DORA and its impact on the data center industry

In January 2025, the Digital Operational Resilience Act (DORA) entered into application across the European Union. This landmark regulation is designed to strengthen the digital resilience of the financial sector. Now, a year on, what does DORA mean in practice for financial institutions and critical third-party providers, including data centers?

What is DORA really?

Europe’s financial stability depends on digital trust. To safeguard that trust, the European Commission introduced the Digital Operational Resilience Act (DORA): a regulation designed to protect financial institutions from digital disruption. DORA has been in force since January 2025, marking a new chapter in how Europe safeguards the stability of its financial system.

At its core, DORA ensures that banks, insurers and other financial institutions can withstand digital shocks. From ransomware attacks to power outages, DORA turns resilience from a best practice into a legal obligation.

But DORA is not just about banks and insurers. It also applies to the partners they rely on, including data centers. These facilities, usually operating quietly in the background, now take a central role in Europe’s plan for digital resilience.

Why DORA matters

The European Commission introduced DORA to tackle growing risks in the financial system.

Cyberattacks, digital sabotage, and complex supply chains can quickly undermine stability. Vulnerabilities in a single provider can ripple through an entire ecosystem. At the same time, the lack of transparency and fragmented reporting make it difficult to respond effectively when incidents occur.

DORA complements other European initiatives such as NIS2, which focuses on critical infrastructure, and the Cyber Resilience Act (CRA), aimed at connected devices. Together, these regulations raise the bar for cybersecurity and operational resilience across Europe.

What DORA means for financial institutions

For banks, insurers, and other financial players, DORA sets clear expectations. They must strengthen ICT risk management across their entire chain of partners. This includes everyone from cloud service providers to data centers. Cyber incidents now have to be reported swiftly to national authorities. Regular resilience testing is mandatory, through penetration tests, scenario exercises, and audits. Contracts must also include predefined exit plans, ensuring continuity if a supplier relationship ends.

Data centers as critical third parties

Although DORA was not written specifically for data centers, it affects them directly. As critical ICT service providers to the financial industry, data centers carry responsibility for operational continuity. If a data center experiences an outage or security breach, the consequences for financial institutions can be immediate.

This means data centers must demonstrate compliance with strict security and operational standards. They need to provide detailed documentation for audits, ensure that subcontractors follow the same resilience requirements, and align physical and digital security to reduce human error. In today’s regulatory environment, data centers are not “just” facility providers. They are strategic partners in financial resilience.

Resilience as a competitive strength

True resilience goes beyond having a checklist. It is about preparation, communication, and adaptability. Regular simulations and failover drills help organisations test their response under real conditions. Cross-functional training ensures that technical experts, communication teams, and senior leaders work together when crises arise. Clear and consistent communication during such moments builds trust, both internally and externally.In practice, resilience is now a competitive differentiator for data centers.

For data centers, resilience has become a differentiator. Clients value partners that can demonstrate maturity in both preparedness and response. Those who invest in their cybersecurity strategies will not only comply with DORA but also strengthen their reputation as reliable partners.

The human factor and the role of AI

Technology plays a vital role in resilience, but people make the difference. The way teams act under pressure, how leaders communicate, and how lessons are integrated after exercises determine success. At the same time, artificial intelligence is changing the landscape. Attackers are using AI to automate and scale threats. Defenders, on the other hand, can use it to predict failures, detect anomalies, and support faster recovery.

Still, experts agree that AI should remain a supporting tool. Decision-making and accountability must stay in human hands. The balance between technology and human judgement is what builds lasting trust.

Challenges and opportunities

Complying with DORA will require both technical and organisational investment. Enhanced monitoring systems, redundancy, sustainability initiatives, and cyber-secure processes will become standard. Governance must also evolve, with closer client collaboration, stronger supplier oversight, and contractual clauses that ensure continuity.

Yet, these efforts bring opportunities. Data centers that embrace resilience and transparency can position themselves as trusted partners. By helping clients meet their own DORA obligations, they add value beyond infrastructure. At the same time, their growing role in sustainability, for instance through heat reuse or grid stabilization, underlines their contribution to society.

Looking ahead

While DORA focuses on financial services, its principles are likely to spread across other sectors, much like NIS2 did. This broader adoption will bring greater transparency and accountability throughout ICT ecosystems. It will also reinforce Europe’s digital sovereignty by strengthening trust and control over critical infrastructure. As both frameworks evolve, their overlap is becoming increasingly clear, suggesting that one day a single, unified standard for digital resilience may apply across all sectors.

Conclusion

DORA marks a turning point in the relationship between financial institutions and their data center partners. What started as a rulebook for banks has become a strategic catalyst for the entire data center industry. Those who place resilience, security, and transparency at the heart of their operations will not only comply with European law but also shape the foundations of Europe’s digital economy.

In the age of DORA, resilience is not optional, it is the cornerstone of trust.