Using DORA Against Systemic Risks: How Europe Strengthens Its Digital Financial Stability

Digitization has profoundly changed the European financial sector in recent years. Modern financial services are no longer conceivable without information and communication technology (ICT). At the same time, however, dependence on a few, often globally operating technology providers is growing. This development not only offers potential for efficiency but also poses significant systemic risks. This is where the Digital Operational Resilience Act (DORA) comes in. A European legal framework that, for the first time, pursues a comprehensive, cross-sector approach to the digital resilience of the financial market.

This specialist article combines key statements from the BaFin interview (“Using DORA Against Systemic Risks” dated November 18, 2025), essential content from the ESAs’ press release on critical ICT third-party providers, and important further documents from practice and research. Various topics related to digital financial stability, regulatory requirements, and DORA are addressed in the process.

Digital technologies penetrate every facet of the financial sector. Banks, insurers, payment service providers, and investment firms increasingly rely on:

• Cloud computing for AI applications, money laundering prevention, or risk modeling
• Payment platforms
• Core banking systems, which form the operational heart of modern banks
• Telecommunications and infrastructure services, enabling global financial transactions

This development affects the entire industry and underscores the central role that innovation and digitization play in the competitiveness and stability of the financial and insurance industries. Insurance companies, in particular, play a key role in the digital transformation, as they combine regulatory requirements and new technologies.

As Dr. Sibel Kocatepe from BaFin explained in the interview, this development is not surprising: scalability, cost optimization, innovation capability, and security aspects make external ICT services attractive. At the same time, they open access to technologies that would not be economically viable to operate in-house – such as AI or high-performance data centers.

The capital market also benefits from digitization, as modern ICT services increase the efficiency, transparency, and security of capital market transactions, thereby supporting the development of the EU Capital Markets Union.

However, a strong market concentration has developed precisely in this area: A few global players serve large parts of the European financial system. This increases efficiency but also makes the sector more vulnerable.

Despite all the advantages, there is a clear “but”. A few global ICT companies – including large cloud and software providers – dominate the market. Many of them are located outside the European Union. This not only complicates the enforcement of European compliance requirements but also creates dangerous dependencies.

The failure of the provider Crowdstrike in the summer of 2024 made the vulnerability of the digitized financial world visible. While the immediate impact on the financial market was limited, the event was a wake-up call: A technical failure at a system-critical ICT provider can quickly lead to a domino effect that extends far beyond individual institutions. In addition to operational risks, credit risks also play a central role, as they can endanger the stability of the entire financial system in the event of systemic shocks.

Jens Obermöller from BaFin puts it bluntly: The financial market must reckon with real systemic shocks in the future, including the growing threat of cyberattacks. And that is precisely why DORA was created.

DORA aims to holistically strengthen the digital resilience of the European financial market. While financial companies themselves were previously solely responsible for managing their ICT risks, the regulation is now taking a new path:

For the first time, critical ICT third-party providers will be directly supervised at the European level.

This paradigm shift is profound: Supervision expands from a microprudential, company-related approach to a macroprudential, system-wide perspective. New regulations under DORA create a unified regulatory framework that addresses the complexity of European and international laws and makes compliance mandatory for financial companies and their service providers.

In the context of macroprudential supervision, political decisions and policy play a central role, as they significantly influence the development and implementation of regulatory strategies for strengthening financial stability in the EU.

The press release dated November 18, 2025 describes in detail the three-stage process by which the ESAs selected the critical providers:

1. Data Collection

Extensive information was compiled from EU-wide registers on contractual ICT services.

2. Criticality Assessment

In collaboration with national supervisory authorities, the ESAs assessed the providers based on DORA criteria, including:

• Systemic significance
• Affected critical or important functions
• Substitutability
• Extent of dependencies in the financial sector

Hearing and Final Decision

The providers classified as critical were formally notified and could provide input. In this process, the ESAs also made proposals for the classification of providers before the final classification was made after reviewing all considerations.

The press release emphasizes:

The goal is to identify risks before they can destabilize the European financial market.

With the CTPP list, the operational part of DORA supervision begins. The ESAs establish Europe-wide monitoring teams for this purpose. They can:

• request comprehensive information
• conduct on-site inspections
• order technical tests
• examine governance and risk management structures

Particularly noteworthy is the enforceability: In case of insufficient cooperation, fines of up to 1% of the worldwide daily turnover per day can be imposed – up to 180 days. This dimension provides the necessary binding, especially for big tech companies.

Even though critical providers are now supervised, this does not absolve financial companies of their responsibility. DORA significantly increases the requirements for third-party risk management:

• Identification and assessment of all ICT risks
• Management and supervision of outsourcing
• Reduction of internal concentration risks
• Development of robust exit strategies
• Strengthening operational resilience
• Proof of business continuity in an emergency

Financial companies must particularly check whether they themselves are too dependent on a single service provider – regardless of how many other institutions use the same provider. The new requirements serve the interests of customers and strengthen market stability. In addition, qualified advice for financial companies remains a key requirement to meet regulatory guidelines and ensure fair, understandable support for customers.

The financial market thrives on innovations. AI, cloud, automation, and data-driven business models create competitiveness. But they also bring risks that need to be consciously and methodically managed.

DORA ensures that the benefits of modern technologies can be utilized without endangering financial stability – a balancing act that is more important than ever given the increasing cyber threats and global dependencies. Access to the law and compliance with legal requirements are central components to sustainably securing digital financial stability.