, with regulators and partners asking for proof: simulated failures, telemetry, safe rollbacks, and evidence of how systems respond under pressure.

A concrete example of how these responsibilities are being enforced is the new [Threat-Led Penetration Testing (TLPT)](https://treccert.com/threat-led-penetration-testing-tlpt-under-dora-is-now-in-effect/#:~:text=On%20June%2018%2C%202025%2C%20the,adapting%20to%20exploit%20emerging%20vulnerabilities.). In June 2025, the Commission Delegated Regulation (EU) 2025/1190 was published in the Official Journal, supplementing Article 26 of DORA and setting Regulatory Technical Standards (RTS) for TLPT. Twenty days later, the standards became directly applicable across all EU Member States. This marked a turning point in how financial entities are expected to validate their cybersecurity preparedness. Institutions are now required to engage in red-team style exercises (simulated, real-world cyberattacks) designed to test an organization's security posture by mimicking the tactics of actual adversaries. It’s the ultimate test of whether institutions and their vendors are truly resilient under stress.

What DORA Means for Vendors

For vendors—such as ledger providers, cloud platforms, analytics services, KYC tools, orchestration layers—DORA raises the bar for being a viable partner. Financial institutions will increasingly demand evidence that vendors can meet standards. That makes operational resilience both a business requirement and an opportunity for differentiation. Vendors that can provide attestation of their preparedness, outline credible substitution paths, and share transparent reporting are more likely to win and retain business.

The Register of Information, introduced in April 2025, has made this clear. Institutions now use it as the baseline for oversight, checking whether vendors have fully mapped their dependencies and sub-vendors. Weak or incomplete registers will not only expose operational risks but also surface in compliance findings, pushing institutions to disengage from providers who cannot document their ecosystem with precision.

Starting Steps for DORA Compliance

DORA compliance is broad, but the core expectations can be distilled into a few practical priorities. The weight or sequence of these will vary by role, but all are essential across the ecosystem.

  • Map dependencies & define accountability. Build and maintain a register of ICT providers and sub-vendors. Assign clear ownership and oversight—senior leadership should be accountable for ICT risk within the broader risk governance framework.
  • Simulate failure & test resilience. Run real scenarios (PSP downtime, FX volatility, identity provider outages) and include vendors in Red Team / TLPT-style exercises to validate how systems respond under stress.
  • Set up incident reporting & transparency. Define classifications, required data, and escalation timelines. Build templates and escalation paths so significant incidents can be reported reliably and in compliance with regulators.
  • Revise contracts with stress paths. Ensure vendor agreements include resilience clauses, audit rights, stress-exit or substitution paths, and pre-contract assessments. Also revisit termination rights under adverse conditions.
  • Model flows precisely & log for traceability. Track money movements and internal system flows at fine granularity. A ledger that surfaces dependencies and allows audit trails is critical for reconstructing incidents and proving compliance.
  • Establish governance & integrate with enterprise risk. Embed ICT risk into your organization’s overall risk strategy. Ensure roles, policies, board oversight, and accountability are defined and understood.
  • Monitor & measure continuously. Track key metrics—incident resolution, system downtime, vendor performance—and use them to manage operational resilience over time.
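The cascade rule from the introduction (an entity is only as compliant as the weakest provider anywhere below it) and the Register of Information mapping in the first step above can be checked mechanically once the register is modeled as a dependency graph. The script below is an added example written for this post; it is not Formance code and not part of any regulator's tooling. The vendor names, statuses and the cycle between the hosting and DNS providers are constructed sample data. It computes each entity's effective (transitive) status and lists every provider path that drags that status down, including sub-vendors that are referenced but never registered.

```python
"""Transitive compliance check over a modeled Register of Information.

Added example, not Formance code. Implements the post's cascade rule:
an entity's effective status is the worst status found anywhere in its
provider tree, and an unregistered sub-vendor counts as the worst of all.
All register contents below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordered best to worst. "unmapped" marks a provider that some entry depends
# on but that has no entry of its own in the register (incomplete mapping).
RANK = {"compliant": 0, "planned": 1, "non_compliant": 2, "unmapped": 3}


@dataclass
class Entry:
    status: str                                         # self-declared status
    providers: list[str] = field(default_factory=list)  # sub-vendors it relies on


Register = dict[str, Entry]


def effective_status(register: Register, name: str,
                     _path: frozenset[str] = frozenset()) -> str:
    """Worst status reachable from `name`, including `name` itself."""
    if name not in register:
        return "unmapped"
    if name in _path:
        # Dependency cycle (constructed below between hosting and DNS):
        # the outer frame already evaluates this node's subtree, so just
        # return its own status instead of recursing forever.
        return register[name].status
    entry = register[name]
    worst = entry.status
    for dep in entry.providers:
        dep_status = effective_status(register, dep, _path | {name})
        if RANK[dep_status] > RANK[worst]:
            worst = dep_status
    return worst


def findings(register: Register, name: str) -> list[tuple[str, str]]:
    """(path, status) for every reachable provider that is not compliant.

    Each provider is reported once, via the first path that reaches it.
    """
    out: list[tuple[str, str]] = []
    seen: set[str] = set()
    stack = [(name, [name])]
    while stack:
        node, path = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        entry = register.get(node)
        if entry is None:
            out.append((" -> ".join(path), "unmapped"))
            continue
        if node != name and entry.status != "compliant":
            out.append((" -> ".join(path), entry.status))
        for dep in entry.providers:
            stack.append((dep, path + [dep]))
    return sorted(out)


# Constructed sample register. "status_page_vendor" is deliberately missing.
SAMPLE_REGISTER: Register = {
    "bank": Entry("compliant", ["ledger_saas", "kyc_api"]),
    "ledger_saas": Entry("compliant", ["cloud_host", "status_page_vendor"]),
    "kyc_api": Entry("planned", ["cloud_host"]),
    "cloud_host": Entry("compliant", ["dns_provider"]),
    "dns_provider": Entry("compliant", ["cloud_host"]),  # constructed cycle
}


if __name__ == "__main__":
    for entity in SAMPLE_REGISTER:
        print(f"{entity:16s} effective status: {effective_status(SAMPLE_REGISTER, entity)}")
    for path, status in findings(SAMPLE_REGISTER, "bank"):
        print(f"  {status:14s} {path}")
```

Running it shows the bank's effective status as `unmapped` even though every registered provider is compliant or has a plan, because one sub-vendor two hops down was never entered. Registering that sub-vendor lifts the bank to `planned`, which is then bounded by the KYC provider's pending plan; that is exactly the kind of gap the post says will surface in compliance findings.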

Looking Ahead to a More Resilient Future

DORA is one more step in the industry’s ongoing effort to strengthen the foundations of modern finance. By setting clear expectations for resilience, it helps ensure that institutions doing vital work can continue to operate safely, even in the face of disruption. The outcome is an ecosystem that protects trust and innovation—two things we care deeply about. Formance’s mission to redefine how developers interact with money depends on the kind of resilient, transparent infrastructure that DORA is pushing the entire financial ecosystem to adopt.