WSO2 Supports Financial Institutions on the Path to DORA Compliance 

First published on INTELLIGENT fin.tech

In January this year, financial institutions across the EU were faced with a clear mandate under the Digital Operational Resilience Act (DORA): ensure digital resilience, maintain service continuity and strengthen oversight of Information and Communication Technology (ICT) partners. While WSO2’s on-premises products are not classified as ‘Critical ICT Third-Party Service Providers’ under DORA, we recognise our role in powering the operations of regulated entities, and with that role comes shared accountability.

WSO2 is committed to helping customers meet DORA requirements with confidence. Through our secure software delivery lifecycle, resilient architecture, DORA-aligned third-party governance and deployment best practices, we empower financial organisations to strengthen operational continuity and reduce digital risk without compromising agility or innovation. 

DORA explained

DORA is a regulation introduced by the European Union (EU) to strengthen digital operational resilience and ensure service continuity across the financial sector. It establishes a comprehensive framework for managing ICT risks, aiming to ensure financial institutions can withstand, respond to and recover from ICT-related disruptions, such as cyberattacks or system failures. 

DORA applies to a wide range of financial entities, including banks, insurance companies, investment firms, payment institutions, crypto-asset service providers and more. It also extends oversight to critical third-party ICT service providers, such as cloud platforms and software vendors.

The regulation, currently in effect, gives organisations a clear timeline to align their operations with the mandated compliance.

Source: https://www.digital-operational-resilience-act.com/

Key requirements 

To comply with DORA, financial entities must strengthen their ability to prevent, withstand, recover from and adapt to ICT-related disruptions. The regulation outlines several core requirements that focus on managing digital risk, ensuring operational continuity and safeguarding the financial system’s stability. These requirements are grouped into five main areas: 

  • ICT risk management and governance: DORA requires financial institutions to establish a clear framework for managing technology-related risks. This means identifying all critical IT assets, understanding potential threats and implementing controls to prevent disruptions. Institutions must also maintain up-to-date Business Continuity and Disaster Recovery plans to ensure they can continue operations during a crisis.
  • Incident reporting: Organisations must be able to quickly detect and respond to significant ICT-related incidents, such as system outages or cyberattacks. When such events occur, they need to be classified and reported to regulators following a specific timeline: an initial alert; interim updates; and a final detailed report. These reports help ensure transparency and allow for sector-wide risk monitoring.
  • Digital operational resilience testing: To ensure preparedness, companies must regularly test the strength and reliability of their IT systems. This includes running vulnerability assessments, simulations and, for critical services, more advanced threat-led penetration tests. Any weaknesses discovered during testing must be addressed promptly to reduce future risk.
  • Third-party risk management: DORA places strong emphasis on oversight of external ICT service providers, such as cloud vendors. Organisations are expected to maintain a full list of all providers, assess the risks they pose and include robust clauses in contracts covering security, audit rights and exit strategies. Regular monitoring is essential, especially for services deemed critical or high-risk.
  • Information sharing: To improve the collective resilience of the financial sector, DORA encourages institutions to join trusted platforms for sharing information about cyberthreats and incidents. This collaboration helps spread awareness of emerging risks and fosters a more coordinated defence across the industry.

How WSO2 supports DORA readiness 

DORA establishes a harmonised regulatory framework to strengthen the digital operational resilience of financial entities across the EU. It applies to 20 categories of financial entities and their ICT third-party service providers, ensuring consistent cybersecurity and risk management standards.

The following table categorises ICT service providers under DORA and explains whether the conditions and respective obligations apply to WSO2. It is important to note, however, that WSO2 is not a critical ICT third-party service provider because the nature of our business does not involve the ongoing operation or management of our customers’ ICT systems. Our involvement is limited to providing software that customers deploy and manage on-premises. As such, our role is confined to on-prem deployments and we do not have continuous access to or control over the ICT services of financial entities. 

Category of service provider under DORA, with WSO2’s assessment for each:

  • 1. ‘ICT Third-Party Service Provider’
    WSO2 assessment: While we provide ICT services and are subject to the obligation to adopt the contractual commitments of Articles 30.1 and 30.2, we do not fall under either of the other two categories of ICT third-party service providers that are subject to heightened regulatory obligations.
  • 2. ‘ICT Third-Party Service Provider Supporting Critical or Important Functions’
    WSO2 assessment: To the best of our knowledge, our services do not qualify as critical or important functions under DORA, as any potential disruption would not significantly impact the financial performance, operational continuity or regulatory compliance of the financial entities we serve.
  • 3. ‘Critical ICT Third-Party Service Provider’
    WSO2 assessment: We have not been designated as a critical ICT third-party service provider by supervisory authorities.

Financial services customers can sign a DORA addendum with WSO2 addressing the regulatory requirements.

Although WSO2 on-premises products are not classified as ‘Critical ICT Third-Party Service Providers’ under DORA, we acknowledge our role as a service provider to financial institutions and regulated entities. This means that, although we are not directly subject to heightened regulatory scrutiny, we bear shared accountability in supporting our customers’ DORA compliance obligations. 

To align with the expectations of our customers operating in the EU financial sector, WSO2 is committed to the following: 

  • Ensuring third-party compliance 
    WSO2 uses several third-party service providers that process customer-related data, including personally identifiable information (PII). As these platforms indirectly handle regulated customer information, WSO2 ensures that its third-party vendors implement strong data governance and are DORA-aligned in their operational resilience, contractual obligations and audit readiness.
  • Supporting product lifecycle compliance 
    WSO2 maintains a robust product lifecycle management process for its software, encompassing timely delivery of patches, security updates and support services. Our commitment to transparency, availability and service continuity ensures that our customers using WSO2 products can meet DORA’s expectations for ICT risk management and operational resilience.
  • Guidance for DORA-aligned customer deployments 
    To help customers achieve their own compliance goals, WSO2 encourages and supports architecture reviews, deployment best practices and risk assessments aligned with DORA. We work with customers to evaluate the resilience, data handling and operational dependencies of their WSO2-based environments to help them ensure that digital resilience requirements are met at the deployment level. 

Through these practices, WSO2 reinforces its commitment to secure, resilient and trustworthy digital infrastructure, thereby enabling our customers to confidently meet the demands of DORA without unnecessary risk exposure.