Introduction
Since its entry into force last January, financial institutions worldwide are still working very hard to finish their compliance programs focused on the requirements arising from the Digital Operational Resilience Act (officially Regulation 2022/2554, “DORA”). DORA has been introduced by the European legislator in response to increasing cyber threats and the growing reliance on digital services within the (European) financial sector. The legislation requires financial institutions to ensure digital operational resilience, with ICT services and third parties playing a crucial role. This means that financial institutions are imposing stricter requirements on their ICT third-party suppliers in terms of, for instance, risk management, monitoring, auditing and periodic reporting.
In this article, I’ll explain why I firmly believe that legislation like DORA should not be regarded as a regulatory hurdle but as an opportunity for financial institutions and their ICT partners to evolve, grow and take the next step in maturity. Rather than delving into all technical specifics of DORA's formal requirements, which have been extensively covered elsewhere, this article will explore how embracing DORA can strategically enhance your organization: by elevating compliance efforts to meet DORA standards, companies can cultivate stronger, more transparent relationships with their clients, positioning themselves as trustworthy and forward-thinking partners. Ultimately, DORA compliance is not just about adhering to regulations or client demands; it is about leveraging these requirements to establish a secure, resilient foundation that will drive long-term success with your clients in the financial sector.
A compliance burden
For us IT lawyers, especially when employed by an ICT company, it is essential to understand how DORA-like legislation affects the contractual and operational responsibilities between financial institutions and their ICT partners. Robust and sustainable compliance with DORA can not only reduce compliance challenges but also provide commercial opportunities. However, ICT companies don’t always see it that way. New legislation like DORA is often perceived as a regulatory burden imposed by financial institutions: contractual obligations must be revised, compliance requirements are becoming more stringent, and regulatory pressure is increasing. At first glance, it therefore seems unsurprising that many ICT suppliers react adversely to DORA-related requests. However, is such resistance justified?
Many of the requirements set forth by DORA should not be news to ICT suppliers. In fact, the fundamental principles underlying DORA — state-of-the-art security management, continuous monitoring, through-the-chain transparency — should already be standard practice within a well-structured ICT service framework. Instead of resisting compliance, suppliers should recognize and leverage the commercial opportunities that DORA presents.
A competitive advantage
“So,” you say, “what are these commercial opportunities you’re referring to?” Let me address a few.
Firstly, it is possible to enhance client value and develop a strengthened relationship with your clients in the financial sector. As stated, DORA mandates a proactive and structured approach to security, incident management, and operational resilience. Full compliance demonstrates that an ICT supplier is not merely fulfilling regulatory obligations but is also a reliable and forward-thinking business partner. Moreover, DORA encourages regular and structured engagement between financial institutions and their ICT suppliers beyond incident-driven interactions. This fosters deeper strategic collaboration and enhances long-term partnership opportunities.
Another commercial opportunity relates to competitive positioning. ICT suppliers that proactively embrace DORA position themselves as preferable, responsible vendors within the financial sector. Transparency regarding security measures, subcontracting arrangements, and audit processes is now a key differentiator in an increasingly regulated environment. For smaller ICT companies operating in a competitive market, this can be a unique selling point. The ability to adapt to regulatory requirements can enhance competitive positioning.
Thirdly, from an operational perspective, addressing DORA requirements proactively allows for greater control. By doing so, ICT suppliers can avoid rushed contractual adjustments imposed under client pressure. This ensures a structured, efficient, and seamless implementation of regulatory mandates without disrupting service delivery and, even more importantly, without disrupting ongoing innovative development activities.
Achieve excellence
The critical success factor lies in the approach taken by ICT suppliers. A passive or defensive stance (“we already comply, so this is redundant”) amounts to a missed opportunity. Conversely, active and cooperative engagement signals a commitment to achieving the highest standards of digital operational resilience.
ICT suppliers are, after all, the foremost experts on their own products and the security mechanisms associated with them. Financial institutions highly value suppliers who not only comply with evolving regulatory requirements but also contribute strategic insights and remain open to dialogue. Ultimately, fostering a long-term relationship requires ICT suppliers to move beyond ‘simple’ service provision and assume the role of trusted advisors within the financial sector’s supply chain.
DORA should not be viewed as a regulatory burden but rather as a strategic opportunity to enhance market positioning, client relationships, and overall business value. The question is not whether compliance is necessary, but how ICT suppliers can transform regulatory adherence into a competitive advantage.
In the end, embracing DORA is not just about ticking compliance boxes; it is about demonstrating leadership in digital resilience. And who knows? A proactive stance today might just turn into your biggest selling point tomorrow.