DORA Compliance:
Operational Resilience for ICT Third-Party Risk
How financial institutions can meet their obligations under the Digital Operational Resilience Act — and why legacy escrow arrangements fall short.
Executive Summary
The Digital Operational Resilience Act (DORA), effective January 2025, imposes binding requirements on financial institutions and their ICT third-party service providers across the EU. For firms using critical ICT vendors, DORA mandates comprehensive exit planning, operational continuity testing, and demonstrable resilience. Traditional source code escrow arrangements — designed for IP protection, not operational survival — do not meet these requirements. This paper sets out what DORA requires and how DORAssure addresses those obligations.
What is DORA?
Regulation (EU) 2022/2554, the Digital Operational Resilience Act, entered into force on 16 January 2023 and became applicable on 17 January 2025. It applies to financial entities including credit institutions, investment firms, trading venues and payment institutions. ICT third-party service providers designated as critical are not financial entities themselves; they fall under a separate EU-level oversight framework established by the same regulation.
DORA establishes a unified framework for managing ICT risk across the EU financial sector. Its five pillars are: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing.
For firms relying on third-party technology vendors, particularly for critical or important functions, Article 28 creates specific obligations around exit planning and termination rights, and Article 29 requires an assessment of ICT concentration risk before contracting.
Article 28: The Exit Planning Obligation
Article 28(8) of DORA requires that, for ICT services supporting critical or important functions, financial entities put in place exit strategies that allow them to migrate to another ICT third-party service provider or bring the relevant ICT services in-house. These strategies must be realistic, documented, and tested.
Critically, DORA distinguishes between documented plans and operational readiness. Supervisors (the European Supervisory Authorities and national competent authorities) are empowered to assess whether exit plans are credible, including whether the entity that would take over operations has the capability to assume them within a defined timeframe.
"Exit strategies shall include the conditions enabling the activation of those exit strategies, the timeframe for the planned exit activities and the capacity to operate during transition."
— DORA Article 28(8)
The requirement for demonstrable "capacity to operate during transition" is where most escrow arrangements fail. Holding source code is not the same as having an operational environment, on-call engineering expertise, and a tested deployment pipeline.
Why Legacy Escrow Fails the DORA Test
No operational capacity
Source code escrow releases code. It does not release the build environment, the deployment pipelines, the infrastructure configuration, the operational runbooks, or the engineers who know how the system behaves under load. Without these, an exit plan cannot be executed within the required timeframe, so it is neither credible nor testable in the sense DORA demands.
No tested activation
DORA's testing chapter (Articles 24 to 27) requires digital operational resilience testing; Article 25 lists scenario-based tests among the required tests, and Article 11 requires ICT business continuity plans to be tested at least yearly. A code deposit that has never been compiled and deployed in a controlled drill does not satisfy these requirements.
Recovery timelines are incompatible
Building and staffing an internal capability from a code release typically takes 6 to 12 months. DORA's expectations for critical function continuity, informed by the recovery time and recovery point objectives (RTO/RPO) that firms must set and maintain for those functions, make this untenable.
How DORAssure Addresses DORA Requirements
Pre-trigger knowledge capture
DORAssure works with your vendor pre-trigger to capture architecture, runbooks, and operational knowledge. This supports Article 28's requirement that exit plans be comprehensive, documented and tested, rather than merely written down.
48-hour activation SLA
Our contractually committed 48-hour step-in timeline supports your RTO obligations for critical function continuity — backed by on-call engineering, not a static code deposit.
Quarterly exercises
Full build-and-deploy exercises on a quarterly schedule produce the audit trail and testing evidence that supervisors expect under DORA's resilience testing framework.
Replatforming as post-activation strategy
DORA requires not just activation, but a credible long-term strategy. DORAssure's replatforming deliverable, rebuilding to modern standards with clean IP, provides the post-activation pathway that supervisors expect to see in exit plans.
Ready to demonstrate DORA readiness?
Request a no-obligation assessment of your current exit planning position.