
DORA & ICT Third-Party Risk Management: Toward Survival through Resilience Across the Supply Chain

29/09/2025

The European Union has been on a regulatory sprint to strengthen its digital defences. Alongside the NIS2 Directive, the Cyber Resilience Act, the EU AI Act and the Critical Entities Resilience Act, the Digital Operational Resilience Act (hereinafter: DORA)[1] forms part of a sweeping framework to harden Europe’s cyber posture. These laws reflect a recognition that resilience is no longer optional. Cyber risks are now a matter of systemic stability.

Importantly, DORA’s reach does not stop at EU borders.

Non-EU ICT providers, including those in Serbia, can find themselves subject to its requirements if they deliver services to EU financial institutions. Even if such providers are not formally designated as “critical,” they may still feel DORA’s impact. This is because EU financial entities are required to insert DORA-mandated clauses into contracts with all ICT providers. In practice, this contract-driven mechanism extends DORA’s influence deep into the supply chain. Even smaller or non-critical ICT providers outside the EU will face pressure to align with DORA, as financial institutions cannot risk non-compliant partners.

On the other hand, for Serbian banks that are part of international financial groups, the implications are particularly significant. Although Serbia is not an EU member state, subsidiaries and branches of EU-based financial groups must consistently implement DORA-compliant frameworks across their operations. This means that Serbian entities within these groups will be expected to align with DORA standards for ICT risk management, incident reporting, and third-party oversight. In practice, group-wide policies, contractual templates, and testing requirements will cascade down to Serbian branches and subsidiaries, ensuring that resilience obligations are applied uniformly across all jurisdictions where the group operates.

 

Why Is DORA Needed in 2025?

 

Adopted in 2023, DORA allowed a two-year implementation window for financial entities and their ICT providers to prepare. From 17 January 2025, its requirements apply in full across the EU.

Several forces are driving the global wave of cyber resilience regulations:

  • The growing frequency and sophistication of cyberattacks targeting financial services.
  • The need to protect critical infrastructure and essential services.
  • Heightened expectations around personal data and privacy protection.
  • The push to standardize cybersecurity practices across jurisdictions.
  • A desire to safeguard economic stability and trust in financial systems.

 

In short, cyber resilience has shifted from being a narrow IT concern to a boardroom-level business imperative.

DORA aims to ensure that all financial entities can withstand, respond to, and recover from technology disruptions. Its key objectives include:

  • Harmonizing digital resilience requirements across the EU.
  • Improving the security and integrity of the financial sector.
  • Enhancing incident reporting and risk management frameworks.

 

By setting accountability at the highest levels, DORA pushes resilience from being a compliance exercise to becoming a core business capability.

 

DORA and NIS 2: Which Law Prevails?

 

DORA was adopted on 16 January 2023, the very same date as the revised NIS2 Directive. While NIS2 is a broad framework aimed at strengthening cybersecurity and resilience across a wide range of essential and important sectors — such as energy, transport, health, digital infrastructure, and public administration — DORA zeroes in on the financial sector and its ICT dependencies. This naturally raises the question: which of the two frameworks prevails in matters of digital finance? The answer lies in the principle of lex specialis, meaning that a more specific law overrides a more general one when both apply. In practice, this makes DORA the governing standard for financial entities, while NIS2 provides the overarching rules for other critical industries. Rather than replacing NIS2, DORA complements it by tailoring resilience obligations to the unique risks and interdependencies of the financial ecosystem.[2]

Unlike NIS2, which establishes clear, quantified fine structures, DORA adopts a more flexible enforcement model. Instead of prescribing fixed penalties at the EU level, it empowers national supervisory authorities to decide on the most suitable corrective measures within their jurisdiction. This design gives Member States room to tailor enforcement to their legal traditions and regulatory practices.

Still, the absence of predefined fines should not be mistaken for leniency. DORA gives authorities sweeping powers: they can impose financial penalties, mandate corrective action, or even publish public statements naming the entities responsible for breaches. In some cases, reputational exposure may carry more weight than financial sanctions, acting as a strong incentive for firms to stay compliant.

Aspect | NIS2 Directive | DORA
--- | --- | ---
Nature of sanctions | Predetermined, quantified fines set at the EU level | Discretionary, left to national supervisory authorities
Examples of penalties | Administrative fines up to €10 million or 2% of global annual turnover (whichever is higher) | Any corrective measure deemed necessary, including pecuniary sanctions, remediation orders, or suspension of activities
Transparency measures | Not specifically highlighted | Authorities may publish statements naming the entity and describing the breach
Consistency across EU | Uniform thresholds across Member States | Potential variation depending on national implementation and regulator discretion
Primary deterrent | Heavy financial fines | Combination of financial penalties and reputational risk

 

DORA in Context: A Global Trend

 

While DORA is a flagship regulation for the EU, it is part of a much larger global movement:

  • United States: SEC rules on cybersecurity governance and incident disclosure (2023).
  • Singapore: Amendments to its Cybersecurity Act.
  • Brazil: New cybersecurity regulations and authority bill (2024).
  • India: Digital India Act with cyber requirements.
  • Australia: Finalizing resilience regulations.
  • Canada: Operational risk and resilience guidelines, plus its Critical Cyber Systems Protection Act.
  • Japan: New draft regulations on incident handling.
  • Serbia: Moving toward closer alignment with EU cyber and financial regulatory standards due to cross-border banking integration.

 

Clearly, operational resilience is no longer a concern exclusive to Europe. It’s becoming a global regulatory standard.

 

Who Falls Under the Scope of DORA?

 

A common misconception is that DORA applies only to banks. In reality, the regulation casts a much wider net. DORA sets out a closed list of 20 types of financial entities that fall directly within its scope, including:

  • Credit institutions
  • Insurance and reinsurance companies
  • Investment firms and asset managers
  • Payment institutions and electronic money institutions
  • Crypto-asset service providers
  • Market infrastructure operators such as trading venues and central counterparties.[3]

 

Beyond these financial institutions, DORA also applies to ICT third-party service providers that deliver critical digital services to the sector. This ensures that both the core of the financial system and the technology partners it relies on are held to the same high standards of resilience.

Indirectly, DORA also creates ripple effects for a wide range of organizations:

  • Smaller ICT suppliers and subcontractors that support these critical providers must also adapt, since contractual obligations will cascade down the supply chain.
  • Professional service firms (consultants, auditors, managed security providers) working with financial entities will need to meet tougher requirements in contracts.
  • Even non-financial firms that provide essential digital services to financial institutions (such as telecoms, analytics platforms, or specialized SaaS tools) will feel the effects through the contractual terms those institutions impose.

 

What Does “Digital Operational Resilience” Actually Mean?

 

What DORA introduces is not just a change in terminology, but a fundamental shift in mindset for the financial sector. Traditionally, cybersecurity has been about building defences and reacting once an incident occurs. DORA pushes institutions to go further: to build structures and processes that allow them to continue operating even in the middle of disruptions or cyberattacks. This is the essence of resilience — not simply preventing failure, but ensuring continuity in spite of it.

The true focus of DORA is on safeguarding the reliability and integrity of financial services under adverse conditions. Protecting assets such as data, software, and hardware remains vital, but it is not the ultimate objective. Under DORA, protection is a means to a greater goal: ensuring resilience, the capacity to maintain critical functions and recover swiftly when things go wrong.

While the regulation stops short of mandating full “security by design,” it is clear that European regulators are steering the industry in that direction, and resilience is the bridge on that path.

 

The Five Core Pillars of DORA

 

DORA establishes five interconnected pillars to reinforce digital operational resilience across the financial landscape:

  1. ICT Risk Management – embedding resilience into technology governance and strategy.
  2. ICT Incident Reporting – ensuring structured detection, response, and regulator notifications.
  3. Digital Operational Resilience Testing – validating systems through penetration testing and scenario exercises.
  4. ICT Third-Party Risk Management – setting rules for contracting, oversight, and concentration risk management.
  5. Information & Intelligence Sharing – promoting collaboration across institutions to strengthen collective defences.

 

These pillars apply to both financial entities and their ICT partners, ensuring resilience is shared across the entire value chain.

In this text, we focus on pillar four – ICT Third-Party Risk Management.

 

ICT Third-Party Risk: The Heart of DORA

 

Among the five pillars, ICT third-party risk management receives special emphasis. DORA seeks to prevent systemic vulnerabilities that could arise if a major technology provider fails. It should be noted that this workstream belongs to CISOs as well as to legal departments.

Key requirements include:

a. Drafting a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.[4]

b. Building and maintaining a register of information, a comprehensive inventory of your ICT vendor landscape. The register should make it clear which providers are involved in delivering critical or important functions, and which are not. Regulators have the right to request this register at any time, so it must be accurate, current, and readily available. Additionally, financial entities shall report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements and the ICT services and functions which are being provided.[5]

c. Before establishing any cooperation, financial entities must identify and evaluate all potential risks linked to the contractual arrangement and carry out a comprehensive due diligence review of the prospective vendor. This process should assess not only technical capabilities, but also the provider’s financial stability, security posture, compliance record, and ability to ensure business continuity.[6]

d. Introducing strict contractual obligations: contracts must cover service descriptions, SLAs, data security, continuity planning, subcontracting restrictions, and service locations.[7]

e. Enacting additional safeguards for critical services: monitoring rights, mandatory participation in resilience testing, exit strategies, and transition assistance.

f. Financial entities must go beyond simply vetting individual ICT providers. They are also required to assess concentration risk, i.e., the danger that arises when many firms rely on the same ICT provider for critical or important services. This obligation ensures that systemic vulnerabilities do not build up across the sector if a single provider experiences disruption.[8]

g. Under DORA, certain ICT providers may be designated as critical third-party providers. Once this designation is made, they come under the direct oversight of the European Supervisory Authorities (ESAs), acting through a “Lead Overseer.” The ESAs are empowered to carry out inspections, request information, and issue recommendations to ensure that these providers maintain adequate resilience standards.[9]

The overall goal is simple but ambitious: ensure outsourced ICT services do not create systemic risks for the financial sector.

 

Stricter “Know-Your-Subcontractor” Requirements

 

DORA recognizes that ICT services for financial entities often rely on complex subcontracting chains, which create challenges in identifying and managing risks. Importantly, financial entities remain fully responsible for resilience, even when subcontractors are involved.

Following the adoption of Commission Delegated Regulation (EU) 2025/532[10], which sets the binding Regulatory Technical Standards (RTS) on subcontracting, the rules now provide greater clarity on how DORA applies in practice. Under these RTS, financial entities must:

  • Ensure contracts with ICT providers clearly describe the services, including whether subcontracting of critical or important functions is permitted and under what conditions.
  • Retain visibility into subcontracting arrangements and assess associated risks, even when multiple providers contribute to critical services.
  • Maintain a structured framework for monitoring and managing subcontracting risks, supported by oversight mechanisms to ensure that resilience is not weakened across the chain.
  • Require ICT providers to apply due diligence to their subcontractors and flow down key contractual obligations where appropriate.

 

While the Commission removed some provisions from the original draft (such as the requirement to monitor the entire subcontracting chain in detail), the final RTS still impose stricter “know-your-subcontractor” obligations. Financial entities and ICT providers alike must strengthen contractual terms, oversight processes, and risk management practices to ensure subcontractors involved in critical ICT services do not create vulnerabilities in operational resilience.

 

DORA Requirements and Serbian Law

As the EU’s Digital Operational Resilience Act (DORA) ushers in a new era of resilience for the financial sector, its influence is already visible beyond EU borders. Serbia has been steadily modernizing its regulatory landscape through the National Bank of Serbia’s framework on ICT governance, secure authentication, and outsourcing. Apart from the proposal of the new Law on Information Security and the Personal Data Protection Act, which is aligned with the GDPR, the National Bank of Serbia enacted several key pieces of legislation applicable to the ICT systems in the financial sector[11]. Although Serbian institutions are not formally bound by DORA, these measures align closely with its core pillars: ICT risk management, incident reporting, resilience testing, and third-party oversight. The final RTS on Threat-Led Penetration Testing (TLPT), which builds on the TIBER-EU methodology, demonstrates how Europe is setting the bar for proactive, scenario-based testing. For Serbian financial institutions, this alignment is more than compliance; it is an opportunity to benchmark against the highest standards, strengthen trust in the market, and position themselves competitively in a region increasingly integrated with the EU’s financial ecosystem. In practice, being “DORA-ready” today means being future-proof tomorrow.

 

[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
[2] Recital 16 of DORA reads as follows: “This Regulation constitutes lex specialis with regard to Directive (EU) 2022/2555. At the same time, it is crucial to maintain a strong relationship between the financial sector and the Union horizontal cybersecurity framework as currently laid out in Directive (EU) 2022/2555”.
[3] The entire list is prescribed under Article 2, para. 1 of DORA.
[4] Article 28, para. 2 of DORA.
[5] Article 28, para. 3 of DORA.
[6] Article 28, para. 4 of DORA.
[7] Article 30 of DORA.
[8] Article 28, para. 2 and Article 30, para. 2(e) of DORA.
[9] Articles 31-34 of DORA.
[10] Commission Delegated Regulation (EU) 2025/532 of 24 March 2025 supplementing Regulation (EU) 2022/2554 (DORA) with regard to regulatory technical standards specifying the conditions under which financial entities may subcontract ICT services supporting critical or important functions to ICT third-party service providers. Published in the Official Journal L, 2 July 2025, in force from 22 July 2025.
[11] Key Serbian legislation relevant for DORA-like compliance includes:
  • Rulebook on Minimum Standards for Managing Information-Communication Systems of Financial Institutions (Official Gazette RS 102/2024)
  • Decision on Technical Standards for Reliable Customer Authentication and Secure Communication (Official Gazette RS 102/2024)
  • Decision on Conditions and Manner of Outsourcing ICT System Activities of Financial Institutions to Third Parties (Official Gazette RS 100/2023).
