DORA: Introducing digital resilience for financial companies | ALLES LEGAL #100

🎧 How does DORA affect your business? In this episode, learn why the new EU framework for digital resilience is changing everything – and what ‘critical ICT service providers’ have to do with it.

This podcast episode is about the new EU legal framework DORA (Digital Operational Resilience Act), which affects all regulated financial companies – from fintechs and payment service providers to major banks. DORA is the first binding regulation on how financial companies must strengthen their digital resilience.

But what does this mean in practice? Which companies are affected by the new requirements, and how does DORA differ from the existing NIS2 Directive? Of particular interest is the new focus on ‘critical ICT service providers’ – a term that represents a real game changer for many market participants. Dana Wondra discusses these and other questions with Josefine Spengler, a lawyer at Annerton and a specialist in IT law who provides legal support to financial companies in the implementation of DORA.

The five pillars of DORA at a glance

DORA follows a clearly structured approach based on five central pillars. The first is ICT risk management, which financial companies should use to systematically identify and control risks in their IT infrastructure. This is supplemented by mandatory procedures for reporting serious ICT-related incidents and by regular digital resilience testing to check resistance to cyber threats. The remaining pillars are ICT third-party risk management – i.e. dealing with external IT service providers – and the structured exchange of information on cyber threats within the financial sector.

Infographic: The 5 Pillars of DORA

Who is a ‘critical ICT service provider’?

DORA significantly broadens the regulatory perspective and, for the first time, directly targets technology service providers that previously operated outside the immediate regulatory framework. With the introduction of the term ‘critical ICT service provider,’ the EU is establishing a new form of supervision for key IT partners, such as cloud providers, core banking platforms and payment software providers. This has far-reaching consequences for regulated financial companies: they must revise their contracts, reporting processes and exit strategies and adapt them to the new regulatory requirements.

Looking ahead to the next episode

The next episode will focus on the topic of third-party ICT management: What requirements does DORA place on contract design? How can the new requirements be implemented in practice?

Test it now quickly and easily: How ready is your company for DORA?

🎯 Take advantage of Annerton’s free DORA self-test: In just a few minutes, you can check your individual DORA maturity and identify specific areas for action.


About this podcast

Alles Legal – Fintech Recht Kompakt delivers sharp, weekly insights into legal and compliance matters in the world of banking. (in German only)
This podcast is a collaboration between Payment & Banking and PayTechLaw.
Each Wednesday, we unpack the legal developments shaping the financial world – clearly, concisely, and without the legal jargon.
Since 2021, PayTechLaw authors and Annerton attorneys have brought depth and clarity to complex topics.
Whether it’s PSD3, DORA, or FiDA – we provide the legal context you need.
In 20 minutes. No detours.
