DORA RISKS – When Resilience Becomes a Threat
DORA – the Digital Operational Resilience Act – is widely regarded as a regulatory milestone in the fight against cyber threats and IT outages in the financial sector. But the deeper one dives into its obligations and penalties, the more pressing a question becomes:
Could DORA itself become a risk?
The Starting Point: What Happens in Case of Non-Compliance?
According to Article 50 of the DORA regulation, non-compliant entities may face fines of up to 10 million euros or 2% of global annual turnover, whichever is higher.
Originally intended as a powerful incentive for compliance, this sanction raises existential questions in practice:
- Can small and mid-sized financial institutions survive such penalties?
- What happens to regional IT service providers if deemed “critical” but not compliant?
- Does DORA actually enhance resilience – or just increase bureaucracy?
Hypothesis: DORA as a Systemic Risk Factor
While DORA is designed to serve systemic resilience, it may in fact push smaller players into financial distress due to the compliance burden. If many small actors are driven out of the market, the result could be increased market concentration – and with it, a new systemic risk.
Thesis:
If DORA’s obligations create structural disadvantages, it may not promote resilience, but instead lead to monopolization in the long run.
Worst-Case Scenario: Who Could Be Affected?
Note: These are hypothetical examples, not accusations or forecasts. Data is based on publicly available sources (e.g., balance sheets, industry estimates, and business models).
Banks with Critical Balance Sheets
Institution (anonymized) | Estimated Balance Sheet | Risk of 10M € Fine |
---|---|---|
Regional Cooperative Bank | 30–80 million € | existential threat |
Municipal Savings Bank | 200–300 million € | high risk, limited reserves |
Local Commercial Bank | <1 billion € | significant loss, reputational risk |
Insurers with Narrow Margins
Insurer (anonymized) | Estimated Premium Volume | Comment |
---|---|---|
Specialty Insurer (Travel/Risk) | <400 million € | pandemic exposure, low diversification |
Legacy Life Insurer | <1 billion € | low new business, high administrative cost |
Critical Infrastructure & IT Firms
Company Type | Sector | Comment |
---|---|---|
Regional Water Supplier | Utilities | budget-constrained, few free reserves |
Public Hospital Group | Healthcare | partly government-funded, high investment needs |
IT Services for Savings Banks | Financial IT | dependent on municipal customers |
SAP-Centric IT Consultancy (<100 staff) | IT Services | limited capital, talent shortages |
Conclusion: The number of potentially vulnerable organizations is higher than assumed – especially among SMEs where liquidity is tight and compliance cannot easily scale.
The Cost of Resilience
Direct Costs:
- Staffing for DORA compliance (legal, IT risk managers)
- Tooling: GRC, SIEM, automated reporting
- Contract negotiations and third-party monitoring
Indirect Costs:
- Project delays in digitization
- Outsourcing limited to certified partners
- Liability exposure for management and IT
Question: Are these costs proportional for firms with <100 employees?
Criticism: Is DORA Hitting the Wrong Targets?
While large corporations (e.g., Allianz, Deutsche Bank, Generali) operate entire compliance departments, smaller firms struggle to fill open roles. DORA applies the same pressure to all.
Potential Effects:
- FinTechs withdrawing from the EU
- Decline in regional IT service availability
- Consolidation in the critical infrastructure sector
- Compliance burden as a brake on innovation
Example: According to Bitkom, only 19% of FinTech founders would choose Germany again. DORA might accelerate this trend. (Source: Bitkom FinTechs in Germany 2024 – PDF)
Conclusion: More Harm Than Good?
DORA is a well-intentioned regulation with ambitious goals. But as with many regulatory frameworks, the devil is in the detail – and in the ability to scale.
A fine that represents a quarterly risk for large banks could mean a death sentence for smaller market participants.
This is why we need:
- Proportional sanctions
- Funding programs for compliance tooling
- Regulatory sandboxes for startups and SMEs
Only then can DORA deliver real gains in resilience – and avoid becoming a threat to the diversity of Europe’s financial ecosystem.
References
General Sources
- DORA Regulation (EU) 2022/2554 – EUR-Lex
- Delegated Regulation (EU) 2024/1772 – Thresholds
- BaFin – Federal Financial Supervisory Authority (Germany)
- BSI – German Federal Office for Information Security
Banks & Insurers
- List of Largest Banks in Germany – Wikipedia
- List of Largest Insurance Companies in Germany – Wikipedia
- Annual Reports (e.g., Commerzbank, Deutsche Bank, regional Sparkassen)
FinTechs & Financial Service Providers
- Raisin Bank – Company Profile
- Tomorrow Bank – Financials & Criticism
- Scalable Capital – Press Info
- Trade Republic – Press Area
- Solaris SE – BaFin Actions
- Bitkom FinTechs in Germany 2024 – PDF
Critical Infrastructure & Providers
- BSI Critical Infrastructure Sector List
- HHLA – Annual Report
- Gelsenwasser – Financial Statements
- Sana Clinics – Company Profile
IT Service Providers
- DATEV eG – Company Info
- Atruvia AG – Annual Report
- Finanz Informatik – Sparkassen IT Report
- NTT Data Germany
- T-Systems – Data Center Services