The Digital Operational Resilience Act (DORA) is a European Union (EU)-wide regulatory framework aimed at enhancing the digital operational resilience of financial service institutions (FSIs) operating within the EU. It requires that these entities can withstand, respond to, and recover from all types of Information and Communication Technologies (ICT)-related disruptions and threats. DORA applies to a wide range of financial entities that have operations within the EU, as well as to ICT third-party service providers to such financial entities, with designated critical ICT third-party service providers subject to direct oversight. The regulation entered into force on January 16, 2023 and applies from January 17, 2025.
In recognizing Genesys' role as an ICT third-party service provider of potentially critical services, we understand that achieving compliance with DORA is about empowering and supporting our financial services customers and partners to meet their regulatory obligations, while strengthening their resilience. Within this shared responsibility model, our goal is to offer clarity on our approach and to demonstrate how we maintain the continuity and security of our services.
At Genesys, our commitment to compliance began early, with the establishment of a regulatory task force. This cross-functional team, supported by executive sponsorship, is charged with overseeing regulatory developments and ensuring the implementation of all necessary controls across our organization. The task force ensures that our operational practices remain consistent with the requirements of applicable regulations, including DORA, as they evolve, facilitating our customers’ and partners’ journeys toward compliance.
Genesys operates under a robust security and compliance framework, continuously validated through independent third-party attestations. These attestations serve to reinforce the security, privacy, and resilience of our solutions. Understanding the complexities that financial institutions face in meeting their regulatory requirements, Genesys has a dedicated Contact Center as a Service (CCaaS) Center of Excellence (COE), composed of security, privacy, and compliance professionals, who provide structured guidance through close collaboration with various business units and stakeholders. Genesys has also developed a Financial Services Addendum (FSA) tailored specifically to address the compliance needs of our in-scope financial services customers and partners, including those involved through vendor arrangements.
For those seeking deeper engagement or tailored guidance, Genesys encourages its customers and partners to reach out to their designated account executive or customer success manager to connect with our COE. Our experts are prepared to offer detailed insights and recommendations that will aid in ensuring alignment with DORA obligations and enhance the overall resilience of the digital ecosystems we support.
This publication gives an overview of key DORA requirements and outlines how Genesys aligns its activities with them. It describes the five pillars of the DORA framework (ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; management of ICT third-party risk; and information-sharing arrangements), together with the oversight framework for critical ICT third-party service providers, and explains how these are embedded in Genesys' operational practices. In doing so, Genesys not only addresses the requirements of DORA, but also gives its financial services customers and partners a trusted service provider committed to operational resilience, security, and data protection.
Additionally, this publication details Genesys' certification and compliance programs and its compliance strategy, and answers frequently asked questions regarding DORA.
Genesys is dedicated to upholding the highest standards of security, privacy, and operational resilience. To support our compliance efforts and provide assurance to our customers, we have obtained and continuously maintain the following certifications and participate in recognized compliance programs.
Certification/compliance program: description
GDPR compliance: Reflects Genesys' compliance with EU data protection law, ensuring that personal data is handled with care and transparency.
C5 (Cloud Computing Compliance Criteria Catalogue): Attests that Genesys meets the baseline security level for cloud services defined by the German Federal Office for Information Security (BSI) and used by professional cloud service providers, auditors and cloud customers.
ISO/IEC 27001 (Information Security Management System, ISMS): Certifies that Genesys maintains a systematic, risk-based approach to managing sensitive information, including the security controls that support it.
ISO/IEC 27017 (Code of practice for information security controls for cloud services): Provides additional cloud-specific controls that Genesys implements for the secure delivery of cloud services.
ISO/IEC 27018 (Protection of personally identifiable information (PII) in public clouds): Provides controls for protecting PII in cloud environments where Genesys acts as a processor of personal data, supporting customers' own data protection obligations.
Payment Card Industry Data Security Standard (PCI DSS): Genesys complies with the standard designed to secure cardholder data and transactions for payment processing services.
SOC 1 (Service Organization Control 1): Provides assurance on the effectiveness of Genesys' internal controls that are relevant to customers' financial reporting.
SOC 2 Type II (Service Organization Control 2: security, availability and confidentiality): Provides independent, in-depth validation that Genesys' controls for the security, availability and confidentiality trust services criteria were suitably designed and operated effectively over the audit period.
These certifications and compliance programs are integral to Genesys Cloud operations, demonstrating our commitment to security, privacy, and operational excellence. For further information on these efforts, please visit the Genesys compliance and Genesys security pages.
Under Genesys’ integrated compliance strategy, we align DORA’s regulatory requirements with our existing compliance programs by embedding its core pillars into our operational processes. This approach ensures that compliance is not treated as a separate function, but is integrated into our business practices, allowing us to proactively meet DORA’s standards, while maintaining resilience across our operations.
Genesys takes a broad approach to risk management by tracking developing regulatory environments, such as DORA, NIS2 and the EU AI Act, and by integrating ICT risk, AI governance, business continuity and disaster recovery, and cybersecurity measures into a single cohesive strategy. This unified approach fosters resilience, promotes innovation and helps protect our services from evolving risks across regulatory domains.
Our incident reporting process addresses DORA's reporting obligations and also aligns with other regulations, such as the NIS2 directive. It provides efficient communication with our customers and partners and ensures that incidents are reported and acted upon promptly, so that customers can meet their own notification deadlines.
Our subcontractor management process includes risk-based due diligence, contractual compliance measures and audits in line with identified risk profiles. This approach provides continuous monitoring of subcontractor performance and compliance so that all parties that are involved in delivering critical services adhere to the highest standards.
Our training programs are regularly updated to cover regulatory developments. Employees across the organization receive training that emphasizes the importance of security and privacy, including awareness of, and responsibilities under, applicable regulatory frameworks. Genesys employees have access to the knowledge necessary to maintain compliance in their daily operations and decision-making.
Collaboration across teams enables a unified understanding of Genesys’ obligations under regulations like DORA and ensures a coordinated response. This collective effort breaks down silos, ensuring all teams operate from the same playbook. Regular cross-functional meetings and system updates keep us agile in the face of regulatory changes, fostering a culture of proactive compliance that enhances our operations across all services and regions.
While DORA is the focus of this publication, it’s also essential to acknowledge the overlapping and complementary requirements of NIS2 and the upcoming EU AI Act.
NIS2: As a directive that enhances cybersecurity across critical sectors in the EU, NIS2 shares several common objectives with DORA, particularly in cybersecurity risk management and incident reporting. Because it is a directive, NIS2 must be transposed into national law by each member state; Genesys is monitoring that transposition by individual EU countries and will evaluate such developments as part of our broader risk management framework, as applicable.
EU AI Act: The EU AI Act introduces regulations on the deployment and use of AI, with the strictest obligations applying to high-risk AI systems. For Genesys, this means AI-driven services must comply with the AI Act's requirements, including risk management, transparency and human oversight. Genesys is closely tracking developments in the EU AI Act to ensure alignment with its requirements alongside those of DORA, maintaining operational integrity and trust across its compliance measures.
The full text of the DORA regulation can be accessed on the European Insurance and Occupational Pensions Authority's website. Guidelines, Regulatory Technical Standards (RTS), and Implementing Technical Standards (ITS) can be found on the European Banking Authority's website.
DORA applies to a wide range of financial entities that have operations within the EU, including credit institutions, investment firms, insurance companies and crypto-asset service providers, as well as ICT third-party service providers to such financial entities (collectively, "Entities").
The five pillars of DORA are: ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; management of ICT third-party risk; and information-sharing arrangements. DORA also establishes an oversight framework under which the European Supervisory Authorities oversee ICT third-party service providers that are designated as critical.
Under DORA, FSIs are required to manage the risks associated with using ICT third-party service providers, in particular those supporting critical or important functions. As a provider of ICT services to these FSIs, Genesys and its partners must ensure their respective services are resilient, secure and compliant with DORA requirements. It is important to distinguish two separate determinations: the European Supervisory Authorities may designate an ICT third-party service provider such as Genesys as "critical," in which case it becomes subject to direct oversight; independently of that, each FSI using the service determines for itself whether the service supports a critical or important function. Genesys has undertaken a company-wide effort to uphold compliance with DORA requirements and views such compliance as imperative to maintaining trust and doing business with FSIs that have operations in the EU.
The Lead Overseer may impose periodic penalty payments on a critical ICT third-party service provider of up to one percent of its average daily worldwide turnover in the preceding business year, which can be applied daily for up to six months until compliance is achieved. Additionally, other penalties include:
Please visit our Trust Center for more information about how Genesys is responding to applicable regulations and directives.
DORA is applicable to customers in the EU/EEA, regardless of the supply model, that is, whether the service is purchased directly from Genesys or through a reseller partner. Genesys will support its customers (and reseller partners to such customers) in complying with DORA.
The European Supervisory Authorities (ESAs): 1) the European Banking Authority (EBA); 2) the European Insurance and Occupational Pensions Authority (EIOPA); and 3) the European Securities and Markets Authority (ESMA), prepared and released a set of policy products to facilitate the application of DORA. These policy products include guidelines, regulatory technical standards (RTS), and implementing technical standards (ITS) that specify how the applicable entities should comply with DORA.
The first set of policy products was delivered on January 17, 2024, and the second set was delivered on July 17, 2024, with an additional RTS released on July 26, 2024. FSIs and some ICT third-party service providers are actively working on establishing internal processes and procedures that adhere to DORA, which involves integrating DORA principles into existing operational frameworks and preparing for ongoing assessments by regulatory bodies.
It is unclear whether Genesys will be designated as a critical ICT third-party service provider under DORA. The regulation gives the ESAs the power to designate certain service providers as critical, but the designation process has not yet concluded. Regardless of the official designation, Genesys is proactively taking steps to ensure that its services are prepared to be treated by its financial services customers as supporting critical or important functions, as defined in the regulation, and has designed its contracts and service offerings to address the requirements set forth for such functions.
Genesys continuously monitors DORA developments and requirements, as well as the competent regulators' interpretation and enforcement of the regulation, and is taking proactive measures to ensure compliance in this evolving regulatory landscape. In early 2023, Genesys created a company-wide task force with executive sponsorship. This team monitors ongoing regulatory updates and is implementing further enhancements to our services, both cloud and software, and to our enterprise controls.
The work of the task force supports Genesys' compliance under DORA and provides a structured approach to assist our financial services customers on their DORA compliance journey. All Genesys business units and stakeholders support this team, and it is available to consult with Genesys customers and partners on DORA's key technical requirements as they relate to the use of Genesys services.
With respect to the Genesys Cloud platform, Genesys operates these cloud-based services under a number of advanced security and compliance control frameworks, as listed in the certification and compliance program described above. As part of this program, we continue to add new third-party attestations to validate our compliance posture. Genesys has also created a dedicated team of security, privacy, and compliance experts, the Contact Center as a Service (CCaaS) Center of Excellence (COE). To engage our CCaaS COE expert team, please contact your account sales team or customer success manager.
Navigating the complex regulatory landscape of DORA requires a strategic and integrated approach. Genesys is committed to compliance to not only meet regulatory requirements, but also to enhance our operational resilience, protect our services, and maintain the trust of our customers. By leveraging our certifications, compliance programs and a unified compliance strategy, Genesys is well-positioned to continue providing secure and reliable services to financial entities across the EU.
For further guidance on your compliance strategy, or to learn more about how Genesys can support your operational resilience, please contact your account sales team or customer success manager. You may also visit the Genesys Trust Center for more information.
This publication is provided for informational purposes only and should not be construed as legal advice. The content is subject to change as our approach and response evolves over time. Genesys makes no warranties or representations as to the accuracy, completeness, or timeliness of the information contained herein. Compliance with DORA, NIS2 and the EU AI Act is a complex process that may require legal consultation. Genesys shall not be liable for any errors, omissions or actions taken in reliance on this publication. Readers are encouraged to seek professional legal advice to address specific concerns and ensure full compliance with applicable laws and regulations.