Skip to main content
Industry

3 ways Microsoft is helping the financial industry prepare for new DORA regulations

Banks, insurers, investment firms, and other global financial services industry (FSI) firms are realizing breakthrough benefits in leveraging AI and the cloud to advance their businesses. But as the dependence on these critical technologies accelerates, so does the responsibility to ensure that they operate reliably and safely. 

Keeping the financial sector resilient in a fast-changing world is a global challenge, shared by leading firms, government regulators, and technology providers like Microsoft. In fact, it is a tenet of our work in Microsoft Cloud for Financial Services, and is closely aligned with Microsoft’s commitment to making security our top priority in our products and services. 

Since 2020, officials in the European Union (EU) have been working on a new set of sweeping regulations to address the industry’s increasing reliance on technology, and to mitigate the associated risks. DORA—the Digital Operational Resilience Act—took effect on January 16, 2023, and becomes effective on January 17, 2025, impacting virtually every financial firm operating in the EU and the many critical third-party service providers who support them. Microsoft has been actively engaged in working with regulators and financial entities concerning the development of DORA and is now focused on helping customers enable smooth and comprehensive compliance under it. 

What is DORA? 

DORA is a major new EU regulation designed to strengthen the operational resilience of financial services by ensuring that firms maintain strong risk management practices and can withstand and adapt to a wide range of threats and disruptions. The regulation is part of a broader EU strategy to improve the stability and security of the industry and to harmonize requirements across member states. DORA applies to financial services entities operating in the EU, as well as the technology companies who provide third-party services to them that are critical for such entities. 

Under DORA, financial services entities will be required to implement robust cybersecurity incident response plans and promptly report breaches and other cyber incidents and disruptions to authorities. Firms will need to build business continuity plans that let them keep operating in the event of a major disruption, including having exit plans for more serious scenarios. And they will be subject to increased scrutiny by financial supervisory authorities, who will monitor and assess their operational resilience, and take action to ensure compliance if need be. 

DORA also imposes requirements for third-party Information and Communication Technology (ICT) service providers, with a primary (though not exclusive) focus on ICT companies who provide cloud computing products and services that help support key functions. The regulation also creates a new designation of “critical” providers (which likely would include Microsoft) who will be subject to a new oversight framework by the European Supervisory Authorities (ESAs). 

DORA’s impact on financial services customers 

For financial services, DORA will require firms to adhere to many new or enhanced requirements. Among them: 

  • Risk management of Information and Communication Technology (ICT) service providers Financial firms will need to establish a comprehensive management framework for ICT risks, integrated into their overall risk management systems. The framework covers core technology and security considerations including identification, protection, detection, response, and recovery. It also encompasses strategies, policies, procedures, and tools to ensure the security and resilience of systems, information assets, and data.
  • Incident management and reporting
    Firms will be required to put processes in place to detect, manage, and report major ICT-related incidents to authorities on tight timeframes. Incidents such as cybersecurity breaches, service disruptions, and data loss will be evaluated on criteria such as number of clients affected, duration, and economic impact.
  • Operational resilience testing
    DORA will require that digital operational tests, such as threat-led penetration testing (TLPT) and vulnerability assessments, be conducted on critical ICT systems and applications. These tests aim to ensure timely recovery and business continuity in the event of disruptions.
  • Contractual commitments
    DORA mandates specific contractual requirements between ICT service providers and financial services entities. These include requirements regarding audit, business continuity, exit planning, and the use of key subcontractors. Moreover, before entering into contracts with ICT providers, firms must conduct pre-contractual risk assessments, including such considerations as evaluating the provider’s security measures, compliance status, and financial stability.  

How Microsoft is helping customers to comply with DORA  

As a major ICT service provider, Microsoft has established robust internal governance processes to prepare for and comply with all applicable provisions as a critical third-party technology vendor, and we will equally endeavor to support regulated financial institutions in meeting their requirements under DORA. This includes aligning contractual provisions with the mandates of DORA and providing built-in ICT risk management capabilities across a broad range of Microsoft cloud and enterprise product offerings. 

Here are three important ways that we are helping customers meet the challenges of DORA:

  1. To help customers successfully meet their contractual commitments under DORA, we are now working closely to update contract terms as required and applicable by the new regulation. This includes ensuring smooth pre-contractual risk assessments of Microsoft products and services, and fully defining the specific aspects of their obligations that dovetail with our offerings. We are also working with customers for input to update our contracts, as needed, so they remain fit for purpose under the DORA framework.
  2. To help customers manage ICT risks and establish an internal governance and control framework, we provide in our products and services a broad set of built-in ICT risk management capabilities required by DORA. For example, on aspects related to information protection concerns, Microsoft Defender for Cloud performs continuous threat assessment, detection, and response, and Microsoft Secure Score helps assess and improve security posture across workloads. Likewise, for other aspects, such as incident management, resilience testing, and incident information sharing, vital functionality is provided by corresponding Microsoft offerings, including Microsoft Purview, Microsoft 365 Service Health dashboard, and Azure Service Health.
  3. To help customers with incident management, classification, and reporting, our security and compliance offerings provide sophisticated capabilities for supporting incident management requirements, including tools and services for efficient incident detection and investigation, as well ensuring timely incident reporting and response as required. Azure Security Center, for example, ensures timely detection and response, and Microsoft 365 Health dashboard and Microsoft Defender work together to provide a comprehensive approach to incident management, classification, and reporting.  

Why DORA matters to global financial services 

DORA represents a significant step forward in strengthening the operational resilience of the financial services sector. By standardizing how entities manage, report, and work together to minimize ICT risks, DORA aims to protect the financial system from a wide range of threats and disruptions.  

DORA is not simply a new regulatory framework for the EU. Rather, it is an important milestone on the road to broader financial services resilience around the world, fostering an important emphasis on information sharing, transparency, and collective responsibility that promise to unlock the full potential of cloud and AI, while keeping businesses and their customers safer.  

Microsoft’s commitment to helping ensure compliance with DORA 

Microsoft is working intensively with our financial services customers to ensure a smooth and productive pathway to DORA compliance, while also preparing to meet the requirements under DORA that would apply to Microsoft on the basis of our designation as a critical ICT service provider. 

This is only a continuation of the investments we have made for over a decade in working with regulatory agencies to address common needs and challenges, and building products to help financial services firms strengthen cyber resilience in an evolving regulatory environment.  

We see DORA as a natural step forward to advance operational resilience in financial services, and we will continue working with regulators in other jurisdictions such as the United Kingdom, which are implementing measures that harmonize with DORA. 

Business workshop participants in a small group discussion.

Microsoft Cloud for Financial Services

Unlock business value and deepen customer relationships in the era of AI

Learn more 

To learn more about DORA and how Microsoft can help with cyber resilience in financial services, see these resources: