At the beginning of 2024, the European Supervisory Authorities published the first set of technical standards to be implemented under the Digital Operational Resilience Act (DORA).
This is major news for financial entities providing services in the EU, because it fills in crucial details on the provisions of the DORA regulation, which entered into force on 16 January 2023 and will apply from 17 January 2025.
In this article, we will briefly introduce the DORA regulation, then talk about its potential implications for the data infrastructures of these entities, as well as for their critical third-party IT service providers.
What Is the DORA Regulation and Who Will It Affect?
The DORA regulation is a new EU regulation aimed at ensuring the stability of the European financial sector in case of a severe operational disruption.
The logic behind it is that financial institutions, which increasingly depend on technology and on technology companies to provide their services, are now more exposed to cyber attacks and other security incidents, and that a dedicated regulation is necessary to counter these risks.
DORA will apply to a range of institutions—primarily financial entities (FEs), like investment firms and banks; but also to third-party providers of information and communication technology services (TPPs) that critically enable the work of FEs.
The scope of DORA is rather wide, as it covers everything from incident classification and reporting, to operational resilience testing, to requirements for contractual agreements between FEs and TPPs.
Impact on EU Data Infrastructures and Vendor Landscape
DORA will have a notable impact on how and by whom cloud infrastructure services are provided within the EU.
Impact of DORA on Financial Entities
Under Articles 28 to 30, which cover the management of ICT third-party risk, concentration risk, and contractual arrangements, FEs will need to take into account the compliance of any TPPs they use with EU data protection rules. Most notably, they will need to ensure that:
- Where and by whom their data is processed and stored is known and contractually specified, and the data remains under appropriate oversight by EU authorities, or by third-country authorities that ensure DORA's requirements are met
- Their sharing of any data with TPPs does not violate DORA provisions
- Provision of critical services is not concentrated with a single or a few TPPs
- Critical services can be migrated from one TPP to another (documented exit strategies)
- Service level agreements reflect DORA's requirements
On one hand, these requirements may shrink the pool of data infrastructure vendors available to FEs, because fewer vendors will meet the stricter compliance requirements. On the other hand, they will likely push FEs to keep their data architectures composable. For example, instead of having data integration, storage, and analytics functions locked up in a single vendor, an FE might use a separate vendor for each of these three functions, so that any one of them can be replaced without rebuilding the whole stack.
Additionally, the ICT systems and data tools themselves will need to be (Article 7):
- Reliable
- Able to accurately process data
- Able to interoperate with new technologies
- Able to deal with unexpected, heightened information processing needs (i.e., scalable)
These requirements may steer FEs towards the use of technology-agnostic data tools, like data integration tools (e.g. Dataddo***), database management systems, and observability platforms. They may also drive FEs to seek tools with embedded data quality features, to help keep data accurate when connected across increasingly complex data stacks (this is especially important for AI initiatives).
***Dataddo is a DORA-compliant data integration tool. Learn more about its cross-technology data replication abilities, as well as its inbuilt suite of data quality mechanisms.
Though FEs will be required to have and enforce their own TPP oversight policies, ensuring the compliance of TPPs with DORA won't be their responsibility alone.
Impact of DORA on Third-Party Service Providers
For the first time, TPPs designated as critical under DORA will also be subject to direct oversight by the European Supervisory Authorities (ESAs).
It is still unclear how and to what extent the ESAs will be involved in the oversight of TPPs. What is clear is that TPPs doing business in Europe will need to take additional compliance measures, like drafting dedicated business contingency plans, granting unrestricted rights of access, inspection, and audit to EU authorities, and tailoring SLAs to DORA.
This change will not inherently put TPPs based outside the EU at a disadvantage, but it may amplify FEs' preference for EU-based TPPs and make it harder for non-EU TPPs to attract business in Europe.
Getting Ready for DORA
DORA will provide a much-needed safeguard against the gamut of security risks that threaten FEs operating within the EU. But it will come at the cost of more compliance measures for them and their critical TPPs.
This will mark a significant shift in how both groups operate within the European Union.
Financial entities will need to ensure that their ICT risk management frameworks align with DORA's requirements, and that relationships with third-party ICT service providers are governed by contracts that reflect DORA's standards.
Critical ICT third-party service providers will need to align their services with DORA, focusing on data quality, technological interoperability, and service level guarantees to their EU clients.