What is DORA?
As of January 17, 2025, European Union (EU) financial entities and ICT third-party service providers designated as 'critical' by the European Supervisory Authorities must be ready to comply with the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554 - ‘DORA’). DORA standardizes how financial entities report cybersecurity incidents, test their digital operational resilience, and manage ICT third-party risk across the financial services sector and EU member states.
In addition to establishing clear expectations for the role of ICT providers, DORA provides European Supervisory Authorities (ESAs) with direct supervisory powers over designated critical ICT providers. Microsoft is preparing to be designated as a “critical ICT third-party service provider” and will comply with applicable provisions under DORA, and help regulated financial institutions meet their own requirements.
Regulatory framework
DORA aims to provide a harmonized approach to achieving “a high level of digital operational resilience” of the financial services industry (FSI) by ensuring that firms can withstand and adapt to a wide range of threats and disruptions, including cyber-attacks, IT failures, and other operational risks. DORA applies to a wide range of FSI entities, including banks, insurance institutions, stock exchanges, and trading platforms. It also, for the first time, designates “critical ICT third-party service providers” (CTPPs): providers deemed critical to the financial system because of the critical services they supply to FSI entities, which brings such designated firms under direct regulatory supervision.
Key points
- DORA's purpose: DORA seeks to enhance the resilience and stability of the FSI sector by ensuring that FSI entities have in place effective measures to manage and mitigate operational risks, including cyber risks. It aims to protect consumers, investors, and the wider FSI system from the potentially severe consequences of major disruptions or failures within the sector.
- Scope: DORA applies to FSI entities operating in the European Union and to their ICT third-party providers who provide services in the EU, regardless of where the latter operate from. It also applies to Critical Third-Party Providers (CTPPs) designated by the ESAs, each of which is entrusted to the day-to-day oversight of one of the three ESAs, that is, either EBA, EIOPA, or ESMA.
- Key provisions: DORA includes three main sets of requirements: (i) requirements applicable to FSI entities (including in the areas of ICT risk management, notification of major ICT incidents, and operational resilience testing, namely threat-led penetration testing), (ii) requirements in relation to the contractual arrangements concluded between designated ICT third-party service providers and FSI entities, and (iii) rules for the establishment and conduct of the Oversight Framework for Critical ICT Third-Party Providers (CTPPs) when providing services to FSI entities.
- Compliance: Microsoft will comply with all laws and regulations applicable to it in the provision of its services, subject to the requirements as applied to it as a CTPP. FSI entities that have in place contractual arrangements for the use of Microsoft online services to run their critical or important functions shall remain accountable for compliance with all obligations under DORA and the applicable financial services regulatory requirements. Microsoft will support FSI entities in meeting their compliance obligations and will comply with the requirements applicable to it.
- Cloud services and providers: DORA is technology neutral, and the requirements under DORA apply not only to FSI entities, but also to third-party providers of ICT services who are designated as CTPPs. Certain Microsoft Azure cloud services (for example, IaaS) and certain Microsoft 365 services such as Exchange and Teams are likely to be covered under DORA, but that hasn't yet been determined.
- Contractual commitments: DORA mandates certain contractual requirements between ICT third-party service providers and FSI entities. Microsoft will ensure its contractual provisions are in alignment with the requirements under DORA, as appropriate. Further, Microsoft already aligns to the requirements issued under EBA, ESMA, and EIOPA guidance, and that guidance itself serves as a baseline framework for the requirements under DORA.
- Oversight: DORA doesn't alleviate FSI entities from oversight of technology providers, including on audits. Microsoft has substantial experience supporting customers in executing on audits and in providing a level of transparency and assurance for continuous oversight and monitoring of its cloud services.
DORA aims to strengthen the operational resilience of the FSI sector and seeks to bolster risk management so that firms can withstand and adapt to a wide range of threats and disruptions. Microsoft will comply with all laws and regulations applicable to it in providing its cloud services, subject to the requirements as applied to it as a CTPP. FSI entities that have in place contractual arrangements for the use of ICT third-party services shall remain accountable for compliance with all obligations under DORA and the applicable financial services regulatory requirements, and Microsoft will support them in this as required.