Reporting Obligations & Supervisory Rights: DORA and the State

The Regulation (EU) 2022/2554 – known as the Digital Operational Resilience Act (DORA) – is fundamentally reshaping the legal framework for digital resilience in the financial sector. It affects not only traditional banks and insurers but also fintechs, payment institutions, and increasingly, critical IT service providers. In a digitalized financial world shaped by cloud platforms and data-driven ecosystems, DORA penetrates deep into the organizational and technical fabric of many institutions.

This article aims to present the central duties and supervisory powers in a clear yet precise manner. From the viewpoint of a seasoned IT procurement professional, this raises not only legal and technical questions but also economic, strategic, and societal concerns.

Context: Why DORA?

The financial sector’s growing dependence on digital infrastructures and global service providers has introduced new threats: cyberattacks, IT disruptions, and supply chain vulnerabilities. The EU has responded with the first binding, sector-specific regulation on digital resilience. DORA is part of the European Commission’s Digital Finance Package and complements initiatives like the NIS2 directive and existing oversight rules.

Unlike voluntary frameworks such as ITIL or ISO 27001, DORA is legally binding. It applies directly across all EU member states and provides for penalties of up to €10 million or 2% of global turnover – whichever is higher (Art. 50 DORA).

Who Is Affected?

DORA applies to:

  • Credit institutions and payment providers
  • Insurance and reinsurance undertakings
  • Investment firms, trading venues, CCPs, CSDs
  • Asset managers (UCITS, AIFMs)
  • Providers of critical ICT services (e.g., cloud, SaaS, infrastructure)

Significantly, non-EU service providers can also fall under DORA if they deliver essential services to EU-based financial firms. This extraterritorial scope mirrors the GDPR.

Critical ICT service providers are subject to a separate oversight regime managed by the Joint Oversight Forum, coordinated by EBA, ESMA, and EIOPA.

Reporting Obligations: Who, When, How?

An incident is reportable if it:

  • Significantly disrupts business operations
  • Involves loss or compromise of sensitive data
  • Has cross-border effects, or
  • Involves malicious threats (e.g., DDoS, ransomware)

Key classification criteria include:

  • Duration and impact of the incident
  • Number of clients affected
  • Financial loss
  • Downtime and recovery effort

Critical question: How precise are these definitions in day-to-day operations?

Terms such as “significant” or “critical” are open to interpretation. Regulatory technical standards (RTS) are currently under development to define thresholds and formats.

Reporting Deadlines Under DORA

  • Initial notification: within 4 hours of detection
  • Intermediate report: within 3 days
  • Final report: within one month

This requires:

  • Clear governance (roles and responsibilities)
  • Fast incident detection and classification capabilities

Comparison: DORA vs. NIS2 vs. KRITIS

Many firms face regulatory overlap. Here’s how DORA compares:

Feature     | DORA (Financial Sector)          | NIS2 / KRITIS (Cross-sector)
Scope       | Finance + critical ICT providers | Energy, health, water, etc.
Supervision | EBA, ESMA, EIOPA + national      | BSI + local agencies
Reporting   | 4h / 3d / 1 month                | 24h / 72h
Sanctions   | Up to 2% global turnover         | Up to €10 million
Legal Form  | Directly applicable regulation   | Directive needing national implementation

Info: Firms falling under both regimes must comply with both in parallel.

Implications for ICT Service Providers

A crucial yet often overlooked consequence of DORA: Even non-regulated firms – especially ICT providers – may be indirectly impacted.

Once designated “critical,” ICT vendors must:

  • Grant audit and inspection rights
  • Implement resilience measures
  • Define contractual exit strategies
  • Establish structured reporting protocols

Note from practice: Vendors rarely offer such clauses proactively. Expect heavy renegotiation.

Also: DORA compliance must be priced in – the compliance burden is real.

Tools & Implementation Support

Purpose                   | Tools & Providers
Incident detection (SIEM) | Microsoft Sentinel, Splunk, QRadar, Elastic
Incident management       | Jira Service Management, ServiceNow, Remedy
Business continuity       | Fusion Risk, Castellan, MetricStream
GRC & audit               | OneTrust, Drata, SAP GRC, LogicGate
Reporting & analytics     | Power BI, Qlik, Tableau, Snowflake
CMDB & documentation      | i-doit, LeanIX, ServiceNow CMDB
Automated reporting       | OneTrust IRM, Archer, Vanta

Not every organization needs all of these – integration and data consistency matter most.

Supervisory Powers

DORA expands national regulators’ mandates:

  • Authority to audit even non-EU vendors
  • Power to conduct on-site inspections and penetration tests
  • Rights to block contracts
  • Oversight of outsourced ICT services

Open questions include:

  • How will non-EU enforcement work?
  • How is DORA reconciled with data protection (GDPR)?
  • Where does supervision end, and overreach begin?

Comparative Governance View:

Measure              | DORA                                 | Centralized Surveillance (e.g., DDR models)
Purpose              | Resilience and market stability      | Control and power retention
Legal Basis          | EU law, democratic mandate           | Executive decree
Access to IT systems | Regulated and justified              | Total surveillance
Transparency         | Public RTS, consultations, oversight | Opaque and unchecked

Governance & Practical Advice

Organizations need governance models tailored to DORA:

  • Responsibility: Who owns incident classification and reporting?
  • Contracts: Are SLAs clear on audits and continuity?
  • Roles: Who signs off, who executes?

Recommendations:

  • Include DORA in your Incident Response Plan
  • Automate thresholds for escalation
  • Run simulation exercises with regulators
  • Track internal metrics like MTTD, MTTR
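As an added example that is not part of the article, the small Python tracker below applies the article's four reportability triggers and its 4h / 3d / 1 month deadline ladder to constructed incident records, flags stages that were reported late or not at all, and computes MTTD and MTTR; the 30-day month and the field names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional
# Reporting ladder as stated in the article (4 h / 3 d / 1 month after detection);
# "one month" is assumed to be 30 days in this example.
STAGES = {"initial": timedelta(hours=4), "intermediate": timedelta(days=3), "final": timedelta(days=30)}

@dataclass
class Incident:
    name: str
    occurred_at: datetime            # when the disruption began
    detected_at: datetime            # detection starts the deadline clock
    resolved_at: Optional[datetime] = None
    submitted: dict = field(default_factory=dict)   # stage -> time the report was sent
    significant_disruption: bool = False            # the article's four triggers follow
    sensitive_data: bool = False
    cross_border: bool = False
    malicious: bool = False

def is_reportable(inc: Incident) -> bool:
    """Any one of the four triggers makes the incident reportable."""
    return inc.significant_disruption or inc.sensitive_data or inc.cross_border or inc.malicious

def deadlines(inc: Incident) -> dict:
    return {stage: inc.detected_at + delta for stage, delta in STAGES.items()}

def overdue_stages(inc: Incident, now: datetime) -> list:
    """Stages submitted late, or still unsubmitted after their deadline."""
    late = []
    for stage, due in deadlines(inc).items():
        sent = inc.submitted.get(stage)
        if (sent is None and now > due) or (sent is not None and sent > due):
            late.append(stage)
    return late

def mttd_hours(incidents: list) -> float:
    """Mean time to detect (occurrence -> detection), in hours."""
    return mean((i.detected_at - i.occurred_at).total_seconds() / 3600 for i in incidents)

def mttr_hours(incidents: list) -> float:
    """Mean time to resolve (detection -> resolution), resolved incidents only."""
    done = [i for i in incidents if i.resolved_at is not None]
    return mean((i.resolved_at - i.detected_at).total_seconds() / 3600 for i in done)

# Constructed sample records, not real incidents.
SAMPLE = [Incident("ransomware-batch-host", datetime(2025, 1, 10, 1), datetime(2025, 1, 10, 3),
                   datetime(2025, 1, 11, 3), {"initial": datetime(2025, 1, 10, 6)}, malicious=True),
          Incident("cooling-failure", datetime(2025, 1, 12, 8), datetime(2025, 1, 12, 8, 30),
                   datetime(2025, 1, 12, 12, 30))]
```

Feeding real ticket exports into `SAMPLE` turns `overdue_stages` into the escalation check the recommendation asks for, and the two metric functions into the MTTD/MTTR trend line.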

Financial Impact – Sample Budget

Cost Element          | Estimated Annual Cost
SIEM & Infrastructure | €120,000–250,000
Licensing & Software  | €80,000–160,000
Staffing & Expertise  | €150,000–300,000
Integration & APIs    | €70,000–150,000
Simulation & Testing  | €40,000–90,000

Additional hidden costs: delays in transformation projects, increased reporting workload (30–50% more).

Conclusion: Obligation, Opportunity, and Reality

DORA is more than a compliance issue – it is a strategic policy for securing the digital finance system. Yes, the demands are high. But so are the potential benefits:

  • Strengthened governance
  • Transparent operations
  • Competitive edge through compliance
  • Greater trust from clients and regulators

My view: DORA is a wake-up call. Not just for compliance teams – but for the whole organization.