DORA 2026: Requirements and Deadlines for Italian SMEs

What is DORA and why should European SMBs care

The Digital Operational Resilience Act (DORA) is one of the most significant pieces of EU financial regulation to emerge in recent years. Officially known as Regulation (EU) 2022/2554, DORA entered into force on January 16, 2023, with its core requirements becoming applicable from January 17, 2025. But the regulatory timeline does not stop there — 2026 brings a fresh wave of technical standards and enforcement milestones that no business operating in the European financial ecosystem can afford to ignore.

While DORA primarily targets banks, insurance companies, and investment firms, its reach extends far beyond the traditional financial sector. If your company provides ICT services to any financial entity in the EU, you are likely in scope. For Italian SMBs — many of which serve as technology vendors, managed service providers, or software suppliers to banks and insurers — DORA compliance is not optional. It is a contractual and regulatory necessity.

According to the Bank of Italy, over 60% of ICT incidents in the financial sector originate from third-party service providers. This statistic alone explains why European regulators decided to bring the entire supply chain under the same resilience umbrella.

Key obligations under DORA for SMBs

DORA is built around five core pillars, each carrying specific obligations that affect how businesses manage their digital operations.

ICT risk management

Every entity in scope must implement a comprehensive ICT risk management framework. This means identifying, classifying, and documenting all ICT-related risks, and establishing clear policies for prevention, detection, and response. For SMBs, this often translates into formalizing processes that may have existed informally — vulnerability management, patch cycles, access controls, and business continuity planning.

The regulation requires companies to assign clear responsibility for ICT risk at the management body level. Board members and senior management cannot delegate this responsibility away: they must understand and actively oversee the digital risk posture of the organization.

Incident reporting

DORA introduces a harmonized incident reporting framework across the EU. Financial entities must classify ICT-related incidents according to specific criteria (including data loss, service downtime, and number of affected clients) and report major incidents to their competent authority within strict timeframes.

For ICT third-party providers, the obligation is indirect but equally pressing. Your financial sector clients will require you to notify them of incidents rapidly so they can meet their own reporting deadlines. Contracts must reflect these requirements, and your incident response processes need to be fast, documented, and tested.

Digital operational resilience testing

Organizations must conduct regular testing of their ICT systems, including vulnerability assessments, network security reviews, and — for larger or systemically important entities — threat-led penetration testing (TLPT). The European Supervisory Authorities published the final Regulatory Technical Standards on TLPT based on the TIBER-EU framework, with full applicability in 2025-2026.

SMBs that fall under proportionality provisions may not need to conduct full TLPT exercises, but basic resilience testing is mandatory. This includes scenario-based testing that simulates realistic cyberattack conditions, not just routine scans.

Third-party risk management

This is where DORA hits Italian SMBs hardest. Financial entities must maintain a detailed register of all ICT third-party arrangements and ensure that contracts with providers include specific clauses on security, audit rights, exit strategies, and subcontracting limitations.

If you are an ICT provider to a bank or an insurance company in Italy, expect your contracts to be renegotiated. DORA mandates that financial entities assess the concentration risk of relying on a single provider and document substitutability plans. The European Supervisory Authorities have designated certain providers as “critical ICT third-party service providers,” subjecting them to direct oversight.

The 2026 timeline: what is coming next

While the main regulation became applicable in January 2025, several implementing and regulatory technical standards have staggered deadlines extending into 2026. Here is what matters most.

Regulatory Technical Standards (RTS) and guidelines

The Joint Committee of the European Supervisory Authorities (EBA, EIOPA, and ESMA) finalized two batches of technical standards. The first batch, covering ICT risk management frameworks and incident classification, was adopted in early 2024. The second batch — addressing threat-led penetration testing, subcontracting policies, and the oversight framework for critical third-party providers — followed in mid-2024, with enforcement timelines reaching into 2025 and 2026.

Throughout 2026, national competent authorities across the EU are expected to intensify supervisory activities, including on-site inspections and requests for evidence of compliance. In Italy, Banca d’Italia, CONSOB, and IVASS will coordinate oversight of financial entities and their provider ecosystems.

The information register deadline

Financial entities must maintain and regularly update a register of information on all contractual arrangements with ICT third-party service providers. This register must follow a standardized template defined by the ESAs. Supervisory authorities can request this register at any time, and periodic reporting obligations are being phased in during 2025-2026.

For SMBs providing ICT services, this means your clients will ask you to supply detailed information about your infrastructure, security measures, data processing locations, and subcontracting chains. Being prepared to provide this information quickly and accurately is a competitive advantage.

Practical steps for Italian SMBs

Compliance with DORA does not require building everything from scratch. Many of its requirements overlap with existing frameworks like ISO 27001, the NIS2 Directive, and GDPR. Here is a practical approach for SMBs.

Conduct a gap analysis. Map your current security posture against DORA’s five pillars. Identify where you already comply (likely through existing GDPR or ISO 27001 controls) and where gaps remain.

Review and update contracts. If you provide ICT services to financial entities, expect contract amendments. Proactively prepare standard clauses covering incident notification, audit rights, and exit strategies.

Formalize incident response. Document your incident detection and reporting procedures. Ensure you can notify affected clients within the timeframes their regulatory obligations demand.

Invest in testing. Move beyond annual vulnerability scans. Implement regular, scenario-based testing of your critical systems and document the results.

Train your leadership. DORA places explicit responsibility on management bodies. Ensure that board members and senior managers understand their obligations and can demonstrate active oversight.

The competitive opportunity behind compliance

DORA compliance is often framed as a burden, but for Italian SMBs in the ICT sector, it represents a genuine market differentiator. Financial institutions across Europe are actively reviewing their supplier base and favoring providers who can demonstrate robust digital resilience. According to a 2024 survey by the European Banking Authority, 73% of financial entities planned to reduce the number of ICT providers they work with, concentrating spending on fewer, more resilient partners.

For SMBs willing to invest in compliance now, the reward is access to a more stable, higher-value client base. Those who delay risk being excluded from procurement processes entirely as financial entities tighten their supply chains throughout 2026 and beyond.

The message is clear: DORA is not just about avoiding penalties. It is about proving that your business is built to withstand the digital threats that define the modern European economy.


Need support on this topic? Contact us for a free consultation — let’s assess your company’s situation together.

Stay updated every week on cybersecurity, AI and technology for SMBs: subscribe to our newsletter.
