DORA operational resilience for central counterparties, central securities depositories and trading venues, built for systemic markets where outages are measured in minutes.
Central counterparties, central securities depositories and trading venues are explicitly listed as financial entities under DORA (Regulation (EU) 2022/2554), with CCPs named in Article 2(1)(g), CSDs in Article 2(1)(h) and trading venues in Article 2(1)(i). The same digital operational resilience rules that apply to banks and investment firms therefore apply to the institutions that clear, settle and match the bulk of European financial transactions. DORA has applied since 17 January 2025, and for these infrastructures it sits on top of already demanding sector regimes under EMIR, CSDR and MiFID II.
For market infrastructures this is not a paperwork exercise. CCP clearing and CSD settlement are critical functions whose outage can halt entire markets, and a trading venue's matching engine processes orders continuously with recovery time objectives measured in minutes rather than hours. Most of these entities depend on market-data feeds, connectivity providers, colocation facilities and a small number of specialised technology vendors they do not fully control. DORA forces these operational realities into a governed framework: a board-owned ICT risk strategy, a tested incident response capability, threat-led penetration testing for the most systemically important firms, and contractual control over the third parties that keep clearing, settlement and trading online.
CCPs (DORA Art. 2(1)(g)), CSDs (Art. 2(1)(h)) and trading venues - regulated markets, MTFs and OTFs (Art. 2(1)(i)) - are all DORA financial entities, and each already carries strong sector resilience duties: EMIR requires CCPs to maintain operational reliability and business continuity, CSDR requires CSDs to manage operational risk and maintain continuity arrangements, and MiFID II requires trading venues to ensure systems resilience, sufficient capacity and orderly trading. DORA applies proportionately under Article 4, but proportionality is limited here because these entities are systemically critical: a small CSD or niche trading venue still operates infrastructure whose failure has market-wide consequences, so the digital operational resilience expectations are the highest of any sector and no infrastructure is exempt from the core ICT risk, incident-reporting, testing and third-party rules.
EMIR, CSDR and MiFID II already impose operational-resilience duties on market infrastructures. EMIR Article 34 requires CCPs to maintain business continuity and disaster-recovery arrangements that ensure timely recovery of operations. CSDR Article 45 requires CSDs to identify and manage operational risk and to maintain robust business continuity and disaster recovery. MiFID II Article 48 (operationalised by Commission Delegated Regulation (EU) 2017/584, known as RTS 7) requires trading venues to ensure systems resilience, adequate capacity, tested failover, business continuity and circuit breakers. DORA acts as the cross-sectoral lex specialis that deepens and standardises the ICT dimension of those duties. Rather than running parallel programmes, firms should map their EMIR Art. 34, CSDR Art. 45 and MiFID II Art. 48 / RTS 7 obligations onto DORA's five pillars so a single control set satisfies all the regimes: DORA's ICT risk framework operationalises the existing continuity and operational-risk clauses, and DORA incident reporting feeds the same evidence base competent authorities and colleges already expect. The challenge unique to market infrastructures is meeting these requirements at systemic scale, where recovery time objectives are measured in minutes and any control gap is examined by the ECB, ESCB members and supervisory colleges as well as the national authority.
Because CCPs, CSDs and major trading venues are systemically important, they are the prime candidates for designation into DORA's threat-led penetration testing regime (Articles 26-27). Most market infrastructures should plan on being designated and run the advanced, intelligence-led testing cycle - typically every three years and TIBER-EU aligned - rather than assuming they will fall below the threshold.
A trading venue's matching engine, gateways and market-data dissemination are critical functions whose failure stops the market. DORA's resilience requirements reinforce MiFID II Article 48 and RTS 7: documented capacity headroom for peak and stressed message rates, tested failover, latency and throttling monitoring, and circuit breakers that halt trading in an orderly manner when systems degrade.
Clearing and settlement cannot tolerate extended downtime. DORA's ICT business-continuity and recovery requirements (Articles 11-12) build on EMIR Article 34 and CSDR Article 45: a secondary processing site, recovery time objectives in minutes, documented recovery point objectives, and regular live failover and data-integrity testing of the settlement and margining engines.
Market infrastructures depend on a small number of market-data feeds, network and connectivity providers, colocation facilities and specialised matching or clearing technology vendors. DORA's third-party rules (Articles 28-30) require these to be inventoried in the register of information, risk-assessed for concentration and substitutability, and contractually governed with audit and access rights and tested fallbacks.
For a CCP, novation, margining and default management are critical functions; for a CSD, securities settlement and the maintenance of securities accounts are critical functions. DORA requires each to be identified, mapped to its supporting ICT assets, protected and recovered to demanding objectives, because an outage in any of them halts the market rather than merely inconveniencing one firm.
Resilience evidence for these infrastructures is examined not only by the national authority but by ESMA, the ECB and ESCB members in their oversight of CCPs and CSDs, and by supervisory colleges for systemic entities. DORA reporting and testing outputs must be fit to satisfy this multi-authority, cross-border audience, with consistent evidence across all the regimes in scope.
Yes. CCPs are named in DORA Article 2(1)(g), CSDs in Article 2(1)(h) and trading venues in Article 2(1)(i), so DORA applies in full. Your sector regime gives you market authorisation and sets your operational duties; DORA governs and standardises the ICT and digital operational resilience side of running the infrastructure, and your authority will expect evidence of both.
Treat DORA as the detailed ICT framework that operationalises your existing obligations - EMIR Article 34 business continuity for CCPs, CSDR Article 45 operational risk and continuity for CSDs, and MiFID II Article 48 with RTS 7 systems resilience and capacity for trading venues. Map a single control set to DORA's five pillars and reuse it as evidence across all the regimes rather than building separate programmes.
For most market infrastructures this is near-certain. TLPT under DORA Articles 26-27 applies to entities designated by their authority based on systemic importance and ICT risk profile, and CCPs, CSDs and major trading venues are exactly the systemically critical entities the regime targets. Plan on being designated and running the intelligence-led, roughly three-year, TIBER-EU aligned cycle, while still maintaining the full proportionate testing programme of vulnerability scans, penetration tests and scenario-based resilience tests.
DORA does not set a single fixed number, but it requires recovery objectives proportionate to criticality, and for systemic infrastructures that means recovery measured in minutes. This aligns with EMIR Article 34 and CSDR Article 45 expectations of timely recovery and with MiFID II Article 48 tested failover. Document and regularly test your recovery time and recovery point objectives at a secondary site for the matching, margining and settlement engines.
Yes. Where you depend on them to deliver clearing, settlement or trading, they fall within DORA's third-party rules (Articles 28-30). They must appear in your register of information, be risk-assessed for concentration and substitutability, be backed by tested fallbacks where feasible, and carry audit, access and termination rights in contract. Concentration in a small pool of specialised vendors makes this assessment especially important.
Yes. DORA Articles 31-44 establish an EU oversight framework for ICT providers designated as critical to the financial sector, and the matching, clearing, market-data and connectivity vendors that several infrastructures share are plausible candidates. You should flag any such vendor in your register, monitor its potential designation, and ensure your concentration and exit analysis accounts for a provider whose disruption could affect multiple infrastructures at once.