From Compliance to Competitive Edge: Navigating the New Digital Risk Landscape
by Julien Renkin, CCO, SOPIAD & Maxime Hennau, Head of Spike Reply Luxembourg
The Digital Operational Resilience Act (DORA) introduces a landmark regulatory framework that reshapes how financial entities across the European Union manage ICT risks, operational continuity, and cybersecurity. DORA sets a new benchmark for digital resilience in an increasingly volatile threat landscape.
This regulation comes at a time when cyberattacks are growing in scale and sophistication. The ransomware incident targeting a European payments infrastructure in late 2024, which disrupted cross-border transactions and exposed critical data flows, exemplifies the systemic vulnerabilities that DORA seeks to address. While DORA applies directly to financial institutions, its ripple effects are already being felt by ICT service providers. These providers, from cloud platforms to niche software vendors, are now subject to stricter contractual requirements, enhanced due diligence, and continuous monitoring imposed by their regulated clients. In practice, this means demonstrating mature cybersecurity postures aligned with financial sector standards, supporting auditability and traceability across service delivery, and preparing for threat-led penetration testing (TLPT) and exit strategies embedded in service-level agreements.
In short, DORA is redefining the expectations placed on ICT partners. Those unable to meet the elevated standards risk losing business, facing reputational damage, or being excluded from critical financial ecosystems.
How SOPIAD and Spike Reply Navigated DORA’s Demands
SOPIAD, a Liège-based RegTech, provides a scientifically grounded investment diagnostic platform that enables financial institutions to deliver personalised and transparent portfolio recommendations. As DORA raised expectations around ICT governance, SOPIAD proactively sought to align with the evolving demands of its regulated clients.
To support this, SOPIAD partnered with Spike Reply, a cybersecurity consultancy within the Reply Group. With extensive experience working alongside financial institutions across Europe, Spike Reply brought deep insight into what these entities expect from their ICT partners, enabling SOPIAD to strengthen its resilience and meet compliance standards effectively.
Impact of DORA on ICT Service Providers
Although DORA applies directly to financial entities, its influence on ICT service providers is increasingly tangible. Financial institutions are now required to ensure that their technology partners meet elevated standards of resilience, governance, and transparency, making compliance readiness a key selection criterion.
DORA introduces a tiered model of ICT providers: Category 1 includes providers of general ICT services to financial entities, such as hosting, software licensing, and helpdesk support. Category 2 covers providers supporting Critical or Important Business Functions (CIBFs), whose disruption could materially impact financial stability or regulatory compliance. Finally, Category 3 encompasses providers designated as Critical Third-Party Providers (CTPPs) at the EU level, who are subject to direct oversight by the European Supervisory Authorities (EBA, ESMA, and EIOPA).
In practice, this means ICT providers must maintain audit-ready documentation, such as ICT risk assessment evidence and policies and procedures; answer due diligence questionnaires and client audits; support incident reporting and business continuity planning; and accept contractual clauses covering audit rights, exit strategies, and subcontractor transparency.
For instance, companies may be required to demonstrate that their platforms operate within a secure, well-documented, and auditable environment. This could involve providing evidence of data governance policies, encryption standards, and access controls, or responding to detailed due diligence questionnaires covering incident response and business continuity.
Even niche providers offering proprietary analytics, portfolio modelling, or investment scoring tools must now align their ICT frameworks with the expectations of financial clients subject to DORA. The ability to support these requirements is increasingly a prerequisite for maintaining strategic partnerships in the financial sector.
Providers failing to meet these standards risk losing strategic partnerships, while those that adapt can position themselves as resilient, trusted players in a highly regulated ecosystem.
“While achieving compliance with new regulations is always a challenge for any company, it is particularly true for smaller firms that must cope with more limited human, technical, and financial resources. Pragmatic approaches such as modular solutions, specialised external providers, and prioritising the most significant regulatory risks help concentrate efforts on measures that add real value to operational resilience,” added Renkin.
Strengthening Compliance: How Spike Reply Supported SOPIAD
While SOPIAD had already established solid internal processes, the growing expectations of its financial clients under DORA required a more formalised and consolidated approach to governance and documentation. Spike Reply stepped in to provide targeted, practical support aimed at elevating SOPIAD’s compliance maturity.
The engagement began with a tailored regulatory decryption, focusing on the DORA obligations most relevant to ICT service providers. This was followed by a comprehensive gap analysis, benchmarking SOPIAD’s existing posture against DORA-aligned expectations.
From there, Spike Reply delivered hands-on support by drafting and refining key governance documents, including ICT policies, risk management guidelines, and business continuity protocols.
They also conducted internal training sessions to equip SOPIAD’s teams to handle client assessments and regulatory requests autonomously, while sharing best practices from across the European financial sector to ensure alignment with both regulatory and market standards.
Reflecting on the collaboration, Hennau highlighted: “Our deep expertise and practical approach allowed us to transform complex regulatory requirements into actionable processes, strengthening our resilience and positioning us as a trusted partner in the financial ecosystem.”
The project concluded with the delivery of a centralised “DORA package”, a structured compliance file designed to support vendor due diligence, demonstrate operational maturity, and accelerate onboarding with financial clients.
Thanks to this collaboration, SOPIAD is now better positioned to respond to external assessments and present itself as a secure, resilient partner in the financial ecosystem.
Next Steps: Building Long-Term Resilience
With its extensive experience supporting financial institutions across Europe, Spike Reply has developed a deep understanding of what these organisations expect from their ICT service providers. This includes knowing which documents, controls, and governance practices truly influence vendor selection and build trust.
For ICT providers, this insight is critical, not only to meet client expectations, but to stand out in a competitive and increasingly regulated market.
As Renkin notes, “Our internal preparation, challenged and enhanced by the expertise of the Spike Reply team, now enables us to quickly and easily demonstrate our ability to maintain continuous digital resilience, share our compliance processes, and provide full traceability of incidents and updates.”
At the same time, the regulatory landscape is evolving. Frameworks like NIS2 are beginning to place direct obligations on ICT service providers, accelerating the need for formalised internal processes, stronger documentation and auditability, and structured governance and risk management frameworks. To support this transition, service providers can also explore public funding opportunities to co-finance compliance and cybersecurity initiatives.
As regulatory expectations continue to rise, early and proactive alignment with frameworks like DORA is no longer optional; it’s a strategic differentiator.
This article was originally published in the Agefi Luxembourg Newspaper - October 2025 edition