DORA Explained: What Dutch Businesses Need to Know About Digital Operational Resilience
What DORA means for Dutch financial institutions and ICT providers: scope, ICT risk management, incident reporting, third-party requirements, supervision by DNB and AFM, and potential fines.

Intro
Since 17 January 2025, new EU-wide rules on digital operational resilience have officially applied across the financial sector. Under DORA, banks, payment institutions, fintechs, insurers and other financial entities must prove that their systems can withstand cyberattacks, technical failures and disruptions involving external IT suppliers. For many businesses, this goes far beyond cybersecurity alone. DORA introduces new expectations around governance, vendor management, incident reporting and board-level accountability.
The impact also extends well beyond traditional financial institutions. Software companies, cloud providers and ICT vendors serving regulated financial businesses may also be affected. A Dutch SaaS company providing infrastructure or software to a bank or payment provider can quickly find itself drawn into DORA requirements, even without holding a financial license itself. Understanding the regulatory environment is therefore more important than ever when starting a financial services or fintech company in the Netherlands.
For Dutch businesses, digital operational risk is no longer just an IT concern. Directors and management teams of a Dutch BV are expected to demonstrate that risks are actively managed, critical suppliers are monitored and incidents are escalated properly. That requires not only technical controls, but also governance structures, internal procedures and clear documentation.
What Is DORA and Why Was It Introduced?
DORA stands for the Digital Operational Resilience Act, officially Regulation (EU) 2022/2554. The regulation was published in December 2022, entered into force in January 2023 and became fully applicable on 17 January 2025. Its core objective is straightforward: financial institutions must be able to prevent, withstand and recover from digital disruptions without causing instability in the financial system.
The regulation emerged because the European approach to ICT risk had become fragmented. Different member states imposed different cybersecurity, outsourcing and operational continuity requirements, creating inconsistent standards across the EU. At the same time, financial institutions became increasingly dependent on a small number of cloud providers, software vendors and external ICT suppliers. A disruption at a single provider suddenly had the potential to affect hundreds of regulated entities simultaneously.
DORA creates one unified European framework for digital operational resilience. Unlike a directive, DORA is a regulation, meaning it applies directly across all EU member states without requiring separate national implementation. There is therefore no separate "Dutch version" of DORA. The EU regulation itself forms the legal framework.
In the Netherlands, additional legislation mainly focused on assigning supervisory authority. The Dutch Central Bank (DNB) and the Authority for the Financial Markets (AFM) are the primary regulators responsible for enforcement.
Does DORA Apply to Your Dutch Business?
Many founders assume DORA only matters for large banks. In reality, the scope is significantly broader. The regulation applies to thousands of financial entities across Europe, including:
banks
payment institutions
e-money institutions
insurers
pension funds
investment firms
crypto-asset providers under MiCA
fund managers
trading platforms
For Dutch fintechs, one of the most important aspects is DORA's impact on ICT providers. Companies supplying software, cloud infrastructure, cybersecurity services, analytics platforms or managed IT solutions to regulated financial institutions may also face DORA-related obligations. If you have already registered your KvK number as a technology company serving financial clients, reviewing your DORA exposure should be an early priority.
This often surprises Dutch SaaS businesses. A software provider with no financial license may still encounter:
contractual DORA obligations from customers
audit rights for financial institutions
stricter security requirements
mandatory incident escalation procedures
enhanced supplier management obligations
Smaller businesses do benefit from certain proportionality measures. Micro-enterprises with fewer than ten employees and less than 2 million euros in turnover face lighter obligations in some areas. However, the core requirements around ICT risk management still apply.
In the Netherlands, supervision is primarily divided between:
DNB for banks, insurers and pension funds
AFM for investment firms, crypto providers and capital markets activities
joint supervisory structures for certain payment and ICT activities
How DORA Supervision Works in the Netherlands
The Dutch implementation act entered into force alongside DORA on 17 January 2025. This formally granted DNB and AFM the authority to supervise compliance. Both regulators had already spent several years preparing the market. From 2023 onwards they published guidance, held consultations and actively engaged with financial institutions about implementation readiness. Much of 2025 focused on transition support and identifying operational gaps.
Since 2026, the focus has shifted more clearly toward enforcement. Regulators are paying particular attention to:
governance and board accountability
incident reporting timelines
ICT risk management quality
completeness of third-party registers
concentration risk involving cloud providers
For many Dutch businesses, DORA does not replace existing obligations. The framework sits alongside existing requirements under the Dutch Financial Supervision Act (Wft), NIS2 and sector-specific regulations. Companies therefore needed to assess existing compliance frameworks against DORA's far more detailed operational requirements.
The Five Core Pillars of DORA
DORA is built around five core areas: ICT risk management, incident management and reporting, digital resilience testing, third-party ICT risk management, and information sharing on cyber threats.
One principle runs through all five pillars: management remains ultimately responsible for digital operational resilience. Responsibility cannot simply be delegated entirely to IT teams or external providers. For many Dutch fintechs and scale-ups, this represents a major shift. Cybersecurity can no longer be treated purely as an operational IT matter. DORA requires formal governance, documented controls and active board involvement.
ICT Risk Management Under DORA
The first pillar of DORA requires companies to establish a comprehensive ICT risk management framework. That framework must cover continuous monitoring of systems and digital assets, operational dependencies, and vulnerabilities and threats, together with escalation procedures, business continuity and recovery capabilities.
In practice, organizations need a continuously updated overview of:
applications
cloud environments
databases
ICT suppliers
critical business processes
system dependencies
Companies must also maintain documented procedures for incident detection, escalation, crisis management, business continuity and disaster recovery. Policies alone are not enough. Dutch regulators increasingly focus on operational effectiveness. A business continuity plan that has never been tested is unlikely to satisfy supervisory expectations. The management body must formally review and approve the framework at least annually. For DGA directors, this governance accountability is directly comparable to the personal liability principles that apply in other areas of holding and operating BV management.
DORA Incident Reporting Deadlines
DORA introduces strict reporting obligations for major ICT incidents. Not every disruption must be reported immediately, but companies must implement formal classification systems to determine when an incident qualifies as major.
The assessment considers factors such as number of affected customers, duration of the disruption, geographical impact, data loss, financial damage, reputational consequences and impact on the financial system.
Once an incident is classified as major, strict deadlines apply.
| Obligation | Deadline |
|---|---|
| Initial notification | Within 4 hours after classification |
| Intermediate report | Within 72 hours |
| Final report | Within 1 month after resolution |
For many organizations, the four-hour requirement is particularly demanding. It requires clear internal escalation procedures, predefined responsibilities, tested incident playbooks and immediate access to compliance and legal teams. Where personal data is involved, GDPR reporting obligations may also apply simultaneously. In practice, DORA and privacy-related incident workflows often overlap.
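The classification-then-deadline workflow described above is easy to get wrong under pressure, so it helps to encode it. The following is an added example written for this article, not code from the article's author or from any regulator: it triages an incident against the kinds of factors listed above (affected clients, duration, geographical spread, data loss, financial damage, critical services) and derives the reporting deadlines from the table. The thresholds, the `IncidentFacts` fields, the decision rule in `is_major` and the choice to start the 72-hour window at the initial notification are all constructed assumptions for illustration; the binding thresholds come from the DORA technical standards.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class IncidentFacts:
    """Facts gathered during triage. Field names are this example's own."""
    affected_clients: int
    total_clients: int
    duration_hours: float
    countries_affected: int
    data_loss: bool
    estimated_cost_eur: float
    critical_service_impacted: bool

# Constructed illustrative thresholds (assumption): the real classification
# thresholds are set in the DORA technical standards, not here.
CLIENT_SHARE_THRESHOLD = 0.10
DURATION_HOURS_THRESHOLD = 24
COUNTRIES_THRESHOLD = 2
COST_EUR_THRESHOLD = 100_000

def criteria_met(f: IncidentFacts) -> list:
    """Return the names of the classification criteria this incident triggers."""
    hits = []
    if f.total_clients and f.affected_clients / f.total_clients >= CLIENT_SHARE_THRESHOLD:
        hits.append("clients_affected")
    if f.duration_hours >= DURATION_HOURS_THRESHOLD:
        hits.append("duration")
    if f.countries_affected >= COUNTRIES_THRESHOLD:
        hits.append("geographical_spread")
    if f.data_loss:
        hits.append("data_loss")
    if f.estimated_cost_eur >= COST_EUR_THRESHOLD:
        hits.append("economic_impact")
    if f.critical_service_impacted:
        hits.append("critical_service")
    return hits

def is_major(f: IncidentFacts) -> bool:
    """Constructed decision rule (assumption): major when a critical service is hit
    together with any other criterion, or when two or more other criteria fire."""
    hits = criteria_met(f)
    others = [h for h in hits if h != "critical_service"]
    if "critical_service" in hits:
        return len(others) >= 1
    return len(others) >= 2

def _add_one_month(moment: datetime) -> datetime:
    """Calendar-month arithmetic for the 'within 1 month after resolution' deadline."""
    year, month = (moment.year + 1, 1) if moment.month == 12 else (moment.year, moment.month + 1)
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)

def reporting_deadlines(classified_at: datetime,
                        initial_submitted_at: Optional[datetime] = None,
                        resolved_at: Optional[datetime] = None) -> dict:
    """Deadlines from the table: 4 hours after classification, 72 hours for the
    intermediate report, one month after resolution for the final report."""
    initial_due = classified_at + timedelta(hours=4)
    # Assumption: the 72-hour window starts when the initial notification was sent;
    # until it is sent, plan against the initial deadline itself.
    intermediate_due = (initial_submitted_at or initial_due) + timedelta(hours=72)
    deadlines = {"initial_notification": initial_due, "intermediate_report": intermediate_due}
    if resolved_at is not None:
        deadlines["final_report"] = _add_one_month(resolved_at)
    return deadlines

def past_due(deadlines: dict, now: datetime) -> list:
    """Obligations whose deadline has passed as of `now` (i.e. still unsubmitted)."""
    return sorted(name for name, due in deadlines.items() if now > due)

# Constructed sample incident and timeline used by demo() and the checks below.
SAMPLE_INCIDENT = IncidentFacts(affected_clients=12_000, total_clients=100_000,
                                duration_hours=30, countries_affected=2, data_loss=True,
                                estimated_cost_eur=250_000, critical_service_impacted=True)
MINOR_INCIDENT = IncidentFacts(affected_clients=50, total_clients=100_000,
                               duration_hours=1, countries_affected=1, data_loss=False,
                               estimated_cost_eur=1_000, critical_service_impacted=False)
SAMPLE_CLASSIFIED_AT = datetime(2025, 3, 3, 9, 30, tzinfo=timezone.utc)
SAMPLE_RESOLVED_AT = datetime(2025, 3, 5, 18, 0, tzinfo=timezone.utc)

def demo() -> dict:
    """Run the workflow on the constructed sample and return the results as plain values."""
    deadlines = reporting_deadlines(SAMPLE_CLASSIFIED_AT, resolved_at=SAMPLE_RESOLVED_AT)
    return {
        "major": is_major(SAMPLE_INCIDENT),
        "criteria": criteria_met(SAMPLE_INCIDENT),
        "deadlines": {name: due.isoformat() for name, due in deadlines.items()},
        "past_due_at_resolution": past_due(deadlines, SAMPLE_RESOLVED_AT),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the classification record (which criteria fired, who decided, when) is itself evidence the supervisor will ask for, so storing the output of `criteria_met` alongside the timestamps is as important as meeting the four-hour deadline.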
DORA Testing and TIBER-NL
DORA requires businesses to actively test their operational resilience. Compliance is not limited to documentation. Organizations must demonstrate real operational readiness.
All in-scope entities are expected to conduct:
vulnerability assessments
penetration testing
security reviews
remediation exercises
Larger or systemically important institutions face more advanced obligations through Threat-Led Penetration Testing (TLPT). These exercises simulate realistic cyberattacks against production environments. In the Netherlands, this is implemented through TIBER-NL, the Dutch framework based on the ECB's TIBER-EU methodology. DNB plays a central coordinating role.
TLPT goes far beyond standard penetration testing. The objective is not only to identify technical weaknesses, but to assess whether an organization can actually detect, contain and recover from sophisticated attacks.
Third-Party Risk and Cloud Providers
For many companies, the most significant part of DORA involves third-party ICT risk management. Financial institutions must maintain a complete overview of all ICT suppliers and dependencies through the mandatory Register of Information (ROI).
The register includes:
suppliers
type of services provided
critical dependencies
contractual structures
subcontracting arrangements
exit capabilities
DORA also imposes strict contractual requirements for ICT providers. Contracts must typically address:
audit rights
incident reporting obligations
service level agreements
exit strategies
subcontractor transparency
termination rights
For Dutch SaaS and cloud companies, this increasingly means renegotiating customer agreements to satisfy DORA requirements.
The 19 Critical ICT Providers Under DORA
In 2025, European regulators published the first list of Critical ICT Third-Party Providers (CTPPs), including AWS, Microsoft Azure, Google Cloud, Oracle, SAP, IBM, Accenture and Capgemini. These providers now fall under direct European supervisory oversight.
For financial institutions, this significantly increases attention on concentration risk. Heavy reliance on a single cloud provider for multiple critical functions creates systemic vulnerabilities. DORA therefore requires firms to:
identify concentration risk
assess dependency exposure
maintain realistic exit strategies
document fallback arrangements
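A Register of Information is only useful for concentration risk if someone actually queries it. The following is an added example written for this article, not code from the article's author, from a regulator or from any provider: it models a simplified register and runs the three checks the two sections above call for, namely which providers support more critical functions than a chosen tolerance, which critical services have no substitute and no tested exit plan, and which subcontractor sits behind several providers at once (a hidden concentration the register's subcontracting field is meant to expose). The `RegisterEntry` fields, the sample provider names and the tolerance of two critical functions per provider are constructed assumptions, not DORA's register template.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class RegisterEntry:
    """One line of a simplified Register of Information. Field names are this example's own."""
    provider: str
    service: str
    function: str               # business function the service supports
    critical: bool              # supports a critical or important function
    substitutable: bool         # another provider could take over in acceptable time
    exit_plan_tested: bool      # the exit strategy has been exercised, not just written
    subcontractors: tuple = ()  # material subcontractors disclosed by the provider

# Constructed sample register; provider names are fictitious.
SAMPLE_REGISTER = [
    RegisterEntry("CloudOne", "IaaS hosting", "payment processing", True, False, False, ("DataCentreX",)),
    RegisterEntry("CloudOne", "managed database", "customer ledger", True, False, True, ("DataCentreX",)),
    RegisterEntry("CloudOne", "object storage", "regulatory reporting", True, True, True),
    RegisterEntry("CloudOne", "email relay", "marketing", False, True, False),
    RegisterEntry("KycVendor", "identity verification", "onboarding", True, True, True, ("DataCentreX",)),
    RegisterEntry("HRSoft", "payroll SaaS", "payroll", False, True, False),
]

def critical_functions_by_provider(register) -> dict:
    """Map each provider to the sorted critical functions it supports (dependency exposure)."""
    out = defaultdict(set)
    for entry in register:
        if entry.critical:
            out[entry.provider].add(entry.function)
    return {provider: sorted(functions) for provider, functions in out.items()}

def concentration_findings(register, max_critical_per_provider: int = 2) -> list:
    """Return findings a risk team would want to see before the annual framework review."""
    findings = []

    # 1. Concentration: one provider behind more critical functions than we tolerate.
    for provider, functions in sorted(critical_functions_by_provider(register).items()):
        if len(functions) > max_critical_per_provider:
            findings.append({"issue": "concentration", "provider": provider, "functions": functions})

    # 2. Exit capability: a critical service we cannot substitute and have never practised leaving.
    for entry in register:
        if entry.critical and not entry.substitutable and not entry.exit_plan_tested:
            findings.append({"issue": "untested_exit", "provider": entry.provider,
                             "function": entry.function})

    # 3. Hidden concentration: the same subcontractor underneath several providers' critical services.
    sub_to_providers = defaultdict(set)
    for entry in register:
        if entry.critical:
            for sub in entry.subcontractors:
                sub_to_providers[sub].add(entry.provider)
    for sub, providers in sorted(sub_to_providers.items()):
        if len(providers) > 1:
            findings.append({"issue": "shared_subcontractor", "subcontractor": sub,
                             "providers": sorted(providers)})
    return findings

if __name__ == "__main__":
    for finding in concentration_findings(SAMPLE_REGISTER):
        print(finding)
```

The third check is the one most often missed: two providers that look independent on paper can share a data centre or platform subcontractor, so the register must capture subcontracting chains, not just the contracting party.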
DORA vs GDPR and NIS2
Many Dutch businesses now face overlapping obligations under DORA, GDPR and NIS2. While these frameworks overlap in some areas, they serve different purposes.
GDPR primarily focuses on personal data protection and data breach reporting.
NIS2 addresses broader cybersecurity obligations across essential and important sectors.
DORA specifically targets digital operational resilience within the financial sector, including governance, resilience testing and ICT supplier management.
In practice, a single cyber incident may trigger:
DORA reporting obligations to DNB or AFM
GDPR reporting to the Dutch Data Protection Authority
NIS2 obligations
customer and contractual notifications
As a result, many organizations are now building integrated incident response frameworks.
What Dutch Businesses Should Do Now
For many companies, DORA is no longer a future compliance project. It is an active operational requirement.
Current priorities include:
determining whether DORA applies
mapping ICT assets and suppliers
reviewing contracts
testing incident procedures
documenting governance structures
planning resilience testing
assessing concentration risk
building supplier registers
improving board-level documentation
Smaller fintechs often underestimate the level of governance and evidence DORA requires. In practice, many compliance issues arise not because security controls are missing, but because procedures, documentation and audit trails are incomplete.
Financial Administration for Regulated Businesses
Financial businesses face growing obligations around administration, auditability and compliance. From VAT filings and payroll to operational documentation and regulatory reporting, the administrative burden continues to increase. Understanding the difference between an accountant and a bookkeeper becomes especially relevant as compliance obligations grow.
Neno combines AI-driven bookkeeping automation with certified accountants who understand Dutch compliance requirements. This helps regulated businesses keep their administration organized, scalable and audit-ready as they grow. From the moment you incorporate your BV with us, your financial foundations are properly structured from day one.
Book a demo and see how bookkeeping, payroll and tax come together in one integrated system built for growing Dutch businesses.
Frequently Asked Questions About DORA
What exactly is DORA?
DORA is the EU Digital Operational Resilience Act, a regulation requiring financial institutions to manage and document digital operational resilience in a structured way.
Since when has DORA applied?
DORA became fully applicable across the EU on 17 January 2025.
Does DORA apply to fintechs?
Yes. Payment institutions, e-money institutions and many crypto providers fall directly within scope. Technology suppliers serving financial institutions may also be indirectly affected.
Who supervises DORA in the Netherlands?
DNB and AFM are the primary Dutch supervisory authorities responsible for DORA enforcement.
What is the Register of Information?
It is the mandatory register containing all ICT suppliers and third-party dependencies of a financial institution.
What are the main DORA requirements?
The key obligations relate to ICT risk management, incident reporting, resilience testing, third-party risk management and governance.
How quickly must a major incident be reported?
The initial notification must generally be submitted within four hours after classification.
What happens if a company is not compliant?
DORA includes potentially significant fines and enforcement measures. Non-compliance can also create licensing, reputational and liability risks.
Does DORA apply alongside GDPR and NIS2?
Yes. The frameworks coexist and can apply simultaneously to the same incident or organization.
Why is DORA relevant for SaaS businesses?
Because regulated financial institutions increasingly require suppliers to comply with DORA-related contractual, security and audit obligations.

Written by
Nick Knuppe
CEO & Founder
