EU Digital Operational Resilience Act and Why It Matters for Swiss IT Service Providers
- Reto Zeidler
- May 25
Updated: May 28
The Digital Operational Resilience Act (DORA) establishes a comprehensive regulatory framework for digital operational resilience in the EU financial sector and applies from January 17, 2025. DORA covers virtually all financial entities and extends to their ICT third-party service providers, regardless of where those providers are located. Providers serving EU financial institutions must meet stringent requirements for risk management, incident reporting, resilience testing, and business continuity planning, and non-compliance can be costly: for providers designated as critical, the EU Lead Overseer may impose periodic penalty payments of up to 1% of average daily worldwide turnover, per day, for up to six months, while penalties for financial entities themselves are set by each Member State.
Third Party Risk in Focus
DORA represents a paradigm shift in how the EU regulates operational resilience in the financial sector, with a particular emphasis on third-party risk management. The regulation explicitly brings ICT third-party service providers into scope: undertakings that provide ICT services, meaning digital and data services delivered through information and communication technology systems, on which financial entities depend for their ICT functions [1] [2].
This is significant for Swiss-based IT service providers with EU financial clients. DORA binds the financial entities, but it obliges them to flow its requirements down by contract to every ICT provider they rely on, wherever that provider is located, and providers whose services are critical to the EU financial system can be placed under direct EU oversight. By April 2025, financial entities had to submit their registers of information on all contractual arrangements with ICT third-party providers to their competent authorities, one of the first key compliance deadlines [4].
Under DORA, financial entities must integrate third-party risk management within their broader ICT risk management framework. This requires establishing contractual agreements with ICT service providers that clearly define rights, duties, service terms, and responsibilities, considering the nature, scale, complexity, and importance of ICT dependencies [2].
For Swiss service providers, this means being subject to rigorous due diligence, contractual requirements, and potentially direct oversight if designated as "critical" by the European Supervisory Authorities. Critical ICT providers face additional compliance responsibilities, with the first designations expected by the end of 2025 [2] [7]. Under DORA, a provider designated as critical that is established outside the EU must also set up a subsidiary in the Union within 12 months of designation, a point Swiss providers serving several large EU institutions should plan for early.
Swiss-based service providers with EU financial clients should prepare for DORA proactively rather than wait for client demands. Early adoption demonstrates a commitment to security, provides a competitive advantage, and avoids a rushed implementation that could leave gaps. It also builds trust with EU financial clients, who are themselves under pressure to show that their service providers meet DORA requirements [3] [8].
DORA's Five Main Pillars
ICT Risk Management
Establish comprehensive governance, control frameworks and risk management processes. Map and classify all ICT-supported functions, implement continuous monitoring, and maintain appropriate security standards for data and ICT assets [2] [8].
ICT Incident Management and Reporting
Implement robust detection, management, and notification processes for ICT incidents, and follow the strict reporting timeframes for major incidents: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report [2]. For a service provider this means contractually agreed notification to the client fast enough that the client can still meet its own clocks.
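The reporting clocks above interact in a way that is easy to get wrong: the initial notification is due 4 hours after classification or 24 hours after awareness, whichever comes first, so a slow classification can leave no time at all. The following Python is an added example, not code from the article or from any regulator; it computes the three deadlines from the timestamps an incident record would carry, flags which reports are overdue at a given moment, and uses calendar-month arithmetic with day clamping for the final report (my assumption; the RTS does not define the month that precisely). Timestamps are assumed to be timezone-aware UTC, and the relief the RTS grants for deadlines that fall on weekends or bank holidays is not modelled.

```python
"""Deadline clocks for DORA major-incident reporting (added example).

Deadlines as set in Commission Delegated Regulation (EU) 2025/301:
  initial notification : 4 h after classification as major, but no later
                         than 24 h after the entity became aware
  intermediate report  : 72 h after the initial notification was submitted
  final report         : 1 month after the intermediate report was submitted
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)


@dataclass(frozen=True)
class Deadlines:
    initial: datetime
    intermediate: datetime
    final: datetime


def add_one_month(ts: datetime) -> datetime:
    """Same day one calendar month later; the day is clamped to the target
    month's length (31 Jan -> 28/29 Feb). Assumption: this is how the
    'one month' of the final report is interpreted."""
    year, month = divmod(ts.month, 12)
    year += ts.year
    month += 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def major_incident_deadlines(
    aware_at: datetime,
    classified_at: datetime,
    initial_sent_at: Optional[datetime] = None,
    intermediate_sent_at: Optional[datetime] = None,
) -> Deadlines:
    """Derive the three reporting deadlines. Until a report is actually
    submitted, the next clock is started from the latest permitted time,
    which is the conservative (earliest) assumption."""
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before the entity is aware of it")
    # The 24 h cap from awareness wins if classification was slow.
    initial = min(classified_at + INITIAL_AFTER_CLASSIFICATION,
                  aware_at + INITIAL_AFTER_AWARENESS)
    intermediate = (initial_sent_at or initial) + INTERMEDIATE_AFTER_INITIAL
    final = add_one_month(intermediate_sent_at or intermediate)
    return Deadlines(initial, intermediate, final)


def overdue(deadlines: Deadlines, now: datetime) -> list[str]:
    """Names of the reports whose deadline has already passed at `now`."""
    clocks = (("initial", deadlines.initial),
              ("intermediate", deadlines.intermediate),
              ("final", deadlines.final))
    return [name for name, due in clocks if now > due]


if __name__ == "__main__":
    # Constructed incident: detected at 08:00 UTC, classified as major at 10:00.
    utc = timezone.utc
    aware = datetime(2025, 3, 3, 8, 0, tzinfo=utc)
    classified = datetime(2025, 3, 3, 10, 0, tzinfo=utc)
    d = major_incident_deadlines(aware, classified)
    for name, due in (("initial", d.initial), ("intermediate", d.intermediate), ("final", d.final)):
        print(f"{name:12s} due {due.isoformat()}")
    # Same incident, but classification only happens the next day at 06:00:
    # the 24 h-from-awareness cap (04 Mar 08:00) now sets the initial deadline.
    late = major_incident_deadlines(aware, datetime(2025, 3, 4, 6, 0, tzinfo=utc))
    print("late classification, initial due", late.initial.isoformat())
```

The practical lesson for a provider is the `min(...)` line: the client's 24-hour cap runs from the moment the client became aware, which is often the moment the provider told them, so a provider's own notification SLA has to be measured in hours, not business days.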
Digital Operational Resilience Testing
Conduct regular testing of ICT systems using vulnerability assessments, network security assessments, and scenario-based tests. Financial entities identified by their competent authorities (broadly, the larger and more systemically important ones) must in addition perform threat-led penetration testing (TLPT) at least every three years, under rules aligned with the TIBER-EU framework [2] [7]. Where an ICT third-party provider supports a function in the scope of such a test, the financial entity must ensure that the provider takes part, so Swiss providers should expect to be tested rather than merely asked for attestations.
ICT Third-Party Risk Management
Integrate third-party risk management into the broader ICT risk framework. Establish clear contractual agreements defining rights, duties, and service terms, including the notification, audit, access, and exit provisions DORA requires, proportionate to the nature and importance of the ICT dependency [2].
Information Sharing
Exchange cyber threat information within trusted communities to strengthen digital operational resilience. Ensure information sharing protects business confidentiality and personal data while respecting competition rules [2].
Conclusion
For Swiss IT service providers with EU financial clients, adopting DORA standards offers significant benefits beyond mere compliance. It provides a competitive advantage in a market increasingly focused on operational resilience, demonstrates security maturity to clients, and aligns with global best practices. Proactive DORA implementation helps build trust with EU financial institutions under regulatory pressure and positions Swiss providers as reliable partners in the evolving regulatory landscape. Additionally, the structured approach to security and resilience required by DORA can enhance overall service quality and reduce the risk of costly incidents [3] [7].
