If your Nairobi-headquartered bank has an EU-regulated subsidiary, provides ICT services (including intra-group services) to an EU financial entity, or sits in a payment corridor whose European counterparties are rewriting their contracts, DORA already reaches you. The Digital Operational Resilience Act has applied since 17 January 2025. It binds EU financial entities directly, but its third-party provisions pull in ICT service providers wherever they are based, and that catches more East African institutions than most boards realise.
DORA compliance requirements for financial institutions in East Africa are no longer theoretical. Kenyan banking groups with EU subsidiaries, pan-African payment processors whose platforms serve European banks and merchants, and Mauritius-based fund administrators supporting EU funds are all exposed. The regulation treats ICT risk as a board-level concern and demands evidence, not assurances.
Who in East Africa Actually Falls Under DORA?
DORA applies directly to EU-regulated financial entities, but its third-party provisions extend obligations to any ICT service provider — wherever based — that serves them. For East African institutions, scope typically triggers through one of four routes:
- EU subsidiaries or branches: Kenyan, Tanzanian, or Ugandan banking groups with EU-regulated operations. The EU entity is itself a DORA financial entity, and ICT services supplied to it from the group's Nairobi hub count as intra-group ICT third-party services under the same rules.
- ICT service provision to EU financial entities: African fintechs, cloud providers, and SaaS vendors serving European banks must meet DORA's third-party risk requirements.
- Cross-border payment and remittance corridors: Operators handling EU-originated flows face contractual cascades from European counterparties.
- Designation as a Critical Third-Party Provider (CTPP): A small but growing category of African tech firms could face direct oversight by the European Supervisory Authorities. A provider established outside the EU that is designated critical must set up an EU subsidiary within 12 months of designation.
If your contracts with European partners are being renegotiated in 2025, expect DORA clauses on incident reporting, audit rights, and exit strategies. Read them carefully before signing.
The Five Pillars You Must Operationalise
DORA is structured around five core requirement areas. Each one needs documented evidence, not just policy statements.
1. ICT Risk Management Framework
Your board must own ICT risk explicitly. This means a documented framework covering identification, protection and prevention, detection, response and recovery, and learning from incidents, broadly aligned with NIST CSF or ISO 27001 structures. The management body must approve the framework and review it periodically, and its members are expected to keep their own ICT risk knowledge current. The Central Bank of Kenya's Guidance Note on Cybersecurity already pushes you in this direction; DORA simply raises the bar on board accountability and evidence.
2. ICT-Related Incident Reporting
Major incidents must be classified and reported to the relevant EU competent authority within tight windows: initial notification within 4 hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), intermediate report within 72 hours of the initial notification, and final report within one month of the intermediate report. Your SOC and incident response runbooks need to handle these timelines, which are stricter than the 72-hour breach notification to the ODPC under the Kenya Data Protection Act. The two regimes also trigger on different things: DORA on an ICT incident meeting its materiality criteria, the Kenya DPA on a personal data breach, so a single event can require both reports on separate clocks.
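The classification decision and the reporting clock are both mechanical enough to encode, which is the easiest way to make them repeatable inside a runbook. The following is an added example, not code from the original article or from any regulator: the criteria are modelled on DORA's regulatory technical standard on incident classification, but the numeric thresholds, the combination rule and the 30-day approximation of "one month" are illustrative assumptions that must be checked against the RTS text and your own client and transaction baselines. The sample incident is constructed.

```python
"""DORA major-incident classification and reporting clock, as rules-as-code.

Added example, not code from the original article. The criteria are modelled
on DORA's regulatory technical standard on incident classification, but the
numeric thresholds and the combination rule below are illustrative
ASSUMPTIONS: confirm them against the RTS text and your own client and
transaction baselines before wiring this into a runbook.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative materiality thresholds (assumed; verify against the RTS).
CLIENT_SHARE_THRESHOLD = 0.10          # share of clients of the affected service
CLIENT_COUNT_THRESHOLD = 100_000
TXN_VALUE_THRESHOLD_EUR = 15_000_000
ECONOMIC_IMPACT_EUR = 100_000
DURATION_HOURS = 24
DOWNTIME_HOURS = 2


@dataclass
class Incident:
    detected_at: datetime
    affects_critical_function: bool     # hits a critical or important function
    clients_affected: int
    clients_total: int                  # clients of the affected service
    txn_value_affected_eur: float
    member_states_affected: int
    duration_hours: float
    downtime_hours: float               # downtime of the critical service
    direct_cost_eur: float
    data_loss: bool                     # any loss of availability, integrity,
                                        # confidentiality or authenticity of data
    reputational_impact: bool           # media coverage, complaints, regulator notice


SECONDARY = ("geographical_spread", "duration_or_downtime",
             "economic_impact", "reputational_impact")


def met_criteria(inc: Incident) -> dict:
    """Evaluate each criterion on its own so the decision is auditable."""
    share = inc.clients_affected / inc.clients_total if inc.clients_total else 0.0
    return {
        "critical_services": inc.affects_critical_function,
        "clients_or_transactions": (share > CLIENT_SHARE_THRESHOLD
                                    or inc.clients_affected > CLIENT_COUNT_THRESHOLD
                                    or inc.txn_value_affected_eur > TXN_VALUE_THRESHOLD_EUR),
        "data_losses": inc.data_loss,
        "geographical_spread": inc.member_states_affected >= 2,
        "duration_or_downtime": (inc.duration_hours > DURATION_HOURS
                                 or inc.downtime_hours > DOWNTIME_HOURS),
        "economic_impact": inc.direct_cost_eur > ECONOMIC_IMPACT_EUR,
        "reputational_impact": inc.reputational_impact,
    }


def is_major(inc: Incident) -> tuple:
    """Assumed combination rule: a critical service must be affected, and then
    either the clients/transactions or the data-losses criterion, or at least
    two of the four secondary criteria. Returns (decision, criteria_met)."""
    c = met_criteria(inc)
    met = [name for name, hit in c.items() if hit]
    if not c["critical_services"]:
        return False, met
    if c["clients_or_transactions"] or c["data_losses"]:
        return True, met
    return sum(c[name] for name in SECONDARY) >= 2, met


def reporting_deadlines(detected_at: datetime, classified_at: datetime) -> dict:
    """Initial notification: 4 h after classification as major, and in any case
    within 24 h of detection. Intermediate: 72 h after the initial notification.
    Final: one month after the intermediate report (approximated as 30 days)."""
    initial = min(classified_at + timedelta(hours=4), detected_at + timedelta(hours=24))
    intermediate = initial + timedelta(hours=72)
    final = intermediate + timedelta(days=30)
    return {"initial": initial, "intermediate": intermediate, "final": final}


# Constructed sample: a card-switch outage with no data loss but two
# secondary criteria met (downtime over 2 h, two member states affected).
SAMPLE = Incident(
    detected_at=datetime(2025, 3, 3, 9, 15, tzinfo=timezone.utc),
    affects_critical_function=True,
    clients_affected=500, clients_total=90_000,
    txn_value_affected_eur=2_000_000,
    member_states_affected=2,
    duration_hours=5, downtime_hours=3,
    direct_cost_eur=40_000,
    data_loss=False, reputational_impact=False,
)

if __name__ == "__main__":
    major, met = is_major(SAMPLE)
    print("major:", major, "criteria met:", met)
    classified = datetime(2025, 3, 3, 10, 0, tzinfo=timezone.utc)
    for stage, due in reporting_deadlines(SAMPLE.detected_at, classified).items():
        print(f"{stage:12s} due {due.isoformat()}")
```

Keeping each criterion as a separately recorded boolean matters more than the thresholds themselves: when an EU counterparty or auditor asks why an event was or was not reported, the answer is the list of criteria met at classification time, not a judgement call reconstructed from memory. The 24-hour cap on the initial notification is the detail most runbooks miss; a slow classification does not buy extra time.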
3. Digital Operational Resilience Testing
Testing of the ICT systems that support critical or important functions at least once a year, including vulnerability assessments and penetration tests, is the floor. Significant institutions must also conduct Threat-Led Penetration Testing (TLPT) at least every three years, modelled on the TIBER-EU framework. TLPT is not a standard pentest: it runs against live production systems, builds its scenarios from threat intelligence on the actors actually targeting your sector, and includes the third-party providers whose ICT services underpin the functions in scope.
4. ICT Third-Party Risk Management
This is where most East African institutions will struggle. DORA demands a register of information covering every contractual arrangement for ICT services (with those supporting critical or important functions flagged), contractual clauses covering audit rights and subcontracting, concentration risk analysis, and documented exit strategies for providers of critical or important functions. If you rely heavily on AWS Cape Town, Azure South Africa, or a single core banking vendor, you need a credible exit plan on paper and evidence that you have exercised it.
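A register that lives in a spreadsheet cannot answer the questions above on demand; a register that is data with checks over it can. The following is an added example, not the article's own code and not DORA's register template: the record layout, the 180-day review cadence and the 50% concentration trigger are assumptions, and the four register entries are constructed. DORA's register of information has a prescribed template with far more fields than the handful used here; the point is the checks, which you would run on every change and before every counterparty audit.

```python
"""Operational checks over an ICT third-party register.

Added example, not the article's own code. The record layout, the 180-day
review policy and the 50% concentration trigger are ASSUMPTIONS; DORA's
register of information follows a prescribed template with far more fields
than the handful used here.
"""
from collections import Counter
from datetime import date

REVIEW_MAX_AGE_DAYS = 180   # assumed internal review cadence
CONCENTRATION_SHARE = 0.5   # assumed: flag a provider carrying >= half of critical services

# Constructed sample register; every entry is fictional.
REGISTER = [
    {"provider": "CoreBankCo",   "service": "core banking",     "critical": True,
     "last_reviewed": date(2023, 9, 1),  "exit_plan_tested": False, "subcontractors_disclosed": True},
    {"provider": "CloudRegionA", "service": "IaaS hosting",     "critical": True,
     "last_reviewed": date(2025, 1, 20), "exit_plan_tested": False, "subcontractors_disclosed": False},
    {"provider": "CloudRegionA", "service": "managed database", "critical": True,
     "last_reviewed": date(2025, 1, 20), "exit_plan_tested": True,  "subcontractors_disclosed": True},
    {"provider": "PayrollSaaS",  "service": "HR payroll",       "critical": False,
     "last_reviewed": date(2024, 6, 1),  "exit_plan_tested": False, "subcontractors_disclosed": True},
]


def _key(entry):
    return f"{entry['provider']}/{entry['service']}"


def stale_entries(register, today, max_age_days=REVIEW_MAX_AGE_DAYS):
    """Entries whose last review is older than the policy allows."""
    return [_key(e) for e in register
            if (today - e["last_reviewed"]).days > max_age_days]


def critical_without_tested_exit(register):
    """Critical services with no exercised exit strategy."""
    return [_key(e) for e in register if e["critical"] and not e["exit_plan_tested"]]


def undisclosed_subcontracting(register):
    """Contracts where the subcontracting chain has not been disclosed."""
    return [_key(e) for e in register if not e["subcontractors_disclosed"]]


def concentration(register):
    """Share of critical services carried by each provider."""
    critical = [e["provider"] for e in register if e["critical"]]
    counts = Counter(critical)
    return {p: n / len(critical) for p, n in counts.items()} if critical else {}


def findings(register, today):
    """The four questions an EU counterparty's auditor will ask first."""
    conc = concentration(register)
    return {
        "stale": stale_entries(register, today),
        "no_tested_exit": critical_without_tested_exit(register),
        "undisclosed_subcontracting": undisclosed_subcontracting(register),
        "concentrated_providers": sorted(p for p, s in conc.items()
                                         if s >= CONCENTRATION_SHARE),
    }


if __name__ == "__main__":
    for name, items in findings(REGISTER, date(2025, 3, 3)).items():
        print(f"{name}: {items}")
```

Run against the constructed register on 3 March 2025, this flags the core banking contract as unreviewed for over a year and a half, two critical services with no exercised exit plan, one hosting contract with an undisclosed subcontracting chain, and CloudRegionA as carrying two thirds of the critical services. Those are exactly the findings a counterparty's DORA questionnaire is designed to surface, so it is better to surface them internally first.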
5. Information and Intelligence Sharing
DORA encourages — though doesn't mandate — participation in threat intelligence sharing arrangements. For African banks, this means engaging with FS-ISAC, the AfricaCERT community, and sector-specific groups tracking actors like the FIN groups and ransomware operators increasingly targeting African financial services.
Where East African Institutions Are Falling Short
From our work with regional banks and payment providers, three gaps appear consistently:
- Third-party registers exist on paper but aren't operational — they're spreadsheets that haven't been updated in 18 months.
- Incident classification logic is missing — teams can detect incidents but can't reliably decide what counts as "major" under DORA's criteria.
- Exit strategies for cloud and core banking providers are aspirational — nobody has tested whether they could actually migrate within stated recovery objectives.
The institutions that will pass DORA scrutiny are not those with the thickest policy binders. They are the ones that can produce a tested incident report, a current third-party register, and evidence of a TLPT exercise on demand.
What to Do in the Next 90 Days
Start with a focused gap assessment against DORA's five pillars, mapped to what you already have under ISO 27001, the CBK Guidance Note, and the Kenya DPA. Prioritise the third-party register and incident reporting workflow — these are the most visible to EU counterparties and the easiest for them to test.
Don't try to build a parallel DORA programme. Extend your existing GRC framework, close the specific gaps, and build evidence as you go.
SecureZaidi helps East African enterprises achieve and maintain compliance. Get in touch.