
DORA Compliance for Kenyan Banks: Why an EU Regulation Now Sits on Your Risk Register

When Equity Bank, KCB, or Co-operative Bank settles a euro-denominated trade through a European correspondent, that transaction now passes through an institution legally bound by DORA. The same applies to Kenyan banks using SWIFT services, European cloud providers, or core banking modules supplied by EU-headquartered vendors. DORA — the Digital Operational Resilience Act — is an EU regulation, but its third-party reach makes it a Nairobi boardroom issue. And with the Central Bank of Kenya tightening its own Guidance on Cybersecurity for the Banking Sector, the two frameworks are starting to collide on the same desks.

What DORA Actually Demands

DORA consolidates ICT risk requirements that were previously scattered across EBA guidelines and national supervisory expectations. It applies to banks, insurers, investment firms, crypto-asset service providers, and — critically — their ICT third-party service providers. The regulation rests on five pillars:

  • ICT risk management — a documented framework with board accountability, not delegated to the CISO alone
  • Incident reporting — major ICT-related incidents must be classified and reported to competent authorities within strict windows (initial notification within 4 hours of classification)
  • Digital operational resilience testing — including Threat-Led Penetration Testing (TLPT) for significant entities, aligned with the TIBER-EU framework
  • ICT third-party risk management — contractual requirements, exit strategies, and a register of information on all ICT providers
  • Information sharing — voluntary arrangements for threat intelligence exchange between financial entities

For a Kenyan bank, the direct legal obligation may not apply. The contractual obligation almost certainly does.

How DORA Reaches Kenyan Banks

Three pathways pull Kenyan institutions into scope:

Correspondent banking relationships. European counterparties are now required to maintain a register of information on ICT third parties and assess concentration risk. Kenyan banks providing services to EU financial entities — or receiving them — will be asked to evidence ICT risk controls, incident reporting capability, and resilience testing. Expect new clauses in your existing contracts at renewal.

Subsidiaries and group structures. Banks with European parents or sister entities (think groups with Mauritius, UK, or EU footprints) face intra-group expectations that flow down through internal policy, not just regulation.

Shared technology stacks. If your core banking platform, payment switch, or cloud workload sits with a provider designated as a Critical Third-Party Provider (CTPP) under DORA, that provider's compliance posture becomes part of your operational reality — including how incidents affecting them must be reported.

Mapping DORA to the CBK Guidance

The good news: a bank that has done genuine work on the CBK Guidance on Cybersecurity (2017, with subsequent updates) and the Data Protection Act 2019 has already built much of the foundation. The overlap is significant:

  • Both require board-level ICT risk governance
  • Both demand incident classification and regulatory reporting (CBK requires notification within 24 hours; DORA tightens this further)
  • Both require third-party risk assessments and contractual controls
  • Both expect business continuity testing

The gaps are where DORA goes further: the register of information (a structured inventory of every ICT contract, far more detailed than typical vendor lists), TLPT (intelligence-led red team exercises every three years for significant entities), and subcontractor visibility down to the chain that supports critical functions.

A bank that can answer 'which fourth-party provider supports the cloud region hosting our SWIFT gateway, and what is their incident response SLA?' is DORA-ready. Most cannot answer this today.
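The question above is a graph query over the register of information: which providers, including their subcontractors, sit under each critical function, and what does the contract say about them. The block below is an added example, not code from the original post or from SecureZaidi. It models a minimal register in Python with constructed sample data (the providers CloudCo, CoreVendor, DataCentreOps, SwitchCo and SmsAggregator and the function names are hypothetical), walks the subcontractor chain for a critical function, flags providers whose direct or indirect exposure spans several critical functions, and lists contracts for critical functions that lack an incident-notification SLA or a documented exit strategy.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Provider:
    """One ICT provider in the register; subcontractors are the fourth parties it relies on."""
    name: str
    country: str
    subcontractors: tuple = ()


@dataclass(frozen=True)
class Contract:
    """One ICT contract: which functions it supports and the two clauses DORA cares most about."""
    provider: str
    supports: tuple                       # functions this contract supports
    incident_sla_hours: Optional[int]     # contractual incident-notification window, None if absent
    exit_strategy: bool                   # documented exit strategy in place?


@dataclass
class Register:
    providers: dict           # provider name -> Provider
    contracts: list           # list of Contract
    critical_functions: frozenset

    def providers_for(self, function: str) -> dict:
        """Every provider in the chain supporting `function`, mapped to its shallowest depth
        (1 = direct contract, 2 = subcontractor of a direct provider, ...). Cycle-safe."""
        found: dict = {}
        stack = [(c.provider, 1) for c in self.contracts if function in c.supports]
        while stack:
            name, depth = stack.pop()
            if name in found and found[name] <= depth:
                continue
            found[name] = depth
            provider = self.providers.get(name)   # unknown fourth party: no further visibility
            for sub in (provider.subcontractors if provider else ()):
                stack.append((sub, depth + 1))
        return found

    def concentration(self, threshold: int = 2) -> dict:
        """Providers (at any depth) that underpin at least `threshold` critical functions."""
        exposure: dict = {}
        for fn in sorted(self.critical_functions):
            for name in self.providers_for(fn):
                exposure.setdefault(name, set()).add(fn)
        return {n: f for n, f in exposure.items() if len(f) >= threshold}

    def contract_gaps(self) -> list:
        """Contracts behind critical functions missing an SLA or exit strategy, plus
        subcontractors referenced by a provider but absent from the register."""
        gaps = []
        for c in self.contracts:
            if not set(c.supports) & self.critical_functions:
                continue
            if c.incident_sla_hours is None:
                gaps.append(f"{c.provider}: no incident-notification SLA")
            if not c.exit_strategy:
                gaps.append(f"{c.provider}: no documented exit strategy")
        for p in self.providers.values():
            for sub in p.subcontractors:
                if sub not in self.providers:
                    gaps.append(f"{p.name}: subcontractor {sub} not in register")
        return gaps


def build_sample_register() -> Register:
    """Constructed sample data; every name here is hypothetical."""
    providers = {
        "CloudCo": Provider("CloudCo", "EU", subcontractors=("DataCentreOps",)),
        "CoreVendor": Provider("CoreVendor", "EU", subcontractors=("CloudCo",)),
        "DataCentreOps": Provider("DataCentreOps", "EU"),
        "SwitchCo": Provider("SwitchCo", "KE", subcontractors=("SmsAggregator",)),
    }
    contracts = [
        Contract("CloudCo", ("swift-gateway",), incident_sla_hours=4, exit_strategy=True),
        Contract("CoreVendor", ("core-banking",), incident_sla_hours=None, exit_strategy=False),
        Contract("SwitchCo", ("mobile-channel",), incident_sla_hours=24, exit_strategy=True),
    ]
    critical = frozenset({"swift-gateway", "core-banking", "mobile-channel"})
    return Register(providers, contracts, critical)


if __name__ == "__main__":
    reg = build_sample_register()
    print("swift-gateway chain:", reg.providers_for("swift-gateway"))
    print("concentration:", reg.concentration())
    for gap in reg.contract_gaps():
        print("gap:", gap)
```

Two things the sample shows that a flat vendor list hides: DataCentreOps never appears on a contract, yet it sits under both the SWIFT gateway and core banking, so it is a concentration point; and SwitchCo's SMS aggregator is known by name only, which is exactly the subcontractor-visibility gap the register is meant to close.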

A Practical 90-Day Starting Point

Don't treat DORA as a separate compliance silo. Fold it into your existing GRC programme:

  • Days 1–30: Conduct a scoping assessment. Identify every contractual touchpoint with EU financial entities and every ICT provider that supports a critical or important function. This becomes the seed of your register of information.
  • Days 31–60: Gap-assess against the five DORA pillars using your existing CBK Guidance controls as the baseline. Focus on incident classification thresholds, third-party contract clauses, and exit strategy documentation.
  • Days 61–90: Commission a threat-led penetration test scoped against your most critical banking functions — payment processing, core banking, customer-facing channels. Even if you are not legally required to do TLPT, the exercise produces evidence your EU counterparties will increasingly demand.

DORA is not coming to Kenya. It is already here, riding on the contracts your treasury and procurement teams sign every quarter. The banks that treat it as an extension of their existing resilience programme, rather than a foreign compliance burden, will close deals their competitors lose.

If you need a DORA-CBK gap assessment or a threat-led penetration test scoped to your critical banking functions, the SecureZaidi GRC and offensive security teams work with East African financial institutions on exactly this. Talk to us before your next correspondent contract renewal.