DORA regulations in Liechtenstein and impact for all industries

Reviewed by: Nojus (Noah) Bendoraitis

Liechtenstein may be one of Europe’s smallest states, but its financial services sector—including banks, insurance companies, and investment firms—has a significant international reach. Because the principality is a member of the European Economic Area (EEA) via the European Free Trade Association (EFTA), it often adopts or aligns with EU regulations to maintain access to the single market. Although the Digital Operational Resilience Act (DORA) specifically targets EU-based financial entities, Liechtenstein’s close ties with EU and EEA frameworks mean many of DORA’s principles can become relevant for local institutions and service providers. 

In this post, I’ll examine the potential impact of DORA on Liechtenstein, discuss whether the adoption process differs from EU member states, and highlight existing regulations that parallel DORA’s objectives. I’ll also provide a concise list of Liechtenstein-based auditors that can help organizations navigate DORA-like requirements.

Why DORA matters in Liechtenstein

DORA outlines robust ICT risk management, incident reporting, and third-party oversight requirements for financial institutions across the EU. While Liechtenstein is not an EU member, it participates in the EEA, which typically means transposing or adapting relevant EU regulations for local use, ensuring seamless market access. Hence, if DORA is incorporated into the EEA framework, Liechtenstein could be obliged to adopt its core provisions—or voluntarily align with them to preserve the country’s reputation for strong regulatory standards.

Local financial institutions and fintech companies that partner with EU-based clients or handle cross-border transactions may need to demonstrate DORA-equivalent controls. Aligning with these expectations can:

  1. Preserve cross-border business: EU institutions may require proof of compliance to maintain or expand partnerships.
  2. Enhance competitiveness: A strong track record in cyber resilience and operational stability can help Liechtenstein’s financial sector stand out globally.
  3. Ease regulatory adaptation: Should Liechtenstein formally integrate DORA into its legal framework, organizations already meeting these standards will face fewer adjustments.

Is the process different from other countries?

EU member states must implement DORA directly as an EU regulation. Liechtenstein, by contrast, goes through EEA mechanisms to decide whether to adopt or adapt new EU directives and regulations. This means:

  • Potential delay or variation: Incorporation into the EEA Agreement might take additional time or incorporate specific Liechtenstein stipulations.
  • Local guidance from the FMA: The Financial Market Authority (FMA) Liechtenstein typically interprets and enforces any new EEA-aligned regulations, issuing circulars or clarifications.

While DORA is not yet fully integrated into the EEA framework, Liechtenstein’s financial institutions with EU-facing operations may proactively align with DORA-like rules to meet partner expectations, especially around incident reporting and vendor management.

Existing Liechtenstein regulations that mirror DORA principles

Even before DORA’s emergence, Liechtenstein maintained a robust legal environment to ensure financial stability, data protection, and cyber security. The table below details some relevant measures and how they connect to DORA-like principles:

| Liechtenstein regulation or measure | Focus area | How it aligns with DORA |
| --- | --- | --- |
| Financial Market Authority (FMA) regulations | Oversee risk management, internal controls, and prudential requirements for banks and other financial entities | Echo DORA’s emphasis on structured governance, vendor due diligence, and ongoing assessment of ICT risks |
| Data Protection Act (aligned with GDPR standards) | Enforces data privacy rules, including breach notification requirements | Complements DORA’s stance on safeguarding sensitive information and promptly reporting incidents affecting data |
| Potential NIS Directive adaptation (if integrated via the EEA) | Addresses cybersecurity obligations for operators of essential services | Resonates with DORA’s call for mandatory incident disclosure, risk monitoring, and collaboration among stakeholders |

These measures, while not identical to DORA, form a foundation that many Liechtenstein institutions already follow. Should DORA be incorporated into EEA regulations, local legislation could be updated or expanded to meet the Act’s detailed obligations.

Impact beyond finance

Although DORA is tailored for financial services, it indirectly reaches any critical IT providers supporting those entities. In Liechtenstein, that includes:

  • Cloud service companies or data centers hosting sensitive financial data
  • Fintech startups offering payment solutions, mobile banking apps, or blockchain tools
  • Software developers and IT consultancies managing vital systems for banks or insurers

A major security incident within one of these service providers might trigger DORA’s reporting obligations for an EU-based (or EEA-aligned) client. Consequently, tech firms may find themselves asked to demonstrate DORA-level controls in contracts and compliance audits—encouraging broader adoption of robust security protocols throughout Liechtenstein’s digital ecosystem.

List of DORA auditors in Liechtenstein

DORA itself does not specify a registry of approved auditors, but several consultancies and audit firms in or near Liechtenstein provide expertise in operational resilience, cybersecurity, and regulatory compliance. Below is a concise list:

| Firm | Primary expertise | Additional notes |
| --- | --- | --- |
| Deloitte Switzerland/Liechtenstein | Cyber risk management, operational audits, governance, and compliance | Global network with local resources knowledgeable about Liechtenstein’s financial sector |
| KPMG Liechtenstein | ICT risk assessments, financial services audits, internal controls | Known for advising banks, insurers, and cross-border clients on EU/EEA regulations |
| PwC Switzerland/Liechtenstein | Cybersecurity, incident response, data privacy, governance & risk | Offers tailored solutions for institutions of various sizes, including cross-border coverage |
| BDO (Switzerland/Liechtenstein) | Internal controls, operational risk, mid-market advisory | Often supports smaller financial entities and specialized tech providers |
| Grant Thornton (Switzerland/Liechtenstein) | Regulatory consulting, ICT audits, risk management | Provides a pragmatic approach to aligning local practices with evolving EU directives |
| CCS Group (based in Liechtenstein) | Local IT consultancy, cybersecurity services, risk management | Specialized knowledge of the principality’s regulatory environment and client base |

When selecting an auditor, Liechtenstein-based institutions should confirm the firm’s familiarity with FMA requirements, EEA regulatory processes, and the potential interplay with EU mandates like DORA.

Balancing autonomy with global standards

Liechtenstein’s participation in the EEA means that any relevant EU regulation, including DORA, will be assessed for potential integration into local law. While the principality retains flexibility in how it adopts new rules, market pressures and cross-border opportunities already incentivize many financial entities and tech providers to align with DORA-level protections. In a world where cybersecurity incidents can erode trust overnight, proactively meeting higher operational resilience standards not only satisfies regulatory expectations but also strengthens Liechtenstein’s standing as a safe, forward-thinking financial hub.
