DORA and Financial Crime Systems: What EU-Based Institutions Must Know

Your AML transaction monitoring platform, sanctions screening tool, and fraud detection system are all ICT systems under DORA. Here's what EU-regulated institutions must have in place — and where compliance gaps are most commonly found.

Technical Guide  ·  May 2026  ·  EU Focus

The EU’s Digital Operational Resilience Act applies to AML and fraud detection platforms. Here’s what compliance teams at EU-regulated institutions need to understand.

The EU’s Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, entered into force in January 2025 and applies to a broad range of financial entities and their critical ICT third-party service providers. For compliance leaders, DORA’s relevance extends beyond IT risk management: AML transaction monitoring platforms, fraud detection systems, sanctions screening tools, and case management solutions are all ICT systems within scope.

⚠ An active obligation — not a future consideration

For institutions operating AML and fraud detection platforms in the EU, integrating DORA compliance into financial crime technology governance requires immediate assessment of ICT classifications, contractual gaps, and resilience testing programmes.

DORA’s Core Requirements Relevant to Financial Crime Systems

DORA imposes requirements in five main areas. Each has direct implications for financial crime technology infrastructure:

ICT Risk Management

Identify and classify ICT assets, assess associated risks, and implement protection, detection, response, and recovery measures

Incident Classification & Reporting

Classify and notify major ICT-related incidents within defined regulatory timelines — including AML system outages

Resilience Testing

Basic testing for all in-scope entities; advanced Threat-Led Penetration Testing (TLPT) for significant institutions

ICT Third-Party Risk Management

Enhanced contractual requirements for Critical ICT Third-Party Providers — directly relevant to cloud-hosted AML and fraud platforms

Information Sharing

Participation in cyber threat intelligence sharing arrangements within the EU financial sector

Incident Reporting for Financial Crime System Outages

An outage of an AML transaction monitoring or sanctions screening platform could meet the threshold for a major incident classification if it affects a significant volume of transactions or creates a period of non-compliance. The DORA reporting timeline is strict:

Initial Notification (4h)

Within 4 hours of classifying the incident as major, and no later than 24 hours after becoming aware of it

Intermediate Report (72h)

Intermediate update to the competent authority within 72 hours

Final Report (1 month)

Full final report submitted within one month of the intermediate report

💡 Compliance teams must coordinate with ICT risk functions

Financial crime system outages must be included in the incident classification framework — and notification procedures must be documented and tested before an incident occurs, not drafted in response to one.

ICT Third-Party Risk: What Contracts Must Include

DORA’s third-party risk requirements are particularly relevant for institutions using cloud-hosted or vendor-managed AML and fraud detection platforms. Contracts with Critical ICT Third-Party Providers must include specific provisions:

Information Security

Defined security standards, access controls, encryption requirements, and vulnerability management obligations for the vendor.

Data Access and Audit Rights

The institution’s right to audit the vendor’s systems and access data held on its behalf — on demand and with defined notice periods.

Service Continuity and Disaster Recovery

Defined recovery time objectives, business continuity plans, and geographic redundancy requirements to ensure AML system availability.

Exit Assistance and Data Portability

Clear obligations on the vendor to support migration to an alternative provider — including data export in usable formats within defined timelines.

Regulatory Access and Inspection Rights

Supervisory authorities’ right to access and inspect the vendor’s premises and systems where relevant to the institution’s regulated activities.

Incident Notification

Vendor obligations to notify the institution of ICT incidents within defined timeframes consistent with the institution’s own DORA reporting obligations.

Implications for Financial Crime Technology Procurement

DORA significantly raises the due diligence bar for procuring financial crime technology from third-party vendors. Procurement assessments must now evaluate:

Assessment Area              Key Questions                                                                          Priority
Operational Resilience       Business continuity, disaster recovery, geographic redundancy                           Critical
Security Certifications      ISO 27001, SOC 2, or equivalent — current and auditable                                 Critical
DORA Contractual Provisions  Ability to support all mandatory DORA contract requirements                             Critical
CTPP Designation Status      Is the vendor designated, or likely to be designated, as a Critical Third-Party Provider? Monitor
Testing Cooperation          Ability to support TLPT and vulnerability assessment programmes                         Critical

⚠ Existing contracts must be reviewed

Institutions should revisit existing contracts with financial crime technology vendors to assess DORA compliance gaps and initiate renegotiation where necessary. DORA required existing contracts to be brought into compliance by the application date — a requirement that has driven significant contract review activity across the EU financial sector since 2024.


Frequently Asked Questions

What is DORA and which entities does it apply to?

DORA (Regulation (EU) 2022/2554) applies to a broad range of EU financial entities including banks, investment firms, payment institutions, insurance companies, crypto-asset service providers, and their critical ICT third-party service providers. It establishes requirements for ICT risk management, incident reporting, resilience testing, and third-party risk management to ensure the digital operational resilience of the EU financial sector.

Are AML and fraud detection systems within DORA's scope?

Yes. AML transaction monitoring platforms, sanctions screening tools, fraud detection systems, and financial crime case management solutions are ICT systems within DORA’s scope for EU financial entities. Those classified as critical ICT systems face enhanced governance requirements including board-level accountability, resilience planning, and inclusion in the digital operational resilience testing programme.

What are the reporting timelines for major ICT-related incidents?

For major ICT-related incidents, DORA requires: an initial notification within four hours of classifying the incident as major (and no later than 24 hours after becoming aware), an intermediate report within 72 hours, and a final report within one month of the intermediate report. Financial entities must have documented and tested procedures to classify incidents and initiate reporting within these timelines.

What must contracts with financial crime technology vendors include?

Contracts with ICT third-party providers of financial crime technology must include provisions on information security, data access and audit rights, service continuity and disaster recovery, exit assistance and data portability, sub-contracting restrictions, regulatory access and inspection rights, and incident notification. DORA specifies minimum contractual requirements that must be reflected in all in-scope agreements.

How does DORA interact with existing AML obligations?

DORA governs how financial entities manage the ICT systems that underpin their regulated activities — it does not change the substantive AML obligations under the Anti-Money Laundering Directives. However, an institution that cannot demonstrate its AML systems are operationally resilient, tested, and recoverable faces both DORA compliance risk and the potential for an AML compliance failure during an ICT outage. The two frameworks are complementary and must be managed in parallel.

Assessing your financial crime systems for DORA compliance?

Nexiant supports EU-regulated institutions in aligning their AML and fraud detection technology governance with DORA’s operational resilience requirements.


This article was accurate at the time of publication in May 2026 and is intended for general informational purposes only. It does not constitute legal or compliance advice. Organisations should seek qualified professional counsel in relation to their specific obligations under EU law.