Liechtenstein may be small, but its financial sector plays on the same field as Europe’s biggest players. And when the EU dropped DORA — the Digital Operational Resilience Act — into the regulatory arena, Liechtenstein didn’t just watch from the sidelines. Thanks to its membership in the European Economic Area (EEA), DORA is now more than a rumor; it’s law.
Let’s break down what this means. I’ll show you how DORA now applies in Liechtenstein, how the rules got there, what’s already in place to help firms comply, and why even tech vendors and consultants need to pay attention.
Why DORA is now part of Liechtenstein’s legal DNA
DORA isn’t just another compliance trend. It’s a full-on shift in how financial institutions manage ICT (information and communication technology) risks. Think of it as moving from “we’ll fix it if it breaks” to “prove it won’t break in the first place.”
For Liechtenstein, DORA became legally binding via the EEA-DORA-DG Act, which entered into force on February 1, 2025. That means if you’re a bank, insurer, payment provider, or other regulated financial intermediary operating in Liechtenstein, you’re now expected to:
- Run real incident simulations.
- Govern ICT risks with clear roles and responsibilities.
- Monitor your third-party providers like a hawk.
Why does this matter? Because many Liechtenstein institutions operate cross-border. DORA compliance is no longer a competitive edge — it’s the price of admission.
How Liechtenstein’s implementation path differs (but ends up in the same place)
Unlike EU member states, which get EU regulations delivered straight to their legal front door, Liechtenstein has to go through a few extra steps. Here’s how it works:
- EEA relevance check: DORA is assessed as relevant for the EEA.
- Joint Committee incorporation: The EEA Joint Committee adds DORA to the EEA Agreement.
- National implementation: Liechtenstein transposes it into national law — in this case, via the EEA-DORA-DG Act.
Yes, the route is different. But the destination? Same rules, same obligations.
The local twist comes from the Financial Market Authority (FMA) Liechtenstein. They don’t just enforce DORA — they interpret it, contextualize it, and publish local guidance. So if you want to know how DORA will actually play out on the ground, keep one eye on Brussels and the other on Vaduz.
PRO TIP
Monitor FMA consultation papers and EU Joint Committee updates to anticipate when DORA might be formally adopted—this can help avoid compliance bottlenecks during transitional phases.
Building on existing rules: You’re not starting from scratch
Here’s the good news. Liechtenstein didn’t wait for DORA to start caring about digital resilience. In fact, it has a solid regulatory base that already overlaps with DORA’s demands:
- FMA Guideline 2021/3: Already covered ICT governance, outsourcing, and incident handling.
- Data Protection Act (GDPR): Strong controls for data processing and breach reporting.
- Cyber Security Act (CSG) implementing NIS2: Focused on critical infrastructure, including financial services.
These existing frameworks give firms a head start. But DORA dials up the detail — requiring formal testing programs, incident playbooks, and third-party concentration risk assessments. It’s not a copy-paste job. It’s an upgrade.
What this means for tech providers (yes, you too)
Let’s say you’re a cloud provider, a fintech startup, or even an IT consultancy in or near Liechtenstein. You might think, “DORA doesn’t apply to me directly.”
Wrong mindset.
Even if you’re not designated as a critical ICT third-party provider under EU rules, your financial clients will:
- Bake DORA terms into your contracts (think SLAs and incident reporting timelines).
- Demand proof that you’re not a weak link.
- Involve you in their resilience testing and audits.
In short: your client’s compliance becomes your concern. If you cause an incident, they have to report it. That makes your resilience their regulatory risk.
Real talk: If your B2B pitch doesn’t mention DORA-readiness by now, you’re already behind.
PRO TIP
If you’re a service provider, embed DORA-aligned controls in client-facing materials like SLAs, RFPs, or business continuity plans. This can boost trust and win bids from EU-regulated financial institutions.
The registers you need to maintain under DORA
DORA isn’t just about governance policies and test results. It also expects you to keep detailed, structured records — aka, registers. These registers aren’t optional. They’re your evidence base when the regulator comes knocking.
Here are the big ones you need to track:
- ICT Asset Register: A comprehensive list of all information and communication technology systems, components, and services you rely on — including internal tools and third-party dependencies.
- ICT Incident Register: A log of all ICT-related incidents, regardless of impact. This helps you identify patterns, spot systemic weaknesses, and prepare your reporting obligations under DORA.
- Digital Operational Resilience Testing Register: Records of all the testing activities you run — what was tested, when, how, what was found, and what was fixed. If it’s not documented, it didn’t happen.
- ICT Third-Party Register: A structured list of your ICT service providers, contracts, functions outsourced, and risk assessments. This is crucial for identifying concentration risks and proving oversight.
Maintaining these registers isn’t about bureaucracy. It’s about building a living map of your operational resilience. And yes, they need to be updated continuously — not just once a year before the audit.

FAQ
- What is DORA and why does it matter for businesses in Liechtenstein?
  DORA is an EU regulation to strengthen digital operational resilience in the financial sector (including ICT risk management, incident reporting, and third-party oversight). For Liechtenstein (an EEA state), it matters because local financial firms and ICT-service providers interfacing with the EU must align to maintain market access and reputation.
- How can businesses in Liechtenstein prepare for DORA compliance?
  Businesses should: (1) identify whether they fall within scope; (2) map ICT-risk frameworks, incident-reporting, and outsourcing contracts; (3) conduct third-party risk assessments, resilience testing, and set up governance and documentation.
- When do Liechtenstein businesses need to be DORA-compliant?
  DORA entered into force in the EU on 17 January 2023 and applies from 17 January 2025.
- How does DORA strengthen trust in Liechtenstein’s business ecosystem?
  By ensuring consistent standards across ICT risk management, incident transparency, third-party oversight, and resilience testing, firms gain credibility with clients, partners, and regulators. This supports cross-border business, reinforces the jurisdiction’s strong regulatory reputation, and mitigates systemic risks.