Since January 17, 2025, financial institutions in the European Union have had to comply with the Digital Operational Resilience Act (DORA), a legal framework designed to strengthen operational resilience against cyber threats. DORA regulations were put in place to respond to a surge in cyberattacks in the financial sector, which was the third most impacted by cyber threats in 2024. The 75% rise in the number of attacks in Q3 2024, compared to the same period in 2023, highlights the growing scale of the problem. A crucial aspect of the DORA regulation is the “DORA register”, which requires financial institutions to maintain an up-to-date, detailed record of the third-party ICT providers with whom they work.
Financial institutions increasingly depend on external service providers, which has in turn facilitated the emergence of innovative technological solutions that enhance data sharing and open banking ecosystems. As a result, these institutions have become particularly exposed to third-party risks. Today, 77% of banking institutions rely on cloud infrastructures, and 92% outsource their IT operations.
DORA regulations aim to regulate and secure these relationships, minimizing vulnerabilities and ensuring robust risk management. The affected businesses must submit their DORA register before April 15, 2025. This deadline is particularly significant since the European Banking Authority (EBA) will no longer provide its conversion tool (Excel to CSV), which was used during the 2024 test phase to submit the DORA register to the ACPR (Autorité de Contrôle Prudentiel et de Résolution).
This means that institutions must adapt and find other solutions to ensure transparency, guarantee the management of risks related to external service providers and strengthen their regulatory oversight.
The DORA register: Why is it so crucial for financial institutions?
The DORA register is a cornerstone of the DORA regulations, aiming to provide complete visibility on the relationship between financial institutions and their third-party ICT providers. By having a thorough understanding of the risks associated with each external service provider, organizations can better anticipate potential threats and strengthen their operational resilience.
The primary objective of the DORA register is to strengthen the supervision of third-party risks. This means first identifying and assessing the risks associated with each provider to ensure the effective implementation of appropriate risk management measures.
Regulatory transparency is at the heart of this approach, allowing supervisory authorities easy access to information on financial institutions’ ICT subcontractors. Finally, proactive register management enhances digital resilience, enabling businesses to respond swiftly when an incident affects their services.
The EBA plays a central role in enforcing these requirements and is responsible for ensuring the harmonized implementation of the DORA register across EU member states. To do this, the EBA publishes detailed guidelines to help financial institutions structure their registers and maintain reporting consistency. This facilitates control and evaluation by the relevant authorities.
Who’s affected by the DORA register, and what compliance challenges do they face?
DORA regulations apply to nearly 22,000 organizations across Europe, including:
- Banks and credit institutions
- Insurance companies
- Payment and electronic money institutions
- Digital asset service providers
- Third-party ICT service providers

Since the proposed “Resilience Act” (Loi Résilience) has not been adopted, branches of third-country institutions, financing companies and certain overseas entities are not currently subject to DORA’s obligations as of January 17, 2025. This exemption applies to entities defined in Articles L. 532-48 and L. 511-1 of the French Monetary and Financial Code, meaning their compliance requirements may be deferred. This extensive scope underlines the ambition and impact of this legislation, which aims to standardize risk management for external providers across the European financial sector.
However, implementing the DORA register represents a considerable challenge for financial institutions, from both an organizational and a technical perspective. Among the main obstacles encountered is the complexity of the reporting requirements: institutions must maintain a comprehensive list of their ICT providers and ensure the collected information is continuously updated. This task, although crucial, may prove tedious and time-consuming.
Furthermore, the implementation of the register entails significant costs, including mobilizing specialized teams to collect, validate and update provider data. This management must be integrated into existing compliance systems, which implies reorganizing certain resources.
Finally, the management of third-party provider risks must be rigorous. Several approaches are essential to guarantee strict compliance with DORA, such as evaluating services provided by each provider and conducting regular audits on cybersecurity and business continuity.
The consequences of non-compliance, plus new opportunities
Failure to comply with DORA register obligations could result in severe sanctions. Companies risk financial penalties of up to 10 million euros or 5% of annual turnover, as well as increased controls and regular audits. In cases of serious non-compliance, a temporary suspension of business operations could also be enforced.
Although managing the DORA register represents a challenge, it also presents strategic opportunities for financial institutions. By implementing methodical register management, companies can strengthen their operational resilience and improve their ICT risk management processes. This increased transparency toward authorities reinforces trust and can constitute a competitive advantage. By proactively complying with DORA requirements, an institution can distinguish itself in the market and gain recognition from regulators and stakeholders.
Furthermore, DORA encourages information sharing among financial actors regarding cyber threats and vulnerabilities. This cooperation could lead to better risk anticipation and a more robust collective response to cyberattacks. Beyond regulatory compliance, DORA encourages financial institutions to adopt a proactive security culture, promoting continuous improvement of their digital defenses.

Approaching DORA regulations with SBS
DORA compliance remains a challenge, especially register management and monitoring ICT provider relationships. Without the right tools in place, these requirements could consume excessive resources. A recent McKinsey study shows that 40% of surveyed companies dedicate more than seven full-time employees (FTEs) to this task.
SBS is here to help with SBP Regulatory Reporting. Fully integrated, scalable and SaaS-enabled, our solution enables the creation of DORA reports directly from the client’s IT system, in compliance with regulatory needs. With continuous updates and rigorous version tracking of the DORA register, the platform centralizes reporting, controls costs and anticipates future developments through AI module integration and BI reporting capabilities for informed decision-making. With our help, turn DORA from a regulatory challenge into a strategic advantage.
Contact us today to discover how SBP Regulatory Reporting can help you stay compliant and competitive.