DORA takes effect on January 17, 2025 and Swiss companies must act now to ensure compliance and mitigate digital operational risks.
Christoph Buck
What Swiss Companies Need to Know Now
January 17, 2025, is approaching quickly. From that date the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) applies across the EU. The regulation aims to strengthen the digital operational resilience of the financial sector.
For affected Swiss companies, this means finalizing the implementation of the DORA requirements in the coming weeks and critically reviewing the adjustments already made.
Below, we outline the relevant DORA framework and highlight some of the key challenges companies may face during implementation.
What is DORA's Objective?
DORA is an EU-wide regulation that establishes a uniform framework for managing risks related to information and communication technology (ICT) in the financial sector. It was designed to make financial institutions more resilient to IT-related risks such as system failures and cyberattacks.
Key aspects of the regulation include:
- Strict ICT risk management requirements
- Standardized incident and cyberattack reporting procedures
- Regular resilience testing of digital systems
- Monitoring and control of external ICT service providers
Why Are Swiss Companies Affected?
Even though DORA is an EU regulation that applies directly to EU financial institutions, it can also impact Swiss companies.
- Subsidiaries of Swiss financial service providers with EU operations must comply with DORA. If such a subsidiary obtains ICT services from its Swiss parent under an intra-group agreement, the Swiss parent is an ICT third-party service provider to a DORA-regulated entity. Where those services support critical or important functions of the EU subsidiary, the intra-group arrangement must meet DORA's contractual and oversight requirements in the same way as a contract with an external provider.
- Critical ICT services include:
- IT infrastructure providers (e.g., data centers)
- Cloud services (e.g., AWS, Microsoft Azure)
- Cybersecurity services
- Essential software providers (e.g., core banking systems)
- Network service providers
The key factor in determining whether an ICT service is "critical" is whether a failure or disruption of that service would have serious consequences for the continuity of the company's operations, the protection of customer data, or the company's financial soundness.
- Companies subject to DORA must assess their entire supply chain for critical ICT services. This means ensuring that contracts with DORA-relevant suppliers, partners, and subcontractors fully comply with DORA requirements. This prevents cascading risks in the supply chain.
Challenges of Implementing DORA
The upcoming enforcement of DORA presents significant challenges for companies, primarily due to uncertainties in the regulation and its interpretation:
- Vague Requirements: Some aspects of DORA are not clearly defined, such as the criteria for determining which ICT third-party providers will be designated as critical (and thus directly overseen at EU level) and how a company should delineate the ICT services that support its own critical or important functions. This makes it difficult for companies to determine which of their service providers and contracts fall under the strictest requirements.
- Reluctance from Major ICT Providers: Large ICT vendors (e.g., Microsoft, SAP) are uncertain about their own regulatory status and may be hesitant to include DORA-specific clauses in contracts. This makes it challenging for companies to ensure compliance within contractual deadlines.
- Intra-group Agreements: Internal service agreements must be treated like external contracts under DORA. However, the level of detail required for compliance is unclear, leaving companies in limbo as they wait for further regulatory clarifications.
- IT Risk Management Requirements: Beyond third-party risk management, DORA demands strict internal IT risk controls, such as:
- Penetration testing
- Ensuring system resilience
- Disaster recovery strategies
- Comprehensive process documentation
These requirements mean that organizations must align not only their third-party providers but also their own IT systems and processes with DORA standards.
- Regulatory Uncertainty Until After January 2025: The European Supervisory Authorities (EBA, EIOPA and ESMA) will only designate which ICT third-party providers are classified as critical after DORA has taken effect. This creates further uncertainty for companies relying on these providers.
Urgent Actions for Swiss Companies
Swiss companies must navigate the complex interplay between Swiss and EU regulations, requiring a deep understanding of both legal frameworks.
Key areas that require immediate attention:
- Contract Management:
- The DORA obligations sit with the EU-regulated financial entity, so contract adjustments originate there and are passed on to its providers, including Swiss group companies.
- Swiss companies must be ready to respond quickly to DORA-related contract modifications.
- Large ICT providers may delay contract updates, as they await confirmation on whether they will be directly regulated under DORA.
- Internal Coordination:
- Clear responsibilities must be established across departments.
- Implementing DORA requires collaboration between IT, compliance, legal, and management.
- IT Risk Management Compliance:
- Regular penetration testing and resilience checks.
- Developing disaster recovery strategies.
- Detailed process documentation to meet regulatory standards.
- Resource Allocation:
- Many companies lack the personnel and expertise to fully implement DORA requirements.
- Some service providers may be unable or unwilling to comply with DORA, requiring companies to find alternatives.
MMG Management Consulting (Schweiz) AG