ARTICLE
8 August 2025

The Digital Operational Resilience Act (DORA) – How Will It Impact Canadian Businesses?

Fasken

Contributor

Fasken is a leading international law firm with more than 700 lawyers and 10 offices on four continents. Clients rely on us for practical, innovative and cost-effective legal services. We solve the most complex business and litigation challenges, providing exceptional value and putting clients at the centre of all we do. For additional information, please visit the Firm’s website at fasken.com.

DORA at a Glance

In effect across the EU since January 17, 2025, the Digital Operational Resilience Act ("DORA") aims to enhance the digital resilience of financial entities to withstand and respond to ICT-related disruptions. This regulation reflects a global shift towards proactive measures to ensure the availability of increasingly digitized financial systems.

DORA is built on five pillars of compliance: (i) ICT Risk Management, (ii) ICT-Related Incident Reporting and Response, (iii) Digital Operational Resilience Testing, (iv) ICT Third-Party Risk Management and (v) Information Sharing. Each pillar contributes to strengthening and maintaining the resilience of the EU's financial infrastructure, and the regulation's detailed incident-reporting rules in particular make clear that entities are expected to have robust mechanisms for detecting, classifying and reporting ICT-related incidents.

Proper preparation underpins the resilience of financial institutions. Operational resilience testing lets institutions find weaknesses in their systems and remediate them. Third-party risk management ensures that responsibility for ICT services is clearly assigned across and between organizations, since an institution's resilience depends on that of its providers. Information sharing promotes collaboration and a shared understanding of digital risks and appropriate responses, bolstering the operational resilience of the industry as a whole.

DORA places particular emphasis on monitoring, managing and reporting ICT-related incidents. Entities subject to DORA must classify incidents using a set of prescribed criteria[1] (such as the number of clients affected, duration, geographical spread, data losses, criticality of the services affected and economic impact) and must notify their competent authority of any major ICT-related incident within 24 hours of becoming aware of it (and within four hours of classifying it as major). This initial notification must be followed by an intermediate report within 72 hours and a final report within one month of the intermediate report. Where a major incident affects clients' financial interests, clients must also be informed without undue delay, and in some circumstances communication to the public is required.

Who Does It Impact?

DORA applies directly to financial entities operating in the EU, including banks, insurance companies, investment firms and other financial entities. Canadian groups are caught in two ways. An EU subsidiary that is itself a financial entity is directly in scope. A Canadian company that provides ICT services to EU financial institutions, such as a cloud service provider, a data analytics platform or a cybersecurity vendor, is reached indirectly, because DORA requires its financial-entity customers to impose contractual terms on their ICT providers covering matters such as service levels, security, audit and access rights, incident assistance and exit strategies.

DORA also requires EU financial entities to ensure that their ICT supply chains meet its operational resilience standards, and ICT service providers designated as "critical" by the European Supervisory Authorities are placed under direct EU oversight with additional obligations. As a result, entities outside the EU that sit in these supply chains can expect DORA-aligned contract terms and will face commercial pressure to comply in order to keep their EU financial-sector customers.

How DORA Fits Within the Canadian Regulatory Landscape

Canadian financial entities are already subject to a number of domestic regulations covering technology risk and incident reporting. Because DORA is generally the more prescriptive regime, a compliance programme built to its standard will in most cases also satisfy the Canadian requirements and reduce the risk of penalties in both jurisdictions. Below is a brief overview of the regulatory landscape within which many Canadian financial entities operate.

At the federal level, the Office of the Superintendent of Financial Institutions (OSFI) has issued Guideline B-13, Technology and Cyber Risk Management, which sets expectations for federally regulated financial institutions, and its Technology and Cyber Security Incident Reporting advisory requires those institutions to report technology and cyber incidents to OSFI within 24 hours of determining that an incident meets the reporting threshold. OSFI's approach aligns with DORA's emphasis on operational resilience, but it is principles-based rather than prescriptive.

In Québec, the Autorité des marchés financiers (AMF) recently adopted the Regulation respecting the management and reporting of information security incidents by certain financial institutions and by credit assessment agents, which builds on its existing Guideline on Information and Communications Technology Risk Management. This confirms that managing ICT risk and reporting incidents are just as important for provincially regulated financial institutions as for federally regulated ones.

The Canadian Investment Regulatory Organization (CIRO) has its own sector-specific Cybersecurity Incident Reporting Requirements, which oblige regulated dealers to manage cybersecurity incidents effectively and to report them to CIRO within three calendar days of discovery, followed by an investigation report within 30 days.

Canadian privacy laws, both federal and provincial, impose baseline requirements for protecting personal information, including breach notification obligations following a privacy incident[2]. These laws parallel the EU regime, where privacy is governed by the General Data Protection Regulation (GDPR) and the national laws of member states.

Lastly, although Bill C-26 and Bill C-27 died on the Order Paper when Parliament was prorogued in January 2025, they would have applied to many entities in the financial sector and imposed a similar incident management and reporting regime backed by significant fines. There is a good chance that these bills, or successors to them, will be reintroduced, so regulated entities with strong practices already in place will have an advantage.

While Canadian law and the EU's DORA currently provide broadly similar frameworks for managing ICT risk and reporting incidents, DORA sets out more prescriptive and comprehensive requirements, notably in third-party oversight (mandatory contractual terms, a register of all ICT third-party arrangements and direct oversight of critical providers) and in resilience testing (including threat-led penetration testing for significant entities).

Why DORA Matters to Canadian Businesses

It is critical that Canadian financial businesses with operations in the EU, or that are part of an EU financial institution's supply chain, stay abreast of DORA's provisions. Properly preparing for and complying with DORA will mitigate financial, operational and reputational risks for the organization and customers alike.

DORA's enforcement regime falls into three broad categories, which can be summarised as follows:

  • Financial: DORA does not itself fix the fines payable by financial entities; Article 50 requires each member state to provide administrative penalties that are effective, proportionate and dissuasive, so the amounts are set by national law (fines of up to 2% of annual worldwide turnover or €1,000,000 are commonly cited). For critical third-party ICT service providers, the regulation itself empowers the Lead Overseer to impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover, applied daily for up to six months, until the provider complies (Article 35).
  • Administrative: Competent authorities may order entities to cease conduct that infringes DORA and to take corrective measures, such as specific improvements to cybersecurity defences, and national supervisors may suspend or withdraw an operating licence under their sectoral powers. Losing a licence is a serious risk for fintech firms, as the resulting disruption can severely damage their business relationships and market presence.
  • Criminal: Article 52 allows member states to lay down criminal penalties for infringements instead of, or in addition to, administrative ones, so executives may, depending on the national law in question, face personal liability and in extreme cases imprisonment.

These penalties are designed to be dissuasive, and beyond the fines themselves non-compliance can cost an ICT provider its EU financial-sector customers or restrict a financial entity's access to the EU market.

The enactment of DORA reflects a broader global shift toward ensuring and protecting operational resilience in the financial sector. Of the three classic security objectives, confidentiality, integrity and availability, DORA is most concerned with availability and integrity: keeping financial services running, and trustworthy, through ICT disruptions.

As financial institutions become increasingly dependent on digital technology, regulations such as the EU's DORA and the AMF's framework in Québec (see previous section) underscore the growing importance of ICT security and resilience in the financial sector. Ensuring that these systems withstand ICT disruptions is therefore becoming not only a legal obligation but a strategic necessity.

How to Prepare

The best way for Canadian businesses with operations in the EU to approach DORA compliance is to start from a review of current practices, since many entities will already have much of what is required in place through their Canadian obligations. Nevertheless, being proactive, for instance by implementing processes to respond to cyber incidents quickly and effectively, is crucial. A single incident response procedure built around the strictest applicable deadlines (DORA's 24-hour initial notification is matched by OSFI's 24-hour reporting expectation) lets an entity with operations in Canada and abroad satisfy every regime from one playbook.

Recommended measures include developing an ICT risk management framework, establishing and rehearsing an incident response plan, conducting resilience testing and remediating its findings, strengthening third-party risk management practices (including contract terms and an inventory of ICT providers), and sharing threat information and test results with peers. Implementing these practices and conducting regular compliance assessments helps ensure that your business has taken the precautions needed to avoid penalties and fines.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
