DORA and iGaming: How the EU Digital Operational Resilience Act Affects Licensed Operators

What DORA Requires

DORA establishes five pillars of digital operational resilience that all in-scope entities must implement:

• 1. ICT Risk Management: A documented ICT risk framework, board-approved, with defined risk appetite
• 2. ICT Incident Management: Classification, reporting and root-cause analysis of all ICT incidents
• 3. Digital Operational Resilience Testing: Annual testing including vulnerability assessments and — for significant operators — threat-led penetration testing (TLPT)
• 4. Third-Party ICT Risk Management: Contractual requirements for all critical ICT providers, with ongoing monitoring
• 5. Information Sharing: Participation in threat intelligence sharing arrangements

Which iGaming Operators Are in Scope

DORA applies to financial entities operating in the EU. iGaming operators are brought into scope through their payment processing activities (which classify as financial services), their use of EU-regulated payment providers, and — for those holding both MGA and EU financial licences — direct financial sector classification. If you serve EU players and process payments, DORA applies to you.

The Third-Party Obligation: What You Must Demand From Your Vendors

The most impactful DORA requirement for iGaming operators is third-party ICT risk management. Every critical vendor — your CRM, your PAM, your payment processor, your game content providers — must now contractually commit to specific resilience standards. You must monitor their compliance continuously, not just at contract signing. The Fast Track breach demonstrated exactly why this matters: a certified vendor failed, and the operators who used them bore the regulatory consequences.

• Contractual security standards for all critical ICT providers
• Right to audit your critical vendors
• Incident notification obligations for vendors
• Exit strategies if a critical vendor fails
• Concentration risk assessment (too much dependency on one vendor)

How Panorays Automates DORA Third-Party Compliance

Panorays was built specifically for the challenge DORA codifies: continuous, automated assessment of your entire vendor ecosystem. It monitors all your critical ICT providers in real time, flags new vulnerabilities and configuration changes, and produces the audit-ready reports that DORA requires. One platform replaces the manual questionnaire process that takes months and is out of date the moment it's complete.

Frequently Asked Questions