INDUSTRY INSIGHT
recover from ICT-related disruptions, such as cyberattacks or system failures.

DORA applies to a wide range of financial entities, including banks, insurance companies, investment firms, payment institutions, crypto-asset service providers and more. It also extends oversight to critical third-party ICT service providers, such as cloud platforms and software vendors.

The regulation, currently in effect, gives organisations a clear timeline to align their operations with the mandated compliance requirements.

Key requirements

To comply with DORA, financial entities must strengthen their ability to prevent, withstand, recover from and adapt to ICT-related disruptions. The regulation outlines several core requirements that focus on managing digital risk, ensuring operational continuity and safeguarding the financial system’s stability. These requirements are grouped into five main areas:

ICT risk management and governance: DORA requires financial institutions to establish a clear framework for managing technology-related risks. This means identifying all critical IT assets, understanding potential threats and implementing controls to prevent disruptions. Institutions must also maintain up-to-date Business Continuity and Disaster Recovery plans to ensure they can continue operations during a crisis.

Incident reporting: Organisations must be able to quickly detect and respond to significant ICT-related incidents, such as system outages or cyberattacks. When such events occur, they need to be classified and reported to regulators following a specific timeline: an initial alert; interim updates; and a final detailed report. These reports help ensure transparency and allow for sector-wide risk monitoring.

Digital operational resilience testing: To ensure preparedness, companies must regularly test the strength and reliability of their IT systems. This includes running vulnerability assessments, simulations and, for critical services, more advanced threat-led penetration tests. Any weaknesses discovered during testing must be addressed promptly to reduce future risk.

Third-party risk management: DORA places strong emphasis on oversight of external ICT service providers, such as cloud vendors. Organisations are expected to maintain a full list of all providers, assess the risks they pose and include robust clauses in contracts covering security, audit rights and exit strategies. Regular monitoring is essential, especially for services deemed critical or high-risk.

Information sharing: To improve the collective resilience of the financial sector, DORA encourages institutions to join trusted platforms for sharing information about cyberthreats and incidents. This collaboration helps spread awareness of emerging risks and fosters a more coordinated defence across the industry.

How WSO2 supports DORA readiness

DORA establishes a harmonised regulatory framework to strengthen the digital operational resilience of financial entities across the EU. It applies to 20 categories of financial entities and their ICT third-party service providers, ensuring consistent cybersecurity and risk management standards.

The following table categorises ICT service providers under DORA and explains whether the conditions and respective obligations apply to WSO2. It is important to note, however, that WSO2 is not a critical ICT third-party service provider because the nature of our business does not involve the ongoing operation or management of our customers’ ICT systems. Our involvement is limited to providing software that customers deploy and manage on-premises. As such, our role is confined to on-prem deployments and we do not have continuous access to or control over the ICT services of financial entities.

36 www.intelligentfin.tech