DORA-DUAL USE-Scope 3

The Digital Operational Resilience Act (DORA)

15 min read

WHAT IS DORA?

The Digital Operational Resilience Act (DORA) marks a fundamental shift in how financial institutions approach risk, moving from traditional compliance frameworks toward a model centered on operational resilience. It applies not only to EU-based financial entities but also to organizations operating in or providing ICT services to the EU financial ecosystem, including those based in Türkiye, and introduces a unified regulatory framework designed to ensure that institutions can withstand, respond to, and recover from ICT-related disruptions. DORA has applied since January 17, 2025, so organizations are expected to have already assessed their readiness and addressed critical gaps. For many, however, DORA is not merely a deadline-driven exercise but an ongoing transformation.


At its core, DORA focuses on five key pillars:

  • ICT risk management

  • Incident reporting

  • Digital operational resilience testing

  • Third-party risk management

  • Information sharing

One of the most challenging aspects for organizations is third-party dependency risk. Financial institutions increasingly rely on external ICT providers, including cloud service providers. Under DORA, these relationships are subject to strict oversight, requiring detailed contractual arrangements, a maintained register of all ICT third-party arrangements, and continuous monitoring.

Another critical requirement is resilience testing, including advanced threat-led penetration testing (TLPT). Financial entities identified by their competent authority must undergo TLPT at least every three years, covering the live production systems that support critical or important functions. This shifts organizations from passive compliance to actively stress-testing their systems against realistic cyber threats.

DORA also introduces stringent incident reporting obligations, requiring firms to classify and report major ICT-related incidents within tight timelines: an initial notification within four hours of classifying an incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month. Meeting these deadlines requires the integration of legal, compliance, and IT functions in ways that many organizations are not yet structurally prepared for.


Dual-Use Technologies & DORA: A New Layer of Risk

Beyond its direct regulatory requirements, DORA intersects with a growing concern in compliance: dual-use technologies. Dual-use technologies, meaning those that can be used for both civilian and military purposes, are becoming increasingly relevant in financial and technological ecosystems. They include advanced software, AI systems, encryption technologies, and data analytics tools.

From a DORA perspective, the use of such technologies introduces additional layers of risk classification and regulatory scrutiny. Organizations must ensure that these tools are not only secure but also compliant with export control regulations and sanctions regimes.

This creates a convergence between operational resilience and geopolitical compliance. For example, a technology provider supporting a financial institution may inadvertently expose the institution to sanctions risk if its tools are linked to restricted jurisdictions or entities. Organizations should therefore adopt an integrated compliance approach that considers:

  • Export control regulations

  • Sanctions screening

  • ICT risk governance

  • Vendor due diligence

In practice, this means that DORA compliance cannot be treated in isolation. It must be embedded within a broader compliance architecture that accounts for geopolitical risks and emerging technologies.

Final Note:

DORA is not just a regulatory obligation—it is a structural shift. Institutions that approach it strategically will not only achieve compliance but also gain a competitive advantage in resilience, trust, and long-term sustainability.


Dual-Use Export Controls: Expanding the Compliance Lens

Building on the earlier discussion of dual-use technologies, it is critical to understand that compliance obligations extend far beyond internal risk management. The European Union's dual-use export control regime, set out in Regulation (EU) 2021/821, introduces a structured legal framework that directly impacts how organizations develop, transfer, and commercialize sensitive technologies.

At its core, dual-use regulation applies to items—including software and technology—that can be used for both civilian and military purposes. However, the scope is broader than many assume. It covers not only physical exports but also intangible transfers, such as:

  • Cloud-based access to controlled software

  • Technical assistance provided remotely

  • Email or digital file transfers containing sensitive data

This means that even routine cross-border collaboration can trigger export control obligations.

A key concept introduced by EU regulation is the “catch-all” control mechanism. Under this principle, even if an item is not explicitly listed as controlled, it may still require authorization if there is knowledge—or reasonable suspicion—that it could be used in connection with:

  • Weapons of mass destruction

  • Military end-use in embargoed destinations

  • Human rights violations, including surveillance misuse

For compliance teams, this creates a significant burden: decision-making must incorporate not only legal classification but also contextual risk assessment.

Another critical area is end-user and end-use verification. Exporters are required to conduct due diligence to ensure that the recipient of a dual-use item is legitimate and that the intended use aligns with regulatory expectations. This includes screening against sanctions lists, verifying ownership structures, and identifying potential diversion risks.

The EU framework also emphasizes internal compliance programs (ICPs). Organizations are expected to implement structured procedures covering classification, licensing, employee training, and audit mechanisms. In practice, regulators increasingly view the absence of a robust ICP as a compliance failure in itself.

From a strategic perspective, dual-use regulation is no longer a niche legal issue. It intersects directly with:

  • Sanctions compliance

  • Cybersecurity governance

  • Supply chain transparency

  • Geopolitical risk management

For companies operating in or with the EU, particularly in sectors such as fintech, AI, and advanced manufacturing, dual-use compliance is becoming a core component of corporate risk architecture.


Scope 3 Emissions and Exemptions: Critical Points for Companies

Scope 3 emissions refer to all indirect greenhouse gas emissions that occur outside of a company's direct control but are linked to its operations. These emissions cover both upstream and downstream stages of the value chain and generally constitute the largest portion of the total carbon footprint.

While Scope 1 and Scope 2 emissions stem directly from operations and energy use, Scope 3 encompasses a much broader area. These include:

  • Supply chain emissions

  • Product use stage

  • Logistics and distribution activities

  • Business travel and employee transportation

  • Waste management

However, in practice, measuring and reporting Scope 3 emissions is quite challenging. Therefore, both international standards and regulatory frameworks provide for certain exemptions and flexibilities.

Exemptions and Flexibility Areas

Firstly, many regulations adopt a phased compliance approach for Scope 3. Instead of requiring companies to submit complete data across all categories, they are asked to report emissions with the highest materiality.

This includes:

• Allowing estimated calculations where primary data cannot be obtained

• Limiting reporting obligations for small and medium-sized enterprises (SMEs)

• Permitting voluntary rather than mandatory reporting in the initial years


The European Union's Carbon Border Adjustment Mechanism (CBAM) has introduced new obligations, particularly for companies exporting to the EU in sectors such as cement, steel, and aluminum.

Under this mechanism:

• The focus is on the direct embedded emissions of imported goods (broadly Scope 1), with indirect electricity emissions counted for certain product categories such as cement and fertilisers

• It is widely expected that the mechanism's coverage of emissions will broaden over time, which would pull more of the value chain (and thus Scope 3-type emissions) into scope

This creates a significant risk area for Turkish exporting companies. Firms trading with the EU, in particular, will also have to monitor their indirect emissions.

Financial Reporting and Audit Aspects

Under the standards issued by Türkiye's Public Oversight, Accounting and Auditing Standards Authority (KGK), which are aligned with the ISSB's IFRS S1 and S2, and under international standards more broadly, sustainability reporting is increasingly integrated with financial reporting.

In this context:

• Scope 3 emissions directly affect a company's climate risks and long-term costs.

• Transparency and comparability have become critical for investors.

• Incomplete or inaccurate reporting can create reputational and regulatory risks.

Strategic Assessment

While Scope 3 emissions may initially appear as an obligation, when managed correctly, they can create a competitive advantage for companies. Specifically, they can trigger transformation in areas such as:

• Supply chain optimization

• Energy efficiency

• Low-carbon product development

In conclusion, Scope 3 emissions and related exemptions directly impact not only the environmental but also the commercial and strategic positions of companies. Therefore, companies should treat this area as a long-term transformation opportunity, rather than simply aiming for minimum compliance.