DORA for SMEs: What It Means for Regulated Companies and ICT Third-Party Vendors
Many SMEs in Europe are now affected by the Digital Operational Resilience Act (DORA). Some are directly regulated: small fintechs, payment firms, and fund managers get no size exemption. Many more are affected as ICT third-party vendors, because the requirements arrive through their contracts. This article explains what DORA is, which situation you are in, and how to get ready without a large risk and security team.
- Cybersecurity is not a project you complete but a management discipline you maintain. As your business evolves, your risk exposure changes with it.
- Security metrics alone are not enough. Effective governance requires understanding cybersecurity in terms of business risk, financial exposure, and resilience.
- The organizations with the strongest security posture are not those that spend the most, but those that continuously assess, prioritize, act, and improve.
Understanding DORA
What is DORA and who is concerned?
DORA is a European law with a simple goal: make sure the financial sector can keep running when technology fails, whether the cause is a cyberattack, a system outage, or a problem at a supplier. As an EU regulation it applies directly and in the same way in every Member State. It has applied since 17 January 2025, and regulators are now actively enforcing it.
Importantly, DORA has no general size threshold. A three-person payment startup and a major bank are both in scope. The requirements are scaled to size and risk profile, but no regulated company is exempt simply for being small.
How DORA can impact an SME
There are two main ways DORA may affect your business, and some organizations may fall into both categories.
- You are a financial entity covered by DORA.
- You provide ICT services to a financial entity covered by DORA.
DORA applies directly to a wide range of financial entities, including banks, insurers, many insurance intermediaries, investment firms, fund managers, payment institutions, e-money institutions, crypto-asset service providers, and pension-related entities. If your organization falls within one of these categories, DORA applies regardless of company size.
For most technology providers, DORA has an indirect effect. Financial entities remain responsible for managing ICT risk and ensuring the resilience of outsourced services. To meet these obligations, they must assess their ICT providers and include contractual requirements covering areas such as security, operational resilience, incident management, audit rights, and business continuity. As a result, technology vendors serving the financial sector are often expected to demonstrate many of the same capabilities that regulated firms must maintain.
A small number of ICT providers may be designated by the European Supervisory Authorities as Critical ICT Third-Party Providers (CTPPs). These organizations are subject to direct EU oversight under DORA, in addition to the contractual requirements their financial-sector customers impose.
The good news: DORA is sized to your organization
One reassurance that gets lost in most DORA coverage is that the regulation is designed to be proportionate. Your size, risk profile, and the nature of your activities are considered, so regulators do not expect a 30-person firm to produce the same governance, documentation, and controls as a major bank.
For financial entities, DORA includes proportionality measures. Microenterprises (fewer than 10 employees and an annual turnover and/or balance sheet total not exceeding €2 million) benefit from a lighter regime, and certain other smaller entities may follow a simplified ICT risk management framework.
For ICT providers, the practical effect is similar. While DORA generally applies to your financial-sector customers rather than directly to you, those customers are expected to assess your resilience and risk management practices. In practice, the expectations placed on a small specialist software provider will differ from those placed on a large cloud platform supporting critical financial services.
Proportionate does not mean optional. Whether you are a regulated firm or a technology provider serving one, the goal is to demonstrate that your organization can manage ICT risk and recover from disruption in a way that is appropriate to its size and role.
What DORA Requires, in Plain Terms
The Five Pillars
DORA is organized around five pillars:
- ICT Risk Management – identify, manage, and monitor technology risks through a documented framework.
- ICT Incident Reporting – detect, classify, and report major ICT-related incidents through a formal reporting process.
- Digital Operational Resilience Testing – regularly test whether systems, processes, and recovery plans actually work.
- ICT Third-Party Risk Management – understand and manage the risks created by technology suppliers and outsourced services.
- Information Sharing – participate in threat intelligence and information-sharing arrangements where appropriate.
The common thread is evidence. Regulators and your customers want to see documented risk management, tested controls, and clear accountability. A security control that is not written down, assigned to an owner, or periodically reviewed is difficult to demonstrate, whether the question comes from a customer's due diligence questionnaire or from the regulator.
Cyber Risk Is a Leadership Responsibility
DORA places accountability for ICT risk on the management body and requires senior leadership to oversee operational resilience. Cyber risk is no longer just an IT issue; it is a business risk.
That means cyber risk has to be discussed in business terms. A list of technical vulnerabilities is difficult for leadership to prioritize. What executives can oversee is a short list of realistic scenarios that could materially disrupt the business, the likely operational and financial impact of each, and the actions being taken to reduce that risk.
Putting a financial value on key risks can help create that common language. It gives leadership a practical way to compare risks, prioritize investments, and make informed decisions about resilience.
How to Prepare as an SME or Mid-Market Company Under DORA
Whether DORA applies directly to your organization or reaches you through customer requirements, the starting point is largely the same: understand your risks, document your controls, test your resilience, and keep evidence ready.
1. Identify Your Most Important Risks
Focus on the small number of scenarios that could seriously disrupt your business: ransomware, a significant data breach, loss of a key supplier, or a prolonged outage. Understanding the operational and financial impact of these events helps you prioritize improvements and demonstrate a risk-based approach.
2. Build a Governance Foundation
A small organization can meet this expectation without significant administrative overhead. What matters is clear ownership, documented processes, and a consistent approach to risk decisions.
For most SMEs, that starts with a small set of core documents:
- A cyber risk management policy
- An incident response plan
- A business continuity plan (BCP)
- A disaster recovery plan (DRP)
- Clearly defined roles and responsibilities
These are not just compliance documents. Together they define who makes decisions, how incidents are handled, how critical services are restored, and how risk is monitored over time. And this starts at the top: leadership should understand the organization's most significant cyber risks, review them regularly, and ensure that controls and recovery capabilities remain appropriate as the business changes.
3. Validate Recovery Capabilities
Many organizations assume recovery will work because backups exist. Unfortunately, a backup that has never been tested is an assumption, not a recovery capability.
Regularly test the processes defined in your business continuity and disaster recovery plans. Restore systems, measure recovery times, verify that critical data can be recovered, and document any gaps that emerge.
This serves two purposes. First, it improves resilience by identifying weaknesses before an incident occurs. Second, it provides evidence that recovery capabilities are more than a theoretical plan on paper.
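The recovery test described above can be scripted so that every run produces the same kind of evidence. The following is an added example, not code from the original article or from any DORA guidance: it builds a constructed sample dataset, backs it up to a tar archive with a SHA-256 manifest, restores the archive into a scratch directory, verifies every restored file against the manifest, times the restore against a recovery time objective (RTO), and returns a record you can attach to a DR test log. The file names, contents and the 30-second RTO are assumptions chosen for the demonstration; it also shows what the record looks like when the backup itself is silently corrupted.

```python
"""Scripted restore drill: restore, verify against a checksum manifest, time against an RTO.

Added example on constructed data. File names, contents and the RTO are assumptions.
"""
import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample data standing in for a small production dataset (assumption).
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,Alice\n2,Bob\n",
    "config/app.yaml": b"db_host: db.internal\nlog_level: info\n",
    "docs/runbook.md": b"# Restore runbook\n1. Extract archive\n2. Verify checksums\n",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_sample_data(root: Path) -> None:
    for rel, content in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def make_backup(src: Path, archive: Path, tamper: Optional[str] = None) -> Dict[str, str]:
    """Archive `src` and return a manifest {relative path: sha256 of the live file}.

    The manifest is computed from the live files, so it is the reference the restore is
    checked against. `tamper` names one file whose archived copy is deliberately zeroed,
    simulating a backup that looks complete but is silently corrupt.
    """
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = path.relative_to(src).as_posix()
            data = path.read_bytes()
            manifest[rel] = sha256_bytes(data)
            if rel == tamper:
                data = b"\x00" * len(data)  # simulated media corruption
            info = tarfile.TarInfo(name=rel)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return manifest


def _is_safe_member(member: tarfile.TarInfo) -> bool:
    # Refuse absolute paths and parent-directory escapes: a damaged or untrusted
    # archive must never be able to write outside the restore directory.
    name = Path(member.name)
    return not name.is_absolute() and ".." not in name.parts


def restore_and_verify(archive: Path, manifest: Dict[str, str], rto_seconds: float) -> dict:
    """Restore `archive` into a scratch directory, verify every file, time the whole step."""
    started = time.monotonic()
    missing: List[str] = []
    corrupted: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            members = [m for m in tar.getmembers() if _is_safe_member(m)]
            tar.extractall(dest, members=members)
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                missing.append(rel)
            elif sha256_bytes(restored.read_bytes()) != expected:
                corrupted.append(rel)
    elapsed = time.monotonic() - started
    return {
        "files_expected": len(manifest),
        "files_verified": len(manifest) - len(missing) - len(corrupted),
        "missing": missing,
        "corrupted": corrupted,
        "restore_seconds": round(elapsed, 3),
        "rto_seconds": rto_seconds,
        "rto_met": elapsed <= rto_seconds,
        "passed": not missing and not corrupted and elapsed <= rto_seconds,
    }


def run_drill(rto_seconds: float = 30.0, tamper: Optional[str] = None) -> dict:
    """End-to-end drill on the constructed dataset; returns the evidence record."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "live"
        write_sample_data(src)
        archive = Path(work) / "backup.tar.gz"
        manifest = make_backup(src, archive, tamper=tamper)
        return restore_and_verify(archive, manifest, rto_seconds)


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))                              # healthy backup
    print(json.dumps(run_drill(tamper="db/customers.csv"), indent=2))     # corrupt backup
```

Two design points matter for a real drill. The manifest is taken from the live system at backup time, not from the archive, so a backup that was written corrupt is caught rather than "verified" against itself. And the archive is never trusted on restore: members with absolute paths or `..` components are dropped before extraction, because a restore run with elevated privileges is exactly the moment a tampered archive would do the most damage. Keep the returned records, with the date and the name of the person who ran the drill, as part of the evidence set described in the next step.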
4. Maintain Evidence and Oversight
Good governance is not a one-time exercise. Risks change, systems evolve, suppliers come and go, and controls require ongoing review.
Maintain a current record of your risk assessments, policies, recovery tests, security reviews, incidents, and remediation activities. Whether the request comes from a regulator, a customer, an auditor, or a cyber insurer, the ability to demonstrate what you have done is often as important as the controls themselves.
Organizations that review their cyber risk posture regularly are typically better positioned to identify emerging threats, justify security investments, respond to customer due diligence requests, and demonstrate operational resilience when it matters most.
Compliance Is the Starting Point, Not the Goal
Many organizations approach DORA as a compliance exercise. In reality, compliance is often the by-product of good risk management.
The businesses that benefit most are the ones that maintain an ongoing view of their cyber risk landscape rather than treating risk assessments as a once-a-year activity. New suppliers are added, systems change, vulnerabilities emerge, and attackers adapt. Without regular visibility, today's controls can quickly become tomorrow's gaps.
A structured cyber risk management process helps organizations:
- Identify emerging threats and exposures
- Understand changes in their attack surface
- Prioritize investments based on risk
- Demonstrate resilience to customers and partners
- Provide evidence for audits and due diligence
- Support cyber insurance applications and renewals
When governance, risk assessment, and evidence collection become part of normal operations, compliance becomes significantly easier. Instead of scrambling to answer questionnaires or prepare for audits, the information already exists because the organization is actively managing risk.
C-Trust Helps You Prepare for DORA
Most SMEs do not have a large risk and security team to run all of this, and they do not need one. This is where C-Trust comes in.
C-Trust pairs a platform with a dedicated analyst who takes the time to understand your IT environment and your business. When you understand your risk in objective, financial terms, you can make better business decisions, including knowing when you can take on more risk to grow, because you can see what it actually costs and whether it is worth it.