
EU Digital Operational Resilience Act (DORA) and Data Requirements

Understanding DORA's impact on financial sector data management, ICT risk requirements, and third-party service provider oversight for EU financial institutions.

GlobalDataShield Team | 8 min read

What Is DORA and Why Does It Matter?

The Digital Operational Resilience Act (DORA) is an EU regulation that took effect on January 17, 2025. It establishes a comprehensive framework for ICT risk management in the financial sector, covering everything from banks and insurance companies to investment firms and crypto-asset service providers.

DORA represents a fundamental shift in how the EU regulates technology risk in finance. Rather than leaving ICT resilience to individual firms, it creates harmonized requirements across the entire financial sector -- and extends regulatory oversight to the technology providers that financial institutions depend on.

Who Does DORA Apply To?

Financial Entities

DORA applies to virtually all regulated financial entities in the EU:

  • Credit institutions (banks)
  • Payment institutions
  • Investment firms
  • Insurance and reinsurance undertakings
  • Pension funds
  • Crypto-asset service providers
  • Central counterparties
  • Trade repositories
  • Crowdfunding service providers
  • Credit rating agencies
  • Fund managers (UCITS and AIFMs)

ICT Third-Party Service Providers

DORA also creates a framework for overseeing critical ICT third-party service providers (CTPPs):

  • Cloud service providers
  • Data analytics providers
  • Software providers
  • Data center services
  • Managed security service providers

Critical providers will be directly supervised by European Supervisory Authorities (ESAs).

DORA's Five Pillars

Pillar 1: ICT Risk Management

Financial entities must implement comprehensive ICT risk management frameworks:

Requirements:

  • Risk identification -- Identify, classify, and document all ICT-supported business functions
  • Risk protection -- Implement security measures proportionate to identified risks
  • Risk detection -- Deploy mechanisms to detect anomalous activities and ICT incidents
  • Risk response -- Establish response and recovery procedures for ICT incidents
  • Risk recovery -- Ensure business continuity and disaster recovery capabilities
  • Lessons learned -- Conduct post-incident reviews and incorporate findings

Data implications:

  • Organizations must know where all their data is stored and processed
  • Data classification must align with business function criticality
  • Data protection measures must be proportionate to risk
  • Data recovery capabilities must be tested regularly

Pillar 2: ICT-Related Incident Reporting

DORA establishes a harmonized incident reporting framework:

  • Major incidents must be reported to competent authorities
  • Initial notification within specified timeframes
  • Intermediate reports providing updates on resolution
  • Final reports analyzing root cause and remediation

Data implications:

  • Organizations need comprehensive logging and monitoring
  • Incident data must be preserved for regulatory review
  • Reporting capabilities require real-time data access
  • Cross-border incidents may need reporting in multiple jurisdictions

Pillar 3: Digital Operational Resilience Testing

Financial entities must regularly test their ICT systems:

  • Basic testing -- vulnerability assessments, network security assessments, gap analyses
  • Advanced testing -- threat-led penetration testing (TLPT) for significant financial entities
  • Testing frequency -- at least annually for basic testing; every three years for TLPT

Data implications:

  • Testing must cover data protection controls
  • Test results must be documented and retained
  • Remediation of identified vulnerabilities must be tracked
  • Testing scope includes third-party service providers

Pillar 4: ICT Third-Party Risk Management

This is arguably DORA's most significant innovation:

Pre-contractual requirements:

  • Risk assessment before engaging ICT providers
  • Due diligence on provider capabilities and resilience
  • Assessment of provider's data handling and security practices

Contractual requirements:

Contract elements:

  • Service level agreements -- Clear performance metrics and monitoring
  • Data location -- Specification of where data is processed and stored
  • Data access -- Arrangements for regulatory access to data
  • Subcontracting -- Notification and approval for material subcontracting
  • Exit strategy -- Transition plans and data portability provisions
  • Audit rights -- Right to audit the provider's operations

Ongoing management:

  • Regular monitoring of provider performance
  • Assessment of concentration risk
  • Exit strategy maintenance
  • Sub-contractor oversight

Pillar 5: Information Sharing

DORA encourages voluntary sharing of cyber threat intelligence among financial entities:

  • Trusted information-sharing arrangements
  • Appropriate data protection safeguards
  • Notification to competent authorities about participation
  • Use of standardized formats where possible

DORA's Impact on Data Management

Data Location and Residency

DORA does not explicitly mandate data residency within the EU. However, it creates strong incentives for EU-based data hosting:

  • Regulatory access -- competent authorities must be able to access data for supervision
  • Audit rights -- financial entities must be able to audit their ICT providers
  • Exit strategies -- data must be retrievable and transferable
  • Sub-processor transparency -- full visibility into where data is processed

Hosting data outside the EU does not violate DORA, but it complicates compliance with these requirements significantly.

Data Protection Requirements

DORA's ICT risk management framework includes specific data protection measures:

  • Data classification aligned with business function criticality
  • Encryption and cryptographic controls for data in transit and at rest
  • Access management and authentication controls
  • Data backup policies with regular testing
  • Data retention policies aligned with legal and regulatory requirements
  • Data integrity monitoring and protection

Third-Party Data Access

DORA requires financial entities to maintain control over their data even when it is processed by third parties:

  • Right to inspect and audit third-party operations
  • Access to performance monitoring data
  • Ability to retrieve all data upon contract termination
  • Transparency about sub-processors and their data handling

Implementation Challenges

Challenge 1: Third-Party Mapping

Most financial institutions use hundreds or thousands of ICT service providers. Mapping all of these relationships and assessing their criticality is a massive undertaking.

Challenge 2: Contract Remediation

Existing contracts with ICT providers may not meet DORA's requirements. Renegotiating contracts with major cloud providers and software vendors takes time and leverage.

Challenge 3: Testing Requirements

Threat-led penetration testing is expensive, complex, and requires specialized expertise. The requirement to test third-party services adds another layer of complexity.

Challenge 4: Concentration Risk

DORA requires financial entities to assess concentration risk -- the danger of depending too heavily on a single ICT provider. For many institutions heavily invested in a single cloud platform, addressing concentration risk may require significant architectural changes.

Challenge 5: Cross-Border Coordination

Financial groups operating across multiple EU member states must coordinate their DORA compliance across jurisdictions, potentially dealing with different supervisory approaches.

Practical Steps for Compliance

Step 1: ICT Asset and Vendor Inventory

Create a comprehensive inventory of:

  • All ICT systems supporting business functions
  • All ICT third-party service providers
  • Data flows between systems and providers
  • Geographic locations of data processing and storage

Step 2: Criticality Assessment

Classify ICT assets and providers by criticality:

  • Which systems support critical business functions?
  • Which providers would cause significant disruption if they failed?
  • What concentration risks exist?
  • Where are the single points of failure?

Step 3: Gap Analysis

Compare current ICT risk management against DORA requirements:

  • Risk management framework completeness
  • Incident reporting capabilities
  • Testing program maturity
  • Third-party contract compliance
  • Data protection measures

Step 4: Remediation Plan

Prioritize and address identified gaps:

  • Contract renegotiations with critical providers
  • ICT risk management framework enhancements
  • Testing program development
  • Incident reporting process implementation
  • Staff training and awareness

Step 5: Ongoing Compliance

Establish continuous compliance processes:

  • Regular risk assessments and control reviews
  • Incident monitoring and reporting
  • Testing schedules and remediation tracking
  • Third-party monitoring and assessment
  • Regulatory change monitoring
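As an added illustration of Steps 1 to 3 above (not code from the original article or from GlobalDataShield), the script below runs a constructed ICT third-party register through three checks: concentration risk and single points of failure across critical business functions, and gaps against the contract elements listed under Pillar 4. The provider records, the EU country subset and the 50% concentration threshold are assumptions made for the example.

```python
from collections import defaultdict

# Contract elements taken from the article's "Contractual requirements" list.
DORA_CONTRACT_ELEMENTS = {"sla", "data_location", "data_access",
                          "subcontracting", "exit_strategy", "audit_rights"}
# Assumed EU member-state codes used to flag non-EU processing (illustrative subset).
EU = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "LU", "NL", "PL", "SE"}

# Constructed inventory (Step 1): provider, critical business functions it supports,
# countries where it processes data, and contract clauses already in place.
PROVIDERS = [
    {"name": "CloudCo", "critical_functions": ["payments", "core_banking", "reporting"],
     "data_locations": ["DE", "IE"], "contract": set(DORA_CONTRACT_ELEMENTS)},
    {"name": "AnalyticsInc", "critical_functions": ["reporting"],
     "data_locations": ["US"], "contract": {"sla", "data_location"}},
    {"name": "MSSP-Ltd", "critical_functions": ["security_monitoring"],
     "data_locations": ["NL"], "contract": {"sla", "audit_rights", "exit_strategy"}},
]

def concentration_risk(providers, max_share=0.5):
    """Step 2: share of critical functions per provider; flag those above max_share
    (the threshold is an assumption, not a figure from DORA)."""
    total = sum(len(p["critical_functions"]) for p in providers)
    shares = {p["name"]: len(p["critical_functions"]) / total for p in providers}
    return {name: round(s, 2) for name, s in shares.items() if s > max_share}

def single_points_of_failure(providers):
    """Step 2: critical functions that depend on exactly one provider."""
    by_function = defaultdict(list)
    for p in providers:
        for fn in p["critical_functions"]:
            by_function[fn].append(p["name"])
    return sorted(fn for fn, names in by_function.items() if len(names) == 1)

def contract_gaps(providers):
    """Step 3: DORA contract elements missing per provider (empty list = covered)."""
    return {p["name"]: sorted(DORA_CONTRACT_ELEMENTS - p["contract"]) for p in providers}

def non_eu_processing(providers):
    """Providers processing data outside the EU: permitted, but harder to supervise."""
    return sorted(p["name"] for p in providers
                  if any(loc not in EU for loc in p["data_locations"]))

if __name__ == "__main__":
    print("Concentration risk:", concentration_risk(PROVIDERS))
    print("Single points of failure:", single_points_of_failure(PROVIDERS))
    print("Contract gaps:", contract_gaps(PROVIDERS))
    print("Non-EU processing:", non_eu_processing(PROVIDERS))
```

In a real register the inputs would come from the contract and asset management systems rather than an inline list; the checks themselves are the part worth automating so they can be re-run as part of Step 5.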

Technology Solutions

Financial institutions need technology platforms that support DORA compliance inherently. Key capabilities include:

  • Data residency controls that ensure data is stored in documented, accessible locations
  • Comprehensive audit trails that support incident investigation and regulatory reporting
  • Encryption that meets DORA's cryptographic control requirements
  • Access management with granular controls and monitoring

For document management and hosting, platforms like GlobalDataShield provide the data residency controls, encryption, and audit capabilities that DORA demands, ensuring financial institutions maintain control over their data regardless of where it is processed.

Looking Ahead

DORA is just the beginning of a broader EU effort to regulate digital resilience in financial services. Financial institutions should expect:

  • Increasing supervisory attention to ICT risk
  • Direct supervision of critical ICT service providers by ESAs
  • Evolving technical standards from ESAs
  • Cross-sectoral coordination with NIS2 and other EU cybersecurity frameworks

Organizations that build robust, flexible ICT risk management frameworks now will be best positioned to adapt as requirements continue to evolve.

Conclusion

DORA fundamentally changes how the EU financial sector manages ICT risk and third-party relationships. For data management specifically, it requires unprecedented transparency about where data is stored, how it is protected, and who has access to it. Financial institutions that treat DORA as an opportunity to strengthen their data governance -- rather than just a compliance obligation -- will build more resilient operations and stronger relationships with regulators and customers alike.

Ready to Solve Data Residency?

Get started with GlobalDataShield - compliant document hosting, ready when you are.