The dominance of digitalisation in business operations is a widely acknowledged reality. Because of this, Small and Medium Enterprises (SMEs) in the financial sector tend to stand at the intersection of opportunity and vulnerability. The Digital Operational Resilience Act (DORA) Regulation is approaching, ushering in a new era of compliance requirements. Yet, for SMEs, DORA is not merely a challenge in terms of compliance; it presents a distinctive opportunity to strengthen their digital infrastructure and secure long-term success in the constantly changing digital environment. 


Understanding the DORA Regulation 

The Digital Operational Resilience Act (DORA) is a regulatory framework set forth by the European Union which provides uniform requirements for the security of network and information systems that support the operations of businesses in the financial sector. These requirements include ICT risk management, reporting of major ICT related incidents, digital operational resilience testing, information and intelligence sharing and measures for the sound management of third-party risk. 


A deep dive into DORA’s Pillars

5 pillars of DORA



Where do you belong in the SME spectrum? 

In the context of this article, SMEs, or Small and Medium-sized Enterprises, are businesses that fall within a specific range of size and operational scale. These enterprises are characterized by their relatively modest size compared to larger corporations. In the European Union, which is where DORA is of relevance, the classification of SMEs is based on specific criteria. Understanding where your business fits within these categories can help your organisation better assess its obligations and compliance efforts related to the DORA regulation. 

Microenterprise You are a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover or total balance sheet that does not exceed EUR 2 million.
Small Enterprise You are a financial entity that employs 10 or more persons, but fewer than 50 persons, and has an annual turnover and/or annual balance sheet total that exceeds EUR 2 million but does not exceed EUR 10 million.
Medium-Sized Enterprise You are a financial entity that is not a small enterprise and employs fewer than 250 persons and has an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet that does not exceed EUR 43 million. 


Why should your organization take DORA into consideration? 

One of the critical aspects of DORA is its intention to level the regulatory playing field. It ensures that all financial market participants, regardless of their size, adhere to consistent standards of operational resilience. DORA places a strong emphasis on cybersecurity risk management, requiring SMEs to bolster their defenses against cyber threats. Compliance with these standards not only safeguards the enterprise but also fosters trust among customers, partners and investors.  

In short, operational resilience isn't merely about compliance; it's a strategic differentiator. The act recognizes that SMEs play a vital role in the financial ecosystem and aims to provide them with the tools and standards needed to thrive in the digital age. By embracing DORA's principles, SMEs can enhance their operational resilience, build trust, and navigate the digital seas with confidence, ensuring their continued success in an increasingly complex and interconnected financial world. 


Streamlining compliance for your organization with the principle of proportionality 

Within the intricacies of DORA lies a fundamental principle - proportionality. At its core, this principle in DORA signifies that regulatory requirements should be proportionate to the size, significance, and complexity of the entities being regulated. It acknowledges the diverse nature of regulated entities and tailors the regulatory requirements accordingly.  

For SMEs, the proportionality principle plays a pivotal role in ensuring that the regulatory burden matches the size and complexity of the organization. This means that they are not burdened with the same extensive and costly compliance requirements as larger organizationsSubsequently, SMEs can focus their efforts on areas of their business that post the most significant risk. With this targeted approach, smaller firms can minimize unnecessary expenses and enhance operational efficiency.  


Where the proportionality principle applies  

The regulation embodies the principle of proportionality in three key instances. First and foremost, it states that the rules laid out throughout the text shall be proportionate to the entity’s size, overall risk profile, nature, scale and complexity of their services and operations. This point holds significant importance since it advocates for a risk-centric approach over a mere compliance-focused mindset. 

Following that, this principle is also exercised in the second pillar termed as the ICT Risk Management framework. Under this pillar, small and non-interconnected investment firms, payment institutions, electronic money institutions, and small institutions for occupational retirement provision are granted exemptions from specific requirements from certain requirements. Instead, they are only required to establish a simplified risk management framework for their organisation

Finally, the third instance of the proportionality principle is noticeable in the context of microenterprises, which are similarly exempt from certain requirements within the text. 


Operational Resilience challenges for small & medium enterprises and the Grant Thornton Solution 

 While DORA is designed to bolster the operational resilience of financial institutions by imposing strict requirements on their digital infrastructures, it also presents an imposing challenge for small and medium-sized enterprises within the industry. Here are some key obstacles that your company may encounter: 

  • Compliance costs: DORA mandates that financial entities maintain a high level of cybersecurity and operational resilience. Your business may need to invest in enhanced cybersecurity measures, which could include third party monitoring, threat detection, and incident response systems. These security enhancements can be costly.  

How we can help:  

Our DORA Readiness assessment can help you evaluate your current maturity level and from there, we can help you leverage the proportionality principle to allocate resources efficiently and concentrate your efforts on mission-critical dependencies. In addition, Grant Thornton can help your company with our SME Consultancy Service Grant Scheme which can support your business by partly financing your expenditure incurred by the consultancy services procured by us. 

  • Interpreting the legal requirements: Regulatory documents like DORA often employ complex legal terminology and concepts that can sometimes be vague or open to interpretation, leaving room for you to misunderstand the exact obligations and standards you need to meet. This vagueness can lead to incorrect compliance measures. In addition, you may have limited resources, including time, money, and personnel, to dedicate to legal compliance.

How we can help:  

Grant Thornton can provide you with the necessary skills and knowledge needed in your compliance journey without the expense of hiring in-house legal specialists. We can help you decipher the legal intricacies of DORA and provide you with simplified interpretations, customized to your specific operations. 


  • Managing third parties supporting critical or important functions: Selecting the right third-party vendors that meet DORA's stringent requirements can be a complex process. Your organisation may struggle to conduct comprehensive risk assessments and draft robust contractual agreements that adequately protect your interests, potentially exposing your firm to vulnerabilities.

How we can help:  

Through our third-party risk management program, we can help your company establish ongoing monitoring mechanisms and negotiate contracts to include necessary operational resilience and cybersecurity provisions. In addition, our team at Grant Thornton can develop your contingency plans and alternative solutions to mitigate dependencies on vendors for your critical services. 

As we find ourselves at the midpoint of the two-year implementation period, it becomes crucial for organisations like yours to assess their progress and identify the necessary steps to bridge any existing gaps on the path to compliance.

At Grant Thornton, our team of dedicated consultants is steady in its commitment to guide you through this journey with competence and assurance. We believe in fostering a collaborative approach that empowers you to not only meet the regulation’s requirements but also to thrive in a compliant and ethical business environment.