The EU Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) entered into force on January 16, 2023 and has applied since January 17, 2025, after a two-year preparation window. Most retail traders comparing XM and Exness in 2026 have not heard of it. Most broker comparison sites do not mention it. The omission is not innocent: DORA materially changes how the CySEC-licensed entities of XM and Exness must run their technology stack, manage their cloud providers, and respond when things break. It also does not reach the offshore entities of either broker. That asymmetry is the point of this piece.
This Desk does not generally write about EU technology regulation. We write about it here because the practical retail consequences of DORA are not abstract: when a forex broker's order routing system goes down for forty-five minutes during the New York open, DORA defines whether that incident gets reported to the regulator, whether the trader has an enforceable right to information about what happened, and whether the broker's cloud provider — typically AWS, Azure, or a specialist forex hosting provider in LD4 or NY4 — sits inside or outside the regulatory perimeter. For traders choosing between XM and Exness in 2026, none of this is hypothetical. Both brokers run real ICT operations. Both have CySEC-licensed entities subject to DORA. Neither has been transparent about how their offshore entities differ in ICT-resilience posture from their EU entities.
What DORA Actually Requires
DORA rests on five operative pillars. First, ICT risk management: regulated entities must maintain a formal ICT risk framework, with board-level accountability, that is documented and continuously updated. Second, incident management and reporting: a "major" ICT-related incident triggers mandatory reporting to the competent authority on fixed timelines (an initial notification within four hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate one), using a classification framework built on thresholds such as affected client count, financial impact, and duration of disruption. In summary, the thresholds are: more than 10% of clients or transactions affected, more than 100,000 clients involved, direct and indirect costs above €100,000, or ICT services supporting critical or important functions down for more than two hours. The implementing standards combine these criteria rather than treating any single threshold as sufficient on its own, so a broker classifying an incident has to assess all of them. Third, digital operational resilience testing: an annual testing programme covering ICT systems that support critical or important functions, and for entities designated by their competent authority, threat-led penetration testing (TLPT) at least every three years. Fourth, information sharing arrangements between regulated entities, which DORA permits and encourages but does not mandate. Fifth, and most consequentially for retail brokers, ICT third-party risk management: the explicit bringing of cloud providers, data center operators, market data vendors, and order routing infrastructure providers inside the regulatory perimeter.
The European Supervisory Authorities designated a first list of "critical" ICT third-party providers in November 2025. That designation matters because it places those providers, typically large cloud hyperscalers and specialist financial infrastructure firms, under direct ESA oversight rather than only under the indirect oversight that runs through their broker customers. It does not relieve the broker of its own obligations: each DORA-covered entity must keep a register of information listing every ICT third-party dependency, and its contracts with providers supporting critical or important functions must contain the minimum provisions DORA prescribes, including service levels, incident assistance, audit and access rights, and termination and exit arrangements. For the XM and Exness CySEC entities, this means that the cloud and infrastructure dependencies underlying the trading platform are no longer an internal operational matter but a documented, supervisable one.
DORA applies to almost all EU financial entities, including banks, insurers, brokers, payment institutions, investment firms, and crypto-asset service providers. The retail forex broker entities sitting under CySEC licenses are squarely within scope. The offshore entities (XM's IFSC Belize entity, XM's FSA Seychelles entity, Exness (SC) Ltd in Seychelles, and Exness's other non-EU pathways) are not within DORA's scope. They sit under their respective local frameworks; the Seychelles framework has its own ICT and corporate governance expectations under the FSA's recently expanded code of corporate governance, but it is not DORA-equivalent.
The Asymmetry Between Entities
A retail trader onboarded to XM's Cyprus-licensed entity in 2026 trades with a broker whose ICT incident response, cloud provider oversight, and operational resilience are inside DORA's regulatory perimeter. A retail trader onboarded to XM's Belize or Seychelles entity trades with a broker whose ICT operations may technically share infrastructure with the Cyprus entity, but whose contractual and regulatory exposure to DORA reporting and oversight is materially different. The same logic applies to Exness: clients onboarded through the Cyprus pathway sit inside DORA, clients onboarded through Seychelles sit outside.
The asymmetry is not theoretical. It plays out in three observable dimensions.
Incident reporting visibility. A major ICT incident affecting the EU entity must be reported to the competent authority. A material incident affecting only the offshore entity may be reported under the offshore framework's lighter-touch requirements, or in some cases not reported at all. From the trader's perspective, DORA's reporting duty runs to the regulator, not to the client, and it creates no private right of action. It does, however, require the entity to inform its clients without undue delay when a major incident affects their financial interests, together with the measures taken to mitigate it. Beyond that, the regulatory record produced by mandatory reporting becomes part of the broker's supervisory file: a subject access request under GDPR may surface the personal data the broker holds in connection with the incident (not the regulatory filing itself), and counsel can reference the existence of a filed report during dispute escalation. Offshore traders have no equivalent leverage.
Third-party provider accountability. When the broker's primary cloud provider has an outage, DORA-covered EU entities must demonstrate they have contractual and operational mitigations. Offshore entities operate under whatever the offshore regulator considers adequate, which has historically been less prescriptive. A retail trader experiencing a platform outage on a CySEC-entity account can ask the broker, and through a complaint to its regulator, for an account of the outage that addresses the third-party dependency, because the entity is required to hold that information. An offshore trader experiencing the same outage typically has no such route.
Continuity testing. DORA requires an annual testing programme covering the ICT systems that support critical or important functions and, for entities their competent authority designates, threat-led penetration testing against realistic threat scenarios at least every three years. The findings shape how brokers harden their infrastructure. The offshore entities are not under that obligation. The infrastructure may be the same, but the testing discipline and the consequence of finding vulnerabilities differ.
What This Means in Three Concrete Scenarios
Scenario one: an extended platform outage during NFP week. A retail trader at XM Cyprus and a retail trader at XM Seychelles both lose platform access for ninety minutes during the U.S. nonfarm payroll release. The Cyprus account-holder operates under a regime where, if the broker meets DORA's major-incident threshold, the incident must be classified, reported to CySEC, and form part of the broker's supervisory record. Note that ninety minutes does not by itself cross the two-hour downtime criterion summarised above; whether the outage is major turns on the other criteria, such as the share of clients or transactions affected, and the broker must document that assessment either way. The Seychelles account-holder's outage is a contractual matter between the trader and the broker under FSA Seychelles' framework, with looser reporting obligations. Both traders may experience identical real-world impact. Their leverage in any subsequent dispute is not identical.
Scenario two: a cloud provider outage. An ICT third-party provider, say a single AWS availability zone, has a disruption that affects order routing for several hours at both brokers. Under DORA, the EU entities of XM and Exness must have contractual mitigations, alternative routing arrangements, documented contingency plans, and, for providers supporting critical or important functions, a documented exit strategy. The offshore entities may have similar arrangements as a matter of operational best practice but are not subject to DORA's specific prescriptions. In practice, the brokers run shared infrastructure across entities, so the operational outcome may be similar; the regulatory follow-up and the trader's access to the incident record differ.
Scenario three: a cyber incident affecting client data. A successful cyberattack compromises client KYC documents at both brokers. For the EU entities, DORA defines the incident reporting timelines and content (initial notification within four hours of classification and 24 hours of awareness, intermediate report within 72 hours, final report within one month), and GDPR separately requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach and informing affected individuals without undue delay where the breach is likely to result in a high risk to them. The offshore entities operate under their respective data protection frameworks, which in the Seychelles case has been expanded but is not GDPR-equivalent. The Cyprus account-holder benefits from a regulatory architecture that combines DORA's ICT incident reporting with GDPR's data breach reporting; the Seychelles account-holder relies on the broker's voluntary disclosure and the Seychelles framework's specific provisions.
Why XM and Exness Marketing Does Not Mention Any of This
The honest reason is that DORA is technical, dry, and not a competitive advantage when articulated precisely. Saying "we comply with DORA on our CySEC entity" raises the question of what happens at the offshore entity, which the broker would prefer the trader not to ask. Saying "we have robust ICT risk management" sounds like marketing copy, which is what it is. The regulatory reality — that the EU entities operate under a more prescriptive technology framework than the offshore entities — is not something the brokers want to highlight, because most retail clients of both brokers in the MENA, South Asia, and Africa markets are onboarded through offshore pathways where DORA does not apply.
The lack of marketing coverage is not the same as the lack of substantive difference. The difference is real. It just does not show up in the spread comparison or the bonus offer.
The Decision Reading
For a retail trader in 2026 choosing between XM and Exness, DORA is one of several factors that argue for CySEC-entity onboarding rather than offshore-entity onboarding when the choice is available. The other factors — investor compensation availability, MiFID II execution reporting, the prohibition on bonuses at the EU entity, the prohibition on the highest leverage bands at the EU entity — pull in different directions. A scalper who needs 1:500 leverage onboarded to a CySEC entity will be capped at 1:30 retail leverage and will not get the trading conditions the offshore entity offers. The DORA argument does not override that.
The DORA argument does say: when your broker's platform breaks, when your trade does not execute, when your cloud provider has an outage that affects your account, the regulatory record produced by DORA reporting at the CySEC entity, and the entity's duty to inform affected clients of a major incident, are real assets that the offshore entities do not provide. Whether those assets are worth giving up the leverage and the bonus depends on the trader's specific profile.
For traders who maintain accounts at both an EU entity and an offshore entity at the same broker — a not-uncommon pattern among more sophisticated retail clients — DORA gives an additional reason to keep the EU entity for the function it serves: a regulatory backstop when something breaks.
Honest Limits
This Desk has not reviewed XM's or Exness's internal DORA compliance documentation, has not seen their ICT risk frameworks, and has not had access to any reportable incident records that may have been filed with CySEC since DORA took effect. The analysis here reflects the regulatory framework as published and the brokers' observable disclosures as of May 2026. DORA enforcement in 2025 was largely a transition year, with regulators reviewing firms' new frameworks rather than levying penalties; 2026 is the year in which more substantive enforcement is expected to begin. Specific incident records and supervisory outcomes will continue to develop. The asymmetry between EU and offshore entities described above is structural and unlikely to narrow in the short term — but the practical magnitude of the difference will become clearer as DORA's enforcement record accumulates.