DORA and the SME Sector: Between Resilience and Market Exclusion

The EU’s Digital Operational Resilience Act (DORA) has a clear objective: to make digital risks manageable for financial firms, enable faster detection of cyberattacks, and ensure continuity of IT services. But as with many well-intended regulations, execution may yield unintended consequences.

This article explores why DORA may become an existential burden for small and medium-sized IT service providers (SMEs) – and what that means for innovation, competition, and ultimately, the financial sector itself.


1. The Objective: High Security, High Standards

DORA mandates a comprehensive set of requirements for financial firms and their “critical ICT third-party providers”:

  • Reporting major ICT incidents within 4 hours
  • Conducting resilience tests (e.g., TLPT)
  • Implementing documented recovery and continuity plans (BCP, RTO, RPO)
  • Allowing audits – even unannounced – by authorities or financial clients
  • Logging all systems, processes, and interfaces
  • Drafting contracts with exit strategies, audit clauses, and evidence obligations

For large players like Microsoft, IBM, SAP, or AWS, these are routine matters. For SMEs with 30 to 300 employees, it means a profound overhaul of contracts, staffing, processes, and IT standards.


2. Reality Check: Painful Compliance Costs

Studies by Bitkom, KPMG, and ISACA reveal that average initial costs for regulatory IT compliance range between €120,000 and €450,000, depending on service complexity.

Example: Mid-sized IT firm offering cloud services

| Cost Category        | Description                                   | Estimated Cost    |
|----------------------|-----------------------------------------------|-------------------|
| Certifications       | ISO 27001, possibly ISO 22301                 | €40,000           |
| Legal Advisory       | Contract reviews, compliance clauses          | €25,000           |
| Technical Consulting | TLPT prep, architecture audits                | €30,000           |
| Internal Training    | 5–10 staff across IT, procurement, support    | €15,000           |
| Tooling              | GRC, SIEM integration, DMS links              | €20,000–€80,000   |

Conclusion: Securing a 3-year deal with a bank now demands investment before a single invoice is sent.

Many SMEs simply cannot afford this threshold – they stay out or exit voluntarily.


3. Procurement as a New Barrier

Procurement practices are already shifting. More tenders now contain strict DORA-driven requirements:

  • TLPT compatibility (Threat-led Penetration Testing)
  • Certified Business Continuity Management (BCM)
  • Disclosure of subcontractors
  • Commitment to unannounced audits
  • Integration with the client’s SIEM or CMDB systems

For SMEs whose operations are not built on GRC standards, this is often unachievable – even if their service quality and domain expertise are excellent.

A paradox arises: Regulatory risk avoidance leads to a shrinking vendor pool – and thus, new systemic risks.


4. Market Concentration Instead of Resilience?

Result: Tech giants like AWS, Microsoft Azure, Google Cloud, and Accenture benefit. They come pre-equipped with certifications, compliance teams, and legal departments.

  • Fewer qualified bidders: Bitkom reported a 40% decline in SME participation in IT procurement within finance between 2022 and 2024.
  • Price increases: With less competition, prices rise. DORA-compliant services now cost 8–12% more on average.
  • Fewer innovation drivers: Start-ups and specialized SMEs are increasingly excluded from tenders, despite being more agile and technically innovative.

Conclusion: DORA may unintentionally create concentration risks.


5. Competitive Imbalance: Global vs. Local

Another concern: Many global providers can bypass DORA requirements by operating through third-country structures or legal buffers.

Real-World Case:

A European software firm with 120 employees is fully DORA-regulated. A U.S.-based firm with 15,000 employees uses its Luxembourg subsidiary to shift regulatory risk.

Outcome: Success depends less on capability, more on jurisdictional leverage.


6. A Proportionate Strategy Needed?

DORA includes the possibility of proportional application, but execution remains ambiguous. Most financial firms choose the highest compliance tier to minimize liability – even for non-critical suppliers. A proportionate strategy would require:

  • Clear thresholds for audit and reporting requirements
  • Regulatory sandboxes and transition periods for SMEs and start-ups
  • Incentive programs to support compliance investment
  • Operational proportionality made enforceable and transparent

Final Thought: Resilience Requires Diversity

DORA is necessary and important. But without granular application, regulatory ambition might backfire:

  • By shrinking the supplier base
  • By increasing dependency on Big Tech
  • By stifling SME-driven innovation

If resilience is the goal, diversity is the method. And diversity depends on enabling SMEs to compete fairly – not locking them out by regulation.


Sources & Studies