The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), which applies from 17 January 2025, makes explicit a requirement that no previous EU regulation had stated so directly: financial entities must identify, assess, and manage ICT concentration risk, that is, the risk of depending too heavily on a single ICT third-party provider. They must also maintain documented exit strategies for the ICT services that support their critical or important functions.
This is not optional. DORA applies to credit institutions, investment firms, insurance undertakings, payment institutions, crypto-asset service providers, and virtually every other regulated financial entity in the EU. The European Supervisory Authorities (EBA, ESMA, EIOPA) are developing Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) to specify the details.