Effective as of 17 January 2025, the EU’s Digital Operational Resilience Act (DORA) requires financial entities and their third-party IT providers to ensure they can withstand and respond to cyberattacks and other digital disruptions. Incident reporting, operational resilience testing, and harmonised ICT risk management are now mandated across the EU financial sector.
For banks, this represents a major shift in how operational resilience is assessed and governed. Resilience is no longer viewed solely through the lens of a bank’s own systems and controls, but across the broader ecosystem of vendors and technology providers that support financial services.
Building on a platform of ISO 27001 compliance, XMLdation is fully aligned with DORA requirements. In this blog post, we explore why DORA matters for banks and vendors and the practical benefits this brings for clients.
DORA was introduced in response to the growing systemic importance of digital infrastructure within financial services. As banks have become increasingly dependent on external technology providers, cloud services, and specialist vendors, regulators have recognised that operational resilience can no longer be managed in isolation.
Historically, approaches to ICT risk and third-party oversight differed across European markets, but DORA creates a harmonised framework across the EU – establishing common expectations around security, governance, incident management, operational testing, and third-party risk management.
For banks, this means they must be able to demonstrate not only that their own systems are resilient, but also that the vendors supporting critical operations meet appropriate operational and security standards. This shift also has important implications for vendors themselves – including those not directly regulated under DORA. Increasingly, banks expect their providers to demonstrate mature security frameworks, clear governance structures, business continuity capabilities, and transparent operational processes.
Banks have taken different approaches to assessing XMLdation under DORA. Although XMLdation is not formally categorised as a critical ICT provider under the regulation, some institutions have nevertheless assessed the company against critical-provider-style requirements, requesting detailed evidence of its operational resilience and security controls. Others have focused on strengthening contractual provisions around areas such as incident management, business continuity, supervisory cooperation, and security governance, while some have incorporated XMLdation into broader vendor-risk assessments covering certifications, data governance, and data location.
In response, XMLdation has built on its existing ISO 27001-certified information security management system (ISMS) to support alignment with DORA requirements. XMLdation achieved ISO 27001 certification in December 2022; the standard provides a structured framework for managing information security through ongoing risk assessment, governance, and independently audited controls designed to protect the confidentiality, integrity, and availability of data.
The standard’s emphasis on continuous improvement has also helped prepare XMLdation for the practical realities of DORA compliance. Through annual reassessments, operational reviews, and regular third-party risk evaluations, the company has developed processes covering areas highly relevant to DORA, including incident management, penetration testing, business continuity, and broader security governance.
As a result of these efforts, XMLdation has already undergone DORA-related assessments with several financial institutions, with review processes typically lasting between one and three months depending on the institution’s approach. In at least one case, the company became the first external vendor to receive full DORA compliance approval from a client bank.
For banks, working with a DORA-aligned vendor provides practical benefits beyond regulatory reassurance alone. Most importantly, it simplifies the third-party risk assessment process that they must now conduct across their vendor ecosystems. These reviews are often resource-intensive and require extensive documentation, governance evidence, and operational transparency.
Because XMLdation already maintained structured governance frameworks – and has proactively prepared the information institutions require for DORA-related assessments – onboarding and review processes have become significantly more efficient for clients.
Put simply, XMLdation’s clients can be confident they are working with a vendor that understands the operational resilience expectations shaping Europe’s financial sector and can support banks in demonstrating that resilience to regulators.