The Digital Operational Resilience Act (DORA) officially came into effect on January 17, 2025, setting a new standard for cyber resilience, third-party risk management, and operational security across financial institutions in the European Union.
While DORA is an EU regulation, its impact extends far beyond the European Union. Many Swiss financial institutions are now asking:
Does DORA apply to Swiss banks, asset managers, and financial service providers?
Should Swiss institutions align with DORA’s requirements even if they are not directly regulated?
What are the business risks and opportunities of ignoring or adopting DORA’s framework?
In this first installment of our "Prepare for DORA" series, we break down these questions and explore why Swiss financial institutions should pay attention to DORA—whether they are legally required to or not.

1. What is DORA and Why Does It Matter?
DORA is an EU-wide regulatory framework aimed at ensuring financial institutions can withstand, respond to, and recover from cyber threats and ICT-related disruptions. It applies to a wide range of financial entities, including:
Banks
Insurance firms
Investment firms
Payment service providers
Critical third-party ICT providers (e.g., cloud providers, SaaS vendors)
Key Pillars of DORA:
ICT Risk Management – Ensuring strong internal cybersecurity policies and controls.
Third-Party Risk Oversight – Strict requirements for monitoring ICT vendors and service providers.
Incident Reporting – Mandatory reporting of cyber incidents to regulatory authorities.
Resilience Testing – Regular penetration testing and red teaming exercises.
Regulatory Supervision – Ongoing compliance and governance responsibilities for financial institutions.
The goal? To strengthen the operational resilience of financial institutions in an era of increasing cyber threats, ransomware attacks, and supply chain vulnerabilities.
2. Does DORA Apply to Swiss Financial Institutions?
Since Switzerland is not an EU member state, DORA does not automatically apply to Swiss financial institutions. However, there are key scenarios where Swiss organizations may be impacted:
Scenario 1: If Your Institution Has EU Branches or Subsidiaries
If a Swiss bank, asset manager, or financial service provider operates within the EU, it must comply with DORA for its EU-based entities.
Example:
A Swiss private bank has a subsidiary in Frankfurt that serves high-net-worth clients across Germany and France. Since the subsidiary is within the EU’s jurisdiction, it must fully comply with DORA’s cybersecurity, third-party risk management, and incident reporting requirements.
Even though the Swiss headquarters is not directly regulated under DORA, it will likely need to adopt similar cybersecurity standards to maintain consistency and ensure compliance across its entire organization.
Scenario 2: If You Provide Services to EU Clients
Even if a Swiss financial institution is not directly regulated by DORA, it may still need to comply indirectly if it serves EU-based clients.
Example:
A Swiss wealth management firm provides investment advisory services to EU-based institutional clients. While the firm is headquartered in Zurich, its EU clients may require DORA compliance as a contractual condition before engaging in business.
Financial institutions across the EU will want to ensure that their service providers meet the same security and operational resilience standards to avoid regulatory risks. Swiss firms that do not align with DORA may find themselves at a competitive disadvantage when seeking EU clients.
Scenario 3: If You Rely on ICT Vendors Operating Under DORA
DORA also applies to third-party ICT service providers supporting EU financial institutions. If a Swiss financial entity uses cloud providers, cybersecurity services, or SaaS tools that must comply with DORA, those vendors may impose DORA-aligned security requirements on their Swiss clients.
Example:
A Swiss fintech company offers digital payment services and relies on an EU-based cloud provider for its infrastructure. Since the cloud provider is subject to DORA, it may require its Swiss customers to implement stricter security controls and contractual agreements to meet compliance obligations.
This means that even Swiss institutions without direct EU exposure could still be required to align with DORA’s cybersecurity and risk management framework simply because their key ICT vendors must comply.
Scenario 4: If Swiss Regulators Adopt Similar Standards
Switzerland’s FINMA (Swiss Financial Market Supervisory Authority) already enforces strict cybersecurity regulations, including:
FINMA Circular 2008/21 – Operational risk management, including ICT security.
FINMA Cyber Risk Guidance 03/2024 – Strengthening cyber resilience in financial institutions.
While FINMA has not explicitly adopted DORA, Swiss regulators have a history of aligning with EU financial regulations to maintain market equivalence. In the past, Swiss financial laws have followed EU regulatory trends, such as MiFID II for financial markets and GDPR for data protection. If FINMA introduces DORA-like cybersecurity mandates, Swiss financial institutions that have already implemented DORA’s best practices will be ahead of the compliance curve.
3. Why Should Swiss Financial Institutions Align With DORA?
Even if your organization is not legally required to comply with DORA, aligning with its framework can provide significant business and security advantages:
Competitive Advantage & Market Access
Swiss financial institutions that demonstrate DORA compliance may have an edge when working with EU clients, partners, and vendors who expect their counterparts to meet similar security standards.
Stronger Cyber Resilience & Risk Mitigation
DORA’s framework provides a structured approach to cybersecurity, helping organizations:
Reduce the risk of cyberattacks and ransomware incidents.
Improve third-party risk management and vendor security.
Strengthen incident response and business continuity planning.
Regulatory Readiness & Future-Proofing
Swiss financial institutions that proactively align with DORA will be well-positioned for future regulatory shifts. If FINMA introduces DORA-like cybersecurity mandates, early adopters will already be compliant, reducing costs and regulatory friction.
Stronger Vendor Relationships & Security Expectations
DORA enforces stricter third-party security requirements for ICT service providers. Aligning with DORA ensures that Swiss financial institutions set the right expectations for their vendors and maintain strong security controls in their supply chain.
4. What’s Next?
This is just the beginning of our “Prepare for DORA” blog series!
Part 2: Managing Third-Party ICT Risk Under DORA
How DORA impacts third-party risk management for financial institutions.
What Swiss organizations need to know about contracting and oversight of ICT vendors.
Stay tuned for Part 2 coming soon!