DORA Compliance: What M&A Dealmakers Need to Know
As financial firms face increasing cyber threats, the European Union implemented the Digital Operational Resilience Act (DORA). As DORA shifts cybersecurity expectations, affected financial firms must integrate its standards to maintain resilience and compliance.
The European Union’s Digital Operational Resilience Act (DORA) — which came into effect on January 16, 2023 and applies beginning January 17, 2025 — is a bold step forward in strengthening cybersecurity in the financial sector. This regulation aims to ensure increased protection against cyber threats.
DORA requires financial institutions to increase their ability to prevent, respond to and recover from cybersecurity threats. By emphasizing uniform security requirements, DORA establishes a new benchmark for operational resilience that aligns more effectively with the realities of today’s global cyber threat landscape.
DORA introduces new layers of complexity for affected E.U. financial institutions and transactions. Firms engaged in deals — whether as buyers, sellers or intermediaries — must adapt to its requirements. Mergers and acquisitions (M&A) dealmakers must now adopt an even more thorough due diligence process, focusing on assessing digital operations and cybersecurity frameworks while identifying potential gaps against DORA's standards. To comply with DORA’s requirements, firms may also need to maintain operations or data centers within the E.U., which will affect cross-border deal strategies, potentially increasing post-deal costs and weighing on valuations.
Who does DORA apply to?
DORA affects a broad range of firms under 21 categories, including:
- Traditional financial institutions such as banks, investment firms and credit institutions
- Non-traditional entities like crypto-asset service providers and crowdfunding platforms
- Third-party information and communication technology (ICT) providers, including cloud service providers, data centers and other ICT suppliers to financial firms
- Information services providers, such as credit rating agencies and data analytics firms
Key DORA requirements
DORA’s requirements are comprehensive and span four critical categories:
ICT risk management and governance
The act requires firms to establish policies for identity and access management, patch management, extended detection and response protocols and security information and event management (SIEM) systems.
Incident response and reporting
Firms must implement systems for monitoring, managing, logging and reporting ICT incidents. Clear communication channels are required for reporting to regulators, clients and partners.
Digital operational resilience testing
DORA mandates annual vulnerability and scenario-based testing, as well as threat-led penetration testing (TLPT) every three years for both institutions and their ICT providers.
Third-party risk management
Vendor contracts must include provisions for exit strategies, audits and performance targets to address accessibility, integrity and security.
What are the risks of non-compliance?
Non-compliance with DORA can result in significant consequences for affected financial institutions and their third-party providers. Consequences can include:
- Financial penalties: Fines can reach up to 2% of annual global turnover or 1% of average daily turnover. Individuals can be fined up to €1,000,000. Third-party service providers can incur fines up to €5,000,000.
- Operational limitations: Regulatory authorities may impose restrictions or temporarily suspend non-compliant business activities until corrective actions are confirmed complete.
- Impact on reputation: Public reprimands for non-compliance by regulators can damage an institution’s reputation and erode customer trust.
- Legal risks: Institutions and their leadership, potentially including senior executives and board members, may face lawsuits or regulatory investigations.
These penalties highlight the importance of proactively preparing for and complying with DORA to ensure operational resilience and avoid costly sanctions. Firms must act now to meet these stringent requirements — and working with reliable, experienced third-party ICT providers is vital for success.
SS&C Intralinks: A trusted DORA-compliant partner
DORA represents a significant step toward standardizing cybersecurity resilience across the E.U.’s financial sector. As a trusted ICT provider, SS&C Intralinks is fully committed to helping institutions achieve and maintain compliance with these new regulations.