DORA will apply to financial institutions including banks, insurance companies and investment firms but will also have substantial implications for IT service providers who count these institutions as customers.
DORA imposes a uniform set of rules for ICT risk management, incident reporting and operational resilience testing for financial institutions as well as for managing the risk posed by third-party ICT providers.
DORA will impose requirements on the contractual arrangements between financial institutions and ICT providers and will set the parameters of an oversight framework for managing these third-party risks.