Banks, insurance firms, investment services, asset or crypto-asset managers… Europe’s financial sector is among the most digitalised, and, by extension, among the most exposed to cyber risk. To tackle this growing exposure, the European Union has adopted the Digital Operational Resilience Act (DORA), which sets a high bar for cybersecurity and digital resilience across the industry and its technology partners.
In this summer edition of your Compliance Check-Up series, we break down the key principles of DORA, who falls within its scope, and how this new regulation is reshaping the relationship between financial institutions and their third-party digital service providers (like Axeptio 👋).
Shoring Up Digital Defences in the Financial Sector
DORA is part of the EU’s Digital Finance Package, a broader set of measures designed to modernise and secure the financial sector in today’s digital-first world.
“Its objective is crystal clear: to strengthen the digital operational resilience of financial entities. In other words, to ensure that, even in the face of a cyberattack or a major IT disruption: services continue, data remains protected, and operations can be restored without triggering systemic chaos.” — Eunice Amisi, Business and Data Protection Lawyer at Axeptio
To deliver on that promise, DORA lays down wide-ranging requirements around risk management, oversight, incident reporting, business continuity, and the governance of contractual relationships with ICT service providers. Sounds heavy? Don’t worry—we’ll unpack it all further down.
Who Falls Under DORA’s Scope?
DORA’s reach is broad, to say the least. It applies to nearly all financial sector players operating within the European Union.
That includes banks, insurance companies, investment firms, asset and portfolio managers, market infrastructure operators, crypto-asset service providers and crowdfunding platforms.
But the regulation goes a step further: it also reaches their technology partners. Third-party ICT service providers, whether they offer cloud hosting, SaaS solutions, data storage, or consent management platforms like Axeptio, are bound through the contractual requirements DORA imposes on financial entities, and providers designated as critical by the European supervisory authorities come under direct oversight.
In short, thousands of organisations across Europe now fall under the purview of this new regulatory framework.
Understanding DORA’s Contractual Compliance Framework
Article 28(5) of DORA spells it out clearly: financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. This includes cloud providers, infrastructure suppliers, SaaS platforms—and yes, consent management platforms too.
“The contract becomes the cornerstone of DORA compliance. It must anticipate every scenario: where data is stored, whether it’s subcontracted, under what conditions it can be retrieved, and how the provider cooperates with financial entities and regulatory authorities in the event of a security incident, an audit, or regulatory scrutiny.” — Eunice Amisi, Business and Data Protection Lawyer at Axeptio
In practice, that means transparency: services must be described in exhaustive detail, leaving no ambiguity about their nature or the possibility of subcontracting. It also means defining service levels, with quantitative and qualitative performance targets, and how they will evolve over time, to eliminate grey areas in case of a dispute or incident.
And what if an incident does occur? The provider must be able to step in fast to support crisis management, either at no extra cost or at a cost agreed in advance. Likewise, providers are expected to cooperate fully with the competent and resolution authorities, including during investigations or resolution procedures, and must commit to doing so contractually.
DORA also sets high expectations when it comes to data protection—not just confidentiality, but also availability, authenticity, and integrity. Providers must ensure that data can be accessed, recovered and returned in an easily accessible format in the event of contract termination, insolvency, resolution, or discontinuation of the provider’s business. Financial entities must also be told where their data will be processed and stored, and be notified in advance of any planned change to those locations.
Finally, a telling sign of DORA’s philosophy: contracts must also provide for tech providers to take part in the ICT security awareness programmes and digital operational resilience training set up by financial institutions. Because digital resilience isn’t just about contract clauses—it’s about building a security culture over time.
Axeptio: A Trusted Partner Compliant with the DORA Regulation
At Axeptio, DORA compliance isn’t a distant target—it’s business as usual. And that’s precisely what enables us to support demanding financial institutions with complete peace of mind when it comes to managing consent data.
“Being compliant with the DORA regulation is not just a prerequisite for continuing to operate in the financial sector, it also reflects our core philosophy when it comes to consent management. This transparency doesn’t only stem from a user-friendly interface, an educational approach, or solid opt-in rates, it’s first and foremost about a long-term commitment to regulatory rigour and responsible data practices.”
— Christophe Landat, Lawyer called to the Bars of Montpellier and Montreal, Legal Director and Co-Founder of Axeptio

Are you impacted by DORA and looking for a tech partner who’s already aligned with your regulatory requirements?