DORA and Treasury: What the EU’s Digital Operational Resilience Act Means for Outsourced Treasury Functions

February 24, 2026

In January 2025, the EU’s Digital Operational Resilience Act — DORA — came into force, introducing a harmonised framework for ICT risk management across the European financial sector. Early commentary focused largely on banks, insurers and investment firms. Yet DORA carries equally significant implications for corporate treasury functions, particularly those operating through outsourced models or relying on third-party technology providers.

For treasury teams that support regulated entities, or that operate within them, DORA is not a peripheral compliance topic. It reshapes expectations around operational resilience, third-party oversight and governance accountability at every level of the organisation — including functions that have historically sat outside the core regulatory perimeter.

As a regulated entity supervised by the Central Bank of Ireland, FTI Treasury operates within this enhanced regulatory framework. This positioning provides a distinctive vantage point on what DORA means in practice for treasury operations delivered through an outsourced model.

Understanding DORA’s Core Objective

DORA establishes a comprehensive legislative framework to ensure that financial entities can withstand, respond to and recover from ICT-related disruptions and cyber threats. The regulation is built around five pillars: ICT risk management; incident reporting; digital operational resilience testing; ICT third-party risk management; and information sharing arrangements.

Of these, ICT third-party risk management is the most consequential for treasury functions. Treasury today is inherently technology-enabled. Payment platforms, treasury management systems, banking APIs, market data feeds, connectivity providers and cloud infrastructure form the operational backbone of daily liquidity and risk management. DORA formalises what regulators have increasingly signalled in recent years: financial entities remain fully accountable for the risks arising from their service providers.

Outsourcing does not transfer responsibility.

Why Outsourced Treasury Models Are Directly in Scope

The modern outsourced treasury model typically involves a combination of cloud-based treasury management systems, banking connectivity infrastructure, market trading platforms, FX and liquidity counterparties, and third-party data hosting environments. Under DORA, regulated financial entities must maintain a register of ICT third-party providers, classify critical or important functions, conduct rigorous due diligence before contracting, implement contractual provisions aligned with regulatory requirements, and ensure that exit and substitution strategies are clearly documented.

The practical effect is that treasury outsourcing providers themselves enter the regulatory assessment perimeter. The evaluation question has shifted. It is no longer simply whether an outsourcing partner delivers operational efficiency and technical capability. It is whether that partner can operate within a regulated operational resilience framework — and demonstrate that capability in terms that satisfy supervisory scrutiny.
Regulated entities cannot discharge their DORA obligations by selecting an outsourcing provider that is not itself subject to comparable governance and resilience standards.

Governance Accountability Cannot Be Delegated

One of DORA’s most important principles — and one that deserves attention beyond the technical ICT risk discussion — is its reinforcement of senior management accountability. Boards and executive leadership must be able to demonstrate a clear allocation of ICT risk responsibilities, active oversight of outsourced providers, regular and documented resilience testing, and credible recovery and business continuity planning.

This has a direct bearing on how treasury teams structure their outsourcing arrangements. An informal or lightly governed model is no longer sufficient. Governance documentation, reporting transparency and contractual clarity are now central to regulatory compliance — not optional enhancements. Treasury cannot be treated as a back-office utility when its activities are directly linked to payment execution, liquidity management and financial stability within regulated groups.

What Strong Outsourced Treasury Models Look Like Under DORA

From a supervisory perspective, well-structured outsourced treasury models will demonstrate several distinct characteristics. First, the outsourcing provider should operate within a regulated framework — subject to prudential supervision and operational risk oversight in its own right. This is not merely a commercial differentiator; it is a structural indicator of governance maturity.

Second, documented ICT risk controls should cover cybersecurity, system integrity, access management, incident response and change management as an integrated framework rather than a collection of standalone policies. Third, transparency over the sub-outsourcing structure is essential: visibility into cloud infrastructure, connectivity providers and critical technology dependencies is a prerequisite for any comprehensive risk assessment.

Fourth, incident reporting protocols must be defined and tested. DORA imposes specific timelines and escalation pathways for ICT-related incidents, and these need to be embedded in service agreements, not retrofitted after the fact. Fifth, business continuity and disaster recovery must be demonstrable through scenario testing and documented failover procedures — not simply asserted. And sixth, service agreements themselves must reflect DORA’s contractual requirements, including audit rights, access to information and defined termination mechanisms.

A compliant outsourced treasury arrangement is one where governance, resilience and regulatory accountability are built into the operating model — not layered on as a compliance exercise.

The Regulatory Advantage of a Supervised Provider

As an entity regulated by the Central Bank of Ireland, FTI Treasury operates under active supervisory expectations in relation to governance, operational risk and resilience. This is relevant to the DORA discussion for reasons that go beyond positioning.

Regulatory alignment is already embedded in the operating model: the infrastructure, processes and controls maintained by FTI Treasury are designed to meet supervisory standards consistent with DORA’s principles. ICT risk management is governed within a formal compliance architecture, not managed on an ad hoc basis. And engagement with the regulatory community ensures that interpretation of evolving requirements is grounded in supervisory dialogue rather than theoretical commentary.

For treasury teams within regulated groups, this means that partnering with a provider already operating under regulatory oversight materially simplifies the DORA implementation process. The due diligence burden is reduced. Contractual alignment is more straightforward. And the governance documentation required by senior management is more readily available.

Practical Steps for Treasury Leaders

Treasury leaders should proactively assess their operating model against DORA’s requirements rather than waiting for formal supervisory review. The starting point is a clear mapping of all ICT dependencies within treasury operations, followed by a structured classification of which functions are critical or important from a regulatory standpoint.
From there, it is worth reviewing contractual protections with existing providers — with specific attention to audit rights, access provisions and exit strategies. Concentration risk across service providers should also be assessed; over-reliance on a single vendor creates resilience vulnerabilities that regulators are increasingly focused on. And business continuity arrangements should be stress-tested rather than simply documented.

DORA is not a one-off compliance exercise. It establishes a continuous framework of monitoring and governance evolution. Treasury leaders who engage with it now — at the level of operating model design rather than documentation compliance alone — will be better positioned as supervisory expectations continue to develop across the European financial system.

A Structural Shift in How Treasury Outsourcing Is Evaluated

DORA represents more than a new compliance obligation. It signals a structural shift in how third-party risk and operational resilience are assessed across the financial system — and that shift is reaching into treasury functions that have historically operated with limited regulatory visibility.
The practical consequence is that the selection of a treasury outsourcing provider is now a strategic risk decision, not merely a commercial or operational one. Providers will increasingly be evaluated not only on cost efficiency and technical capability, but on the robustness of their regulatory frameworks and the maturity of their resilience architecture.

In this environment, experience operating within a regulated supervisory framework is not a marketing differentiator. It is a structural advantage — one that reduces implementation complexity, supports governance accountability and provides regulators with the transparency they require.

Conclusion

The entry into force of DORA in January 2025 marks a new chapter in digital operational resilience across the European financial system. Treasury functions — particularly those delivered through outsourced models — sit squarely within its scope when supporting regulated entities. The regulatory message is clear: operational resilience is not optional, accountability cannot be outsourced, and governance must be demonstrable.
As a regulated entity supervised by the Central Bank of Ireland, FTI Treasury is positioned to support treasury teams navigating this evolving landscape — combining institutional-grade operational infrastructure with regulatory-aligned governance and a direct understanding of supervisory expectations.
In a post-DORA environment, treasury outsourcing must deliver not only efficiency, but resilience, transparency and regulatory confidence. The providers best equipped to do that are those already operating within the frameworks DORA is designed to reinforce.

To discuss how DORA affects your outsourced treasury model, contact FTI Treasury at ftitreasury.com