
DORA and small firms: where to start?

Image: a computer keyboard with a locked padlock, lit by coloured lights, evoking digital security.

DORA has been in force since January 2025. You are a broker with 2 to 10 staff. You are covered, but the regime is simplified. Here is what you actually need to do.

On 17 January 2025, the DORA regulation (Digital Operational Resilience Act) came into force. Its purpose is to strengthen the digital resilience of the European financial sector: banks, insurers and fund managers, but also insurance and credit intermediaries.

When a broker hears "digital resilience", "ICT risk management" and "penetration testing", the natural reaction is to wonder whether any of this really applies. The short answer: yes, but with a regime adapted to your size.

Are you covered?

The FSMA has published dedicated educational documentation to clarify the matter. The regulation applies to all insurance, reinsurance and ancillary intermediaries registered with the FSMA.

However, obligations vary considerably depending on company size. Firms with fewer than 250 employees and turnover below 50 million euros benefit from a simplified regime. This covers virtually all brokerage firms in Belgium.

What you actually need to do

Five actions that directly concern a firm of 2 to 10 people.

1. Identify your critical ICT providers. List all the software and cloud services you use daily: Portima, your CRM, your email, your e-signature solution, your web host. This is your ICT provider register.

2. Check your contracts. Each critical ICT provider should have a contract mentioning service levels, data location and termination conditions.

3. Implement basic security. Two-factor authentication on sensitive accounts. Regular backups. Unique and complex passwords. An up-to-date antivirus. BZB-Fedafin offers a cybersecurity guide for SMEs in its sector library.

4. Know how to react to an incident. DORA requires you to notify the FSMA of a major incident within 24 hours, with an interim report within 72 hours. Prepare a simple document with contacts, procedure and responsibilities.

5. Document everything. A shared file with the list of your providers, your security measures and your incident procedure is sufficient for a small firm.

The trap of ten tools

Many brokers use a stack of tools: a CRM on one side, comparison software on another, a separate emailing tool, a different web host. Each added tool is an additional ICT provider to audit, a contract to check, an extra risk surface.

The principle behind DORA is clear: the fewer critical providers you have, the lower your exposure. An integrated ecosystem covering multiple functions necessarily reduces the number of contracts to manage.

That is one of the reasons we designed the NextMove ecosystem as an integrated platform: a single provider for your website, newsletter and satisfaction measurement. One line in your DORA register instead of three.

Sanctions exist

DORA provides for sanctions of up to 2% of annual worldwide turnover or 10 million euros. For a small firm, the main risk is more indirect: professional liability and cyber insurers now include DORA in their underwriting questionnaires. Non-compliance can lead to exclusions, surcharges or sub-limits.

No panic, just method

Five actions, a shared file, and the certainty of knowing who to call when things go wrong. That is within reach of every firm. And it is the minimum for sleeping soundly.
