DORA in M&A: Why Operational Resilience Is the New Due Diligence Frontier
The Hidden Liability
In January 2025, DORA became applicable to all financial entities in the EU. Since that date, every European financial institution must comply with DORA's requirements for ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing.
When a financial institution acquires another, it acquires the target's DORA compliance posture — or lack thereof. The acquirer inherits:
- Legacy ICT systems that may not meet Art. 7 reliability requirements
- Unpatched vulnerabilities that violate Art. 9 protection requirements
- Incomplete asset registers that fail Art. 8 identification requirements
- Third-party contracts without Art. 30 provisions, creating immediate compliance gaps
- Testing gaps where critical functions have not been tested per Art. 24-27
- Incident management processes that may not meet Art. 17-23 requirements
Each of these gaps is a compliance liability that becomes the acquirer's responsibility on day one of closing. Unlike financial liabilities, which can be quantified in advance, ICT risk liabilities are often discovered during integration — when it is too late to adjust the deal terms.
Why M&A Due Diligence Must Now Include DORA
The Regulatory Pressure
Supervisory authorities review M&A transactions involving regulated financial entities. The ECB (for significant institutions under SSM) and national competent authorities assess whether the combined entity will meet regulatory requirements — including DORA.
A supervisor examining a proposed acquisition will ask:
- "What is the target's DORA compliance status?"
- "What ICT risks does the target bring to the combined entity?"
- "What is the integration plan for harmonizing ICT risk management frameworks?"
- "What is the cost and timeline to bring the target into compliance?"
If the acquirer cannot answer these questions, the supervisory approval process may be delayed or conditioned on specific remediation commitments.
The Valuation Impact
ICT risk has become a material factor in M&A valuation. Significant DORA compliance gaps discovered during due diligence can reduce deal value by 5-15%:
| DORA Gap Category | Remediation Cost Range | Valuation Impact |
|---|---|---|
| Legacy system modernization (Art. 7) | EUR 5-50 million | 3-8% of deal value for mid-sized institutions |
| Third-party contract remediation (Art. 30) | EUR 1-5 million | 1-2% (legal costs + renegotiation) |
| Testing programme build (Art. 24-27) | EUR 2-10 million | 1-3% (tools, team, execution) |
| Incident management implementation (Art. 17-23) | EUR 1-5 million | 0.5-1.5% |
| Register of information completion (Art. 28) | EUR 0.5-2 million | 0.5-1% |
These costs are additive. A target with significant gaps across multiple areas can face a cumulative valuation impact of 10-15% — millions to hundreds of millions of euros depending on institution size.
The Resilience Due Diligence Checklist
Pillar I: ICT Risk Management (Art. 5-16)
Key questions:
- Does the target have a documented, board-approved ICT risk management framework?
- Is the ICT asset register complete, accurate, and dependency-mapped?
- Has a BIA been conducted with validated RTOs and RPOs?
- What is the current vulnerability posture? How many critical vulnerabilities are unpatched?
- What is the change management maturity?
Pillar II: Incident Management (Art. 17-23)
Key questions:
- Does the target have a documented incident classification process aligned with DORA criteria?
- How many ICT incidents occurred in the past 24 months? What was the severity distribution?
- Has the target ever filed an Art. 19 major incident notification?
- What is the mean time to detect (MTTD) and mean time to resolve (MTTR)?
Red flags: No documented incident process; incident records showing recurring root causes; MTTD > 24 hours for any incident affecting critical functions.
Pillar III: Resilience Testing (Art. 24-27)
Key questions:
- Does the target have a documented testing programme?
- Which critical functions have been tested in the past 12 months?
- What were the results? Were findings remediated?
- Has the target conducted or been subject to TLPT?
Red flags: No testing programme; critical functions untested > 12 months; findings unremediated > 6 months.
Pillar IV: Third-Party Risk (Art. 28-44)
Key questions:
- Does the target maintain a register of information per Art. 28(3)?
- How many ICT third-party providers support critical functions?
- Do contracts include Art. 30 provisions?
- What is the concentration risk?
- Are exit strategies documented for critical vendors?
Red flags: No register of information; critical vendor contracts without Art. 30 provisions; single-vendor dependency for critical functions without exit strategy.
Pillar V: Information Sharing (Art. 45-49)
Key questions:
- Does the target participate in information sharing arrangements?
- What threat intelligence feeds and ISAC memberships are in place?
Cross-Cutting: Technology Estate Assessment
Beyond DORA-specific requirements, M&A due diligence must assess the technology estate that will need to be integrated:
| Assessment Area | Key Question | Integration Risk |
|---|---|---|
| Technology stack diversity | How different are the acquirer's and target's technology stacks? | High diversity = long, expensive integration |
| Technical debt | How much undocumented, unmaintained code is in production? | High debt = hidden reliability and security risk |
| Skills availability | Are key systems maintained by a small number of irreplaceable individuals? | Key-person dependency = operational risk |
| End-of-life systems | How many systems are running on unsupported software? | Unsupported systems = unpatched vulnerabilities |
| Data architecture | Can customer and transaction data be migrated or integrated? | Incompatible data models = costly migration |
Integration Planning Under DORA
Day-One Compliance
On the closing date, the combined entity must comply with DORA. This creates a day-one compliance challenge: the acquirer's DORA framework must extend to cover the target's operations, or the target's framework must be maintained in parallel until integration.
Day-one priorities:
- Unified incident reporting process (so that incidents at the target entity are reported through the acquirer's Art. 17-19 process)
- Merged register of information (Art. 28(3) requires the combined entity's full third-party landscape)
- Extended risk management framework (Art. 5-6 applies to the combined entity's operations)
Integration Timeline
Full DORA integration for a mid-sized acquisition typically requires 12-18 months:
- Months 1-3: Unified governance, incident reporting, board reporting
- Months 4-6: Asset register consolidation, third-party contract remediation
- Months 7-12: Technology integration, testing programme alignment, BCP harmonization
- Months 13-18: Full operational integration, consolidated testing, optimized vendor portfolio
The M&A DORA Scorecard
Quantify the target's DORA posture with a scorecard:
| Domain | Score (0-10) | Weight | Weighted Score |
|---|---|---|---|
| ICT risk framework maturity | ___ | 15% | ___ |
| Asset register completeness | ___ | 10% | ___ |
| Vulnerability management | ___ | 15% | ___ |
| Incident management capability | ___ | 15% | ___ |
| Testing programme maturity | ___ | 15% | ___ |
| Third-party risk management | ___ | 15% | ___ |
| Technology estate health | ___ | 15% | ___ |
| Total | 100% | ___/10 |
Score interpretation:
- 8-10: Strong DORA posture. Minimal remediation required. Standard integration.
- 5-7: Moderate gaps. Remediation budget of 2-5% of deal value. Extended integration timeline.
- 3-4: Significant gaps. Remediation budget of 5-10% of deal value. Day-one risks.
- 0-2: Critical gaps. Deal may need restructuring. Supervisory concerns likely.
Key Takeaways
- DORA compliance is now a material M&A due diligence factor. Acquirers inherit the target's ICT risk profile on day one.
- Significant compliance gaps can reduce deal value by 5-15% through remediation costs, integration complexity, and supervisory conditions.
- The resilience due diligence checklist must cover all five DORA pillars plus the technology estate assessment.
- Day-one compliance requires immediate extension of the acquirer's framework, unified incident reporting, and merged registers of information.
- Full DORA integration requires 12-18 months for a mid-sized acquisition, with phased milestones across governance, technology, and operations.
- Supervisors will ask about the target's DORA posture during the M&A approval process. Preparation reduces approval risk and timeline.
Resume en francais
Depuis l'entree en vigueur de DORA en janvier 2025, la conformite a la resilience operationnelle est devenue un facteur materiel de due diligence dans les fusions-acquisitions. L'acquereur herite du profil de risque TIC de la cible le jour de la cloture : systemes heritage, vulnerabilites, dependances tiers et lacunes de conformite. Des ecarts significatifs peuvent reduire la valeur d'une transaction de 5 a 15 % en couts de remediation. La checklist de due diligence resilience doit couvrir les cinq piliers de DORA : cadre de gestion des risques TIC (Art. 5-16), capacite de gestion des incidents (Art. 17-23), maturite du programme de tests (Art. 24-27), gestion des risques tiers (Art. 28-44) et arrangements de partage d'information (Art. 45-49), plus l'evaluation de l'etat technologique (dette technique, systemes en fin de vie, dependance a des personnes cles). La conformite jour-un exige l'extension immediate du cadre de l'acquereur, un reporting d'incidents unifie et des registres d'information fusionnes. L'integration DORA complete necessite 12 a 18 mois pour une acquisition de taille moyenne. Les superviseurs examineront la posture DORA de la cible lors du processus d'approbation.