Policy Briefing — EU DORA Provisional Agreement
EU co-legislators reached a provisional agreement on the Digital Operational Resilience Act, harmonising ICT risk management, incident reporting, and third-party oversight for financial entities.
Executive briefing: The European Parliament and Council reached a political agreement on the Digital Operational Resilience Act (DORA). The compromise establishes harmonised ICT risk management, incident reporting, testing, and oversight obligations for banks, insurers, investment firms, and critical third-party ICT service providers operating in the EU.
Core requirements confirmed
- Unified ICT risk programme. Financial entities must implement governance, asset management, incident response, and third-party controls proportionate to their size and risk profile, subject to board accountability.
- Severe incident reporting. Significant ICT incidents must be reported through a centralised EU hub with initial notification, intermediate updates, and a final report that captures impact and remediation.
- Critical vendor oversight. DORA creates an EU supervisory framework for critical ICT third-party providers, enabling regulators to conduct inspections and issue binding directions.
Preparation steps for financial entities
- Benchmark existing operational resilience frameworks against the compromise text, ensuring coverage of threat-led penetration testing, ICT continuity, and scenario-based exercises.
- Catalogue EU legal entities and outsourced providers to determine which relationships may be designated critical under the forthcoming oversight regime.
- Align incident classification criteria with DORA’s severity levels and map how reports will flow into national competent authorities once the hub is operational.
Strategic considerations
- Board education. Directors will be accountable for approving the ICT risk management framework and ensuring regular training on cyber resilience.
- Contract remediation. Expect to update outsourcing agreements with data localisation, access, audit, and exit clauses that meet DORA standards.
- Global harmonisation. Multinationals should align DORA with UK operational resilience, U.S. interagency guidance, and Basel Committee principles to minimise duplication.
Zeph Tech is mapping DORA control expectations to existing operational resilience tooling so EU financial institutions can accelerate readiness ahead of application in 2025.