Financial services M&A has IT due diligence requirements that go beyond those of any other sector. The DORA regulation (Digital Operational Resilience Act), which became applicable in the EU in January 2025, establishes a comprehensive framework for ICT risk management that applies to all financial entities — and the obligations don’t disappear in an M&A context.
If you’re acquiring a financial services company, you’re acquiring their DORA compliance posture. And if that posture has gaps, you inherit them.
DORA’s Five Pillars and Their M&A Implications
Pillar 1: ICT Risk Management
DORA requires financial entities to have a comprehensive ICT risk management framework. This includes:
- ICT business continuity policy
- ICT disaster recovery plans
- Backup and restore capabilities
- Crisis communication plans
M&A implication: The target’s ICT risk management framework should have been tested and validated. Request the most recent ICT risk assessment and the most recent business continuity test results.
Pillar 2: ICT-Related Incident Reporting
DORA requires reporting of major ICT-related incidents to competent authorities within specified timeframes (initial notification within 4 hours, intermediate report within 72 hours, final report within 1 month).
M&A implication: Check the target’s incident log. Any major ICT incident in the past 24 months should have been reported. Unreported incidents are a regulatory compliance gap.
Pillar 3: Digital Operational Resilience Testing
DORA requires financial entities to maintain a baseline programme of digital operational resilience testing. For the most significant entities, this includes Threat-Led Penetration Testing (TLPT) — an advanced red team exercise modeled on TIBER-EU.
TLPT is required every 3 years for significant entities. The testing scope includes: the target’s critical functions, its ICT assets, and its third-party service providers.
M&A implication: When acquiring a financial entity, ask for the most recent TLPT report. If the target has never conducted TLPT and is classified as significant, this is a compliance gap that needs to be remediated — and the remediation cost and timeline need to be in the deal model.
Pillar 4: ICT Third-Party Risk Management
DORA requires financial entities to maintain a register of all ICT third-party service providers. This register must be complete and current. Critical ICT service providers must be subject to heightened monitoring.
The M&A finding: The ICT third-party register is frequently incomplete. Acquired companies often have SaaS applications that were adopted by departments without IT’s knowledge — and those applications are not on the register.
If a critical SaaS application is not on the ICT third-party register, it’s a compliance gap. If that SaaS application processes personal data of EU data subjects, it may also be a GDPR Article 28 gap.
Pillar 5: Information Sharing
DORA encourages voluntary sharing of cyber threat intelligence and vulnerability information among financial entities. This is less relevant in the M&A context, but the existence of information sharing arrangements (ISACs, FS-ISAC membership, etc.) is a good signal of security maturity.
The ICT Third-Party Concentration Risk Problem in M&A
DORA introduces a specific concept: ICT third-party concentration risk. This is the risk that an entity relies too heavily on a single ICT service provider — particularly if that provider is the only provider for a critical function.
In the M&A context: If a financial services target uses a single cloud provider for all critical infrastructure, the concentration risk is significant. The acquisition should include a plan to either diversify cloud providers or have a contingency plan for cloud provider failure.
Specific findings that trigger a concentration risk review:
- 80%+ of the target’s workloads are on a single cloud provider
- The target’s Azure AD tenant is the only identity provider (no backup IdP)
- A single vendor manages the target’s core banking system
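The two due diligence checks described above (the Pillar 4 register-gap finding and the three concentration-risk triggers) can be run over the target’s data exports rather than eyeballed in a spreadsheet. The script below is an added example, not part of the article; the register structure, the inventory lists and the provider names are constructed and hypothetical.

```python
from collections import defaultdict

# Constructed ICT third-party register (simplified; field names are hypothetical).
REGISTER = {
    "CloudCo": {"critical": True, "function": "core-infrastructure"},
    "CoreBankVendor": {"critical": True, "function": "core-banking"},
    "PayrollSaaS": {"critical": False, "function": "hr"},
}
# Constructed inventories collected during due diligence: (workload, hosting provider).
WORKLOADS = [
    ("payments-api", "CloudCo"), ("ledger-db", "CloudCo"), ("crm", "CloudCo"),
    ("reporting", "CloudCo"), ("archive", "OtherCloud"),
]
IDENTITY_PROVIDERS = ["Azure AD"]  # tenants that can authenticate staff
SAAS_DISCOVERED = ["PayrollSaaS", "DocSignSaaS", "ChatSaaS"]  # from SSO/expense exports
CRITICAL_FUNCTION_VENDORS = {"core-banking": ["CoreBankVendor"]}
CONCENTRATION_THRESHOLD = 0.80  # the 80% single-provider trigger from the article

def cloud_concentration(workloads):
    """Return (provider, share) for the provider hosting the largest share of workloads."""
    counts = defaultdict(int)
    for _, provider in workloads:
        counts[provider] += 1
    provider, n = max(counts.items(), key=lambda kv: kv[1])
    return provider, n / len(workloads)

def unregistered_saas(discovered, register):
    """SaaS applications seen in use but missing from the ICT third-party register."""
    return sorted(app for app in discovered if app not in register)

def concentration_findings(workloads, idps, critical_vendors, threshold=CONCENTRATION_THRESHOLD):
    """Apply the three concentration-risk triggers and return human-readable findings."""
    findings = []
    provider, share = cloud_concentration(workloads)
    if share >= threshold:
        findings.append(f"{share:.0%} of workloads on single cloud provider {provider}")
    if len(idps) == 1:
        findings.append(f"single identity provider ({idps[0]}), no backup IdP")
    for function, vendors in critical_vendors.items():
        if len(vendors) == 1:
            findings.append(f"critical function {function} managed by single vendor {vendors[0]}")
    return findings

if __name__ == "__main__":
    for app in unregistered_saas(SAAS_DISCOVERED, REGISTER):
        print(f"register gap: {app} in use but not on ICT third-party register")
    for finding in concentration_findings(WORKLOADS, IDENTITY_PROVIDERS, CRITICAL_FUNCTION_VENDORS):
        print(f"concentration risk: {finding}")
```

On the constructed data it reports two SaaS applications missing from the register and all three concentration triggers; replace the constants with the target’s actual register and inventory exports.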
The DORA IT Due Diligence Checklist for Financial Services M&A
Governance (5 items)
- ICT risk management framework documented and tested
- Business continuity and disaster recovery plans reviewed
- Most recent ICT risk assessment reviewed (findings and remediation status)
- Most recent BC/DR test results reviewed (was the plan actually tested?)
- Crisis communication plan documented and contact list current
Incidents (3 items)
- ICT incident log reviewed for past 24 months
- Major ICT incidents (if any) confirmed as reported to competent authority
- Incident response plan updated for the merged entity
Testing (4 items)
- TLPT status: current or overdue? If never conducted and entity is significant, gap identified
- Most recent penetration test results reviewed (critical/high findings remediated?)
- Red team / purple team exercise results reviewed (if available)
- Vulnerability scanning cadence documented — how often? What’s remediated?
Third-Party Risk (5 items)
- ICT third-party register reviewed — is it complete? Any gaps?
- Critical ICT service providers identified — concentration risk assessed
- SaaS applications: are all material SaaS vendors on the ICT third-party register?
- SLA monitoring: are there documented SLAs with critical ICT vendors?
- Exit provisions: do critical vendor contracts have exit provisions and data portability provisions?
Cloud and Infrastructure (4 items)
- Cloud provider concentration risk assessed (single vs. multi-cloud)
- Data residency: where is the data stored? Does it comply with applicable requirements?
- Backup and restore: tested backup restoration within last 12 months?
- Failover and redundancy: has the target’s failover capability been tested?