DORA: Enhancing financial resilience
Building digital trust for financial institutions
DORA (Digital Operational Resilience Act)
DORA sets strict requirements to strengthen the ICT resilience of financial entities across the EU. As a designated Critical Third‑Party Provider (CTPP), Kyndryl is directly overseen by the European Supervisory Authorities (ESAs) to ensure our robust risk management, governance, and resilience practices meet their expectations.
For financial sector customers, this means choosing a partner already operating under regulatory scrutiny comparable to their own, helping reduce compliance effort and increasing confidence in the resilience of the services they rely on.
How Kyndryl adheres to DORA
As a trusted provider of critical IT infrastructure services to financial institutions globally, Kyndryl already operates under direct regulatory supervision in several jurisdictions, including the United States and Luxembourg. As a designated CTPP under DORA, Kyndryl’s risk management and governance frameworks are subject to additional ongoing assessment and monitoring by the ESAs.
To further support the resilience of services that Kyndryl delivers to financial entities in Europe, we maintain a dedicated compliance and governance team that provides robust oversight across all business practices and corporate functions. Our strength lies in a proven framework of regulatory governance and a comprehensive global approach that ensures controls are continuously reviewed and updated as needed.
Key enterprise activities supporting DORA implementation include:
Kyndryl Europe Regulatory Team
Our dedicated team of legal, cybersecurity and audit professionals oversees Kyndryl’s adherence to regulatory oversight requirements under DORA, NIS2, and their UK equivalents. The Europe Regulatory Team (ERT) also manages Kyndryl’s engagement with regulatory authorities and provides guidance to Kyndryl account teams on related matters.
DORA Program Office
Our financial services regulatory governance and compliance program office supports Kyndryl and financial entity customer accounts in implementing DORA requirements.
Review and Assessment
We conducted a comprehensive gap analysis of DORA and its Regulatory Technical Standards (RTS), identifying direct impacts on financial entities and CTPPs, and indirect effects on ICT third-party service providers. We continue to monitor developments and changes in these requirements.
Guidance and Education
We develop educational materials and provide guidance to internal Kyndryl organizations, complemented by external communications to ensure awareness and a consistent understanding of DORA obligations.
ESA and Regulator Engagement
We actively participate in DORA consultation papers and proposals, engage in public ESA forums and industry associations, and collaborate with EU and national regulators.
Country Engagement
We support Kyndryl subsidiaries in EU countries and global infrastructure delivery centers, enabling ongoing DORA scope analysis and assessment of operational impacts on Kyndryl and its subcontractors who support critical or important functions of Kyndryl’s financial entity customers.
How Kyndryl supports customer compliance
Kyndryl’s assessment of DORA’s impact across our EU subsidiaries and global infrastructure delivery centers means that customers benefit from a provider ready to assist them with the security and resiliency requirements imposed upon them by DORA, helping to reduce their overall compliance effort.
Financial entities subject to DORA are required to implement controls based on their size, risk profile, and the complexity and scale of their service offerings within the EU. We work closely with our customers to translate their regulatory requirements into tailored technical specifications. Where necessary, this includes incorporating provisions mandated by DORA and similar regulations into our contracts and aligning them with updates to our service scope, enterprise processes, and procedures while minimizing both operational and commercial impact for all parties involved.
Kyndryl services
Governance, risk and compliance
Kyndryl’s integrated, insight-driven frameworks help organizations align with evolving regulations, reduce risk, and strengthen operational resilience.