
The Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act sets binding ICT resilience requirements and strengthens continuity, whereby firms must demonstrate evidence of recoverability and third-party control from 17 January 2025.

What is DORA?

The Digital Operational Resilience Act (DORA) is a European Union regulation designed to ensure that financial institutions can withstand, respond to, and recover from information and communication technology (ICT) disruptions. Its core purpose is to create a single, harmonised regulatory framework for digital operational resilience across the EU financial sector, replacing fragmented national rules and closing gaps in how ICT risk is regulated.

Scope of application

DORA applies broadly across the EU financial system, including banks, insurers, investment firms, payment and electronic money institutions, market infrastructures, and certain crypto-asset service providers. Crucially, it also brings critical third-party ICT service providers within the regulatory perimeter, recognising that concentration and outsourcing risk can pose systemic threats even where failures occur outside regulated institutions themselves.

Regulatory focus and requirements

At its core, DORA establishes binding requirements across five pillars: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information-sharing arrangements. These requirements are outcomes-based but enforceable, obliging institutions to demonstrate effective governance, clear accountability at board and senior management level, and evidence that resilience capabilities are operational rather than theoretical.

Why it matters

DORA matters because it shifts regulatory expectations from preventing ICT incidents to proving resilience and recoverability under severe but plausible disruption. Financial institutions must now show regulators that critical services can continue even when systems fail or vendors become unavailable. In doing so, DORA elevates ICT resilience to a core prudential and conduct concern, with direct implications for governance, outsourcing strategies, and supervisory scrutiny across the EU financial sector.

Who must comply & what is expected

Who must comply

The Digital Operational Resilience Act (DORA) applies to a wide range of EU financial entities, including banks, insurers, investment firms, payment and electronic money institutions, market infrastructures, and certain crypto-asset service providers. Importantly, DORA also captures critical third-party ICT service providers that supply technology supporting essential financial services, extending regulatory oversight beyond traditional regulated entities to address systemic concentration and outsourcing risk.

What is expected

In-scope entities are expected to establish, implement, and continuously maintain robust digital operational resilience capabilities. This includes formal ICT risk management frameworks, board-level accountability, timely incident reporting, regular resilience testing, and strong governance over third-party ICT dependencies. Crucially, institutions must be able to demonstrate through documented controls, testing outcomes, and oversight mechanisms that they can withstand, respond to, and recover from severe but plausible ICT disruptions, rather than merely asserting preparedness.

How software escrow maps to DORA

DORA applies across a wide range of EU financial-sector participants, while also addressing risk arising from ICT supply chains. It is deliberately technology-agnostic and does not prescribe specific tools or solutions. Instead, DORA consistently frames requirements around outcomes such as the security, integrity, and availability of ICT systems and services, leaving firms responsible for selecting and evidencing controls that achieve those outcomes.

Within this outcomes-based structure, Articles 25 and 26 introduce a clear and enforceable requirement for financial entities to maintain and test stressed exit plans for failed or failing ICT services. These plans must be capable of enabling an institution either to bring the service in-house or to transfer it to an alternative third-party provider without disrupting critical business services. DORA explicitly identifies supplier failure, service deterioration, and concentration risk as mandatory test scenarios; these risks align directly with the trigger events typically addressed in software escrow arrangements.

From a supervisory perspective, DORA places emphasis on demonstrable risk controls rather than policy intent. Regulators assess whether firms can evidence independent testing and review, complete technical documentation, effective reporting, and clear oversight and accountability. Software escrow aligns with these expectations by providing verified access to critical software assets, documented recovery and transition capability, and auditable records that support governance and assurance. Escrow functions as a control that directly supports the regulation’s stressed exit, third-party risk, and resilience requirements.

How ESCROWSURE makes sure that you are compliant

ESCROWSURE supports compliance with the Digital Operational Resilience Act (DORA) by translating regulatory expectations for third-party ICT risk, stressed exit planning, and operational resilience into enforceable, auditable controls. Through structured escrow agreements, ESCROWSURE ensures that access to critical software, documentation, and deployment artefacts is contractually secured in advance of failure. This directly supports DORA requirements to manage supplier failure, service deterioration, and concentration risk, and enables institutions to demonstrate that exit and substitution plans are not aspirational but operationally viable.

In addition, ESCROWSURE strengthens compliance by providing evidence-based assurance aligned with supervisory expectations. Deposit management, update controls, verification processes, and documented release conditions create a clear audit trail that supports independent review, governance oversight, and regulatory reporting. ESCROWSURE helps ensure that the institution can demonstrate a proactive response to the recoverability, accountability, and resilience outcomes required under DORA during audits, inspections, and supervisory assessments.

Commencement & Recent updates

The Digital Operational Resilience Act (DORA) entered into force on 10 January 2023, following its publication in the Official Journal of the European Union. While legally in force from that date, DORA included a transitional period to allow financial entities and ICT third-party providers time to implement the required governance, risk management, and resilience controls. Full application and enforceability of DORA requirements commenced on 17 January 2025, from which point competent authorities may exercise supervisory and enforcement powers for non-compliance.

Update: Technical standards and implementing measures

Since its entry into force, DORA has been supplemented by a comprehensive set of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed by the European Supervisory Authorities. These technical standards provide detailed requirements on areas such as ICT risk management frameworks, incident classification and reporting, digital operational resilience testing, and oversight of critical third-party ICT service providers. Their adoption has materially increased clarity and supervisory consistency, shifting DORA from a high-level regulation to an operationally testable compliance regime.

Update: Transition to active supervision

With DORA now fully applicable, regulatory focus has moved from implementation planning to evidence-based supervision. Financial entities are expected to demonstrate that ICT risk controls, resilience testing, and stressed exit plans are operational, documented, and independently reviewable. Particular supervisory attention has emerged around third-party ICT risk, concentration risk, and exit readiness, reflecting DORA’s objective to address systemic vulnerabilities arising from digital dependency rather than isolated firm-level failures.

Frequently Asked Questions

Is the agreement customizable? How much customization do you allow?

Yes, absolutely. We believe that each escrow environment is unique and requires a customized approach. ESCROWSURE’s in-house legal counsel will craft a bespoke escrow agreement tailoring the provisions to meet the needs of your specific requirements.

What are the implications of DORA?

The Digital Operational Resilience Act (DORA) materially raises regulatory expectations for how financial entities manage, test, and evidence ICT resilience. Its implications include stronger board and senior management accountability, mandatory resilience testing, formalised incident reporting, and enhanced oversight of third-party ICT providers. Non-compliance exposes firms to supervisory intervention, enforcement action, and reputational risk, particularly where institutions cannot demonstrate recoverability and continuity of critical services under severe but plausible disruption.

How does DORA relate to other regulations?

DORA is designed to complement, not replace, existing EU financial services regulation. It operates alongside sectoral frameworks such as MiFID II, Solvency II, CRD/CRR, and the Payments Services framework, focusing specifically on ICT and digital operational resilience rather than prudential capital or conduct outcomes. DORA also aligns with broader EU digital initiatives by standardising ICT risk management and resilience requirements across sectors, reducing fragmentation while preserving consistency with existing supervisory regimes.

Why do we need escrow for SaaS applications?

With SaaS applications, software is not accessed on a server located on the end user's premises but is instead hosted remotely in the cloud by a hosting services provider, usually paid for by the software vendor. This introduces an additional layer of risk, as it adds to the supply chain dependencies.

In addition, the data generated by the application is hosted in the cloud too. This means that if the software vendor were to stop answering the phone, both application and data could be beyond the reach of the end user immediately.

Some end users believe that a migration to a cloud service eliminates the need for an escrow arrangement.

But this is not true.

If anything, the need for escrow is greater for SaaS applications, because the additional layer of risk puts both the software and the data at risk if the worst should happen.

Is DORA a one-off compliance exercise or an ongoing process?

DORA is explicitly an ongoing compliance obligation rather than a one-time implementation project. Financial entities are required to continuously maintain ICT risk management frameworks, perform regular resilience testing, reassess third-party dependencies, and update stressed exit plans as technologies, vendors, and risk profiles evolve. Supervisory expectations under DORA are forward-looking, meaning institutions must demonstrate sustained operational resilience over time, not point-in-time compliance.

What are the challenges for implementing DORA?

Key challenges include identifying and managing complex third-party ICT dependencies, designing credible and testable stressed exit plans, and producing auditable evidence of resilience across distributed systems and suppliers. Many institutions also face practical difficulties in aligning legacy IT environments with DORA’s standards and documentation expectations, as well as embedding board-level oversight over technical risk domains. These challenges are compounded by the regulation’s outcomes-based nature, which places the burden on firms to prove effectiveness rather than simply adopt prescribed controls.