
DORA and VDRs: What Changes for M&A Lawyers

Discover the concrete obligations for those managing due diligence processes and how a certified VDR ensures compliance.

8 April 2026, 5 minute read

If you manage M&A operations or due diligence processes in the financial sector, January 17, 2025 marked a paradigm shift. From that date, Regulation (EU) 2022/2554, known as DORA (Digital Operational Resilience Act), became fully applicable, bringing with it concrete obligations, not just abstract principles.

This guide answers a specific question: what changes, in practical terms, for those handling confidential document flows during due diligence processes? And how does a Virtual Data Room (VDR) become a compliance tool, rather than simply an organizational one?

What is DORA?

DORA is the European regulation requiring the financial sector — banks, insurance companies, asset management firms, funds, payment institutions, intermediaries, and their ICT providers — to manage risks related to digital systems in a documented, tested, and continuous way.

It is not a recommendation: it is a directly applicable obligation in all 27 EU Member States, with no need for national transposition (although Italy issued its implementing Legislative Decree, published in the Official Gazette No. 58 of March 11, 2025).

The key point for M&A lawyers is this: DORA also applies to third-party ICT service providers performing critical functions for financial entities. This includes platforms used to share confidential documents during due diligence processes.

Who is subject to DORA: the full list

Article 2 of the Regulation identifies more than twenty categories of entities subject to its provisions. Among the most relevant for the M&A and legal world are:

  • credit institutions (banks);

  • payment institutions and electronic money institutions;

  • investment firms;

  • managers of alternative investment funds (AIFs) and UCITS;

  • insurance and reinsurance undertakings;

  • credit rating agencies;

  • crypto-asset service providers;

  • statutory auditors and audit firms;

  • third-party ICT providers delivering critical services to any of the entities listed above.

If your law firm or your client falls within one of these categories, or if you use digital tools to manage their due diligence processes, DORA concerns you directly.

“Is a law firm subject to DORA?”

Not directly, unless it provides critical ICT services to regulated financial entities. However, if you manage a due diligence process on behalf of a fund or a bank, the platforms you use must comply with the requirements that DORA imposes on your clients.

The five pillars of DORA: what changes operationally

Pillar I. ICT risk management with accountability at board level

DORA radically redefines governance: responsibility for ICT risk management cannot be delegated away. The management body (Board of Directors) must “define, approve, oversee and be responsible for” all strategies related to technological risk. In practice, the CFO or CRO can no longer simply pass the issue to IT: they must demonstrate active oversight.

For those managing due diligence processes, this means that the document-sharing platforms being used must be assessed, selected, and monitored within this governance framework.

Pillar II. ICT incident management

The new European Regulation introduces precise deadlines for incident handling and reporting:

  • initial notification to the competent authority within 4 hours from classification of the incident as “major”;

  • intermediate report within 72 hours;

  • final report within one month.

For M&A lawyers, this means that any data breach occurring on platforms used during due diligence may trigger regulatory notification obligations for the client financial entity. The VDR must therefore generate detailed and immediately accessible audit logs.

Pillar III. Digital operational resilience testing

Financial entities must carry out periodic testing of their ICT systems, including penetration testing (TLPT, Threat-Led Penetration Testing) for the most significant entities.

For providers of digital services used in due diligence processes, this implies the need to demonstrate that their infrastructures are subject to documented security testing.

Pillar IV. ICT third-party risk management

DORA requires financial entities to:

  • conduct rigorous due diligence on each ICT provider before onboarding;

  • maintain an updated register of all contractual arrangements with ICT providers;

  • negotiate contracts including specific clauses on audit rights, resilience, and exit strategies;

  • apply flow-down clauses where the provider relies on subcontractors (for example, a cloud provider outsourcing disaster recovery);

  • report annually to authorities the number of new ICT contracts entered into.

In practical terms, if a fund or a bank uses a VDR for its due diligence process, that VDR is considered an ICT provider. The contract with the VDR must comply with DORA’s contractual requirements. In the event of a breach, liability falls on the financial entity, not on the provider.

Pillar V. Threat intelligence sharing

DORA establishes a framework, on a voluntary basis, for the sharing of cyber threat intelligence among financial entities. For due diligence, this is less directly relevant, but it does imply that the platforms used must allow for the extraction and sharing of security logs in standardized formats.

The role of the VDR in DORA compliance

A Virtual Data Room becomes a critical infrastructure component for managing documents in an ICT compliance framework. This is why choosing the right VDR is not just an operational detail.

What a VDR must guarantee to be DORA-compatible

  • Complete and verifiable audit trail: every access, download, print, and modification must be tracked with RFC 3161 timestamps and SHA-256 hashes to ensure the forensic integrity of the log.

  • Dynamic watermarking: documents must display the viewer’s identity, making any leak traceable.

  • Granular permissions by folder and document: access management must be documented and revocable in real time.

  • Certified export (Deal Binder): at the end of the due diligence process, the documentation package must be exportable in an offline verifiable format, with an integrity manifest.

  • GDPR compliance: the processing of personal data contained in the documents must comply with Regulation (EU) 2016/679, with options for export, deletion, and consent management.

  • Infrastructure with certified SLAs: guaranteed uptime, EU-based data centers, end-to-end encryption.
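The audit-trail and integrity-manifest requirements above, as an added example (not SimpleVDR's code or any format DORA prescribes): a hash-chained SHA-256 audit log and an offline check of a deal-binder manifest. The RFC 3161 timestamp is replaced by a constructed UTC string so the example runs offline.

```python
"""Added example (not SimpleVDR's code): a hash-chained VDR audit trail and an
offline-verifiable export manifest, the two integrity properties listed above.
Assumed: an RFC 3161 timestamp from a TSA would be used in production; here the
timestamp field is a constructed UTC string so the example runs offline."""
import hashlib
import json
from typing import Dict, List

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def append_event(chain: List[Dict], actor: str, action: str, doc: str, ts: str) -> Dict:
    """Append one audit event. Each entry hashes its own fields plus the previous
    entry's hash, so editing or deleting any earlier line breaks every later hash."""
    prev = chain[-1]["hash"] if chain else "0" * 64
    body = {"ts": ts, "actor": actor, "action": action, "doc": doc, "prev": prev}
    entry = dict(body, hash=_sha256(json.dumps(body, sort_keys=True).encode()))
    chain.append(entry)
    return entry

def verify_chain(chain: List[Dict]) -> bool:
    """Recompute every hash from the entry fields and the previous hash."""
    prev = "0" * 64
    for e in chain:
        body = {k: e[k] for k in ("ts", "actor", "action", "doc")}
        body["prev"] = prev
        if e["prev"] != prev or e["hash"] != _sha256(json.dumps(body, sort_keys=True).encode()):
            return False
        prev = e["hash"]
    return True

def build_manifest(files: Dict[str, bytes], chain: List[Dict]) -> Dict:
    """Deal-binder manifest: per-file SHA-256 digests plus the audit chain head."""
    return {"files": {n: _sha256(c) for n, c in files.items()},
            "audit_head": chain[-1]["hash"] if chain else None}

def verify_export(files: Dict[str, bytes], chain: List[Dict], manifest: Dict) -> bool:
    """Offline check: file set and digests match, the chain is intact, and its
    head is the one sealed in the manifest (so trailing events cannot be dropped)."""
    digests = {n: _sha256(c) for n, c in files.items()}
    head = chain[-1]["hash"] if chain else None
    return digests == manifest["files"] and verify_chain(chain) and head == manifest["audit_head"]

# Constructed sample data for a two-document due diligence room.
DOCS = {"SPA_draft_v3.pdf": b"share purchase agreement draft", "NDA.pdf": b"nda text"}
AUDIT: List[Dict] = []
append_event(AUDIT, "buyer.counsel@example.test", "view", "NDA.pdf", "2025-06-01T09:00:00Z")
append_event(AUDIT, "buyer.counsel@example.test", "download", "SPA_draft_v3.pdf", "2025-06-01T09:05:00Z")
MANIFEST = build_manifest(DOCS, AUDIT)
```

A real deployment would sign the manifest and anchor each chain head with a TSA token; this block only shows why a tampered, truncated, or altered export fails verification.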

SimpleVDR meets these requirements natively: audit trail with SHA-256 hashing, dynamic watermarking, certified export with digital signature and offline verification through SVDR-Check, GDPR-ready compliance, and European data centers. Setup in less than 60 seconds.

Sanctions: why compliance is not optional

The sanctioning regime under DORA, detailed in the Italian implementing Legislative Decree (March 2025), distinguishes between:

  • serious violations (governance, management of critical providers, failure to report incidents): fines of up to 10% of the entity’s total annual turnover;

  • less serious violations (operational failures, delays in non-critical notifications): fines of up to 7% of annual turnover;

  • “critical” ICT providers designated by the European Commission: periodic penalties of up to 1% of average worldwide daily turnover for each day of non-compliance.

For audit firms included within the scope of the Regulation, non-compliance may even lead to market exclusion. These are not theoretical risks: the European supervisory authorities (EBA, EIOPA, ESMA) have already launched their supervisory activities.

The Digital Operational Resilience Act is not a bureaucratic requirement intended only for bank compliance departments. It is an operational framework that reshapes how legal and financial professionals must approach document management in extraordinary transactions.

The choice of Virtual Data Room, the structure of contracts with ICT providers, and the ability to produce verifiable evidence are now all part of the professional diligence required.

SimpleVDR was designed with these requirements in mind: certifiable audit trail, defensible watermarking, offline verifiable export, and native GDPR compliance. Simple tools for complex obligations.
