
Understanding DORA regulation: The Digital Operational Resilience Act

  • Writer: Volodymyr Garbar

From 17 January 2025, the European Union’s Digital Operational Resilience Act (DORA) applies in full, reshaping the regulatory cybersecurity landscape for financial services. Designed to ensure digital resilience across the financial ecosystem, DORA introduces binding requirements for ICT risk management, incident handling, resilience testing, and third-party oversight. Here's what every affected organisation needs to know.


[Illustration: the five pillars of the DORA framework: ICT risk management, incident reporting, third-party risk, resilience testing, and information sharing.]

What Is DORA regulation?

DORA (Regulation (EU) 2022/2554) is an EU-wide regulatory framework for the digital operational resilience of financial institutions. Where earlier financial-sector rules treated ICT risk as one component of general operational risk, DORA targets it directly: cybersecurity incidents, third-party service disruptions, and digital infrastructure failures. It applies to over 22,000 financial entities, including banks, insurers, investment firms and crypto-asset service providers, and, through designation by the European Supervisory Authorities, to critical ICT third-party providers such as cloud and software vendors.



Who Must Comply?

DORA covers a wide range of entities:

  • Banks, insurers, and pension funds

  • Crypto-asset service providers

  • Payment service providers and crowdfunding platforms

  • ICT providers that serve regulated financial entities

If you provide ICT services to a financial entity in the EU, DORA reaches you: directly if you are designated a critical ICT third-party provider, and otherwise indirectly through the contractual provisions, audit rights and exit arrangements your financial-sector customers are required to impose on you.



When Does DORA Take Effect?

  • Published in the Official Journal: December 27, 2022

  • Entered into force: January 16, 2023

  • Applies from: January 17, 2025

Entities were expected to use this two-year window to fully align with DORA’s framework and be audit-ready by the application date.



The 5 Pillars of DORA


1. ICT Risk Management

Organisations must develop an ICT risk management framework that includes:

  • Clear governance roles and responsibilities

  • Ongoing risk assessments

  • Incident response and recovery plans

  • Monitoring, alerting, and backup strategies

  • Communication and learning mechanisms

Importantly, DORA supports a proportional approach—meaning smaller organisations may adopt lighter implementations, while large enterprises must meet higher standards.


2. ICT-Related Incident Reporting

Mandatory reporting for major ICT-related incidents is a cornerstone of DORA. Entities must:

  • Detect and classify incidents using DORA's harmonised criteria (clients and counterparts affected, duration, geographic spread, data losses, criticality of the services affected, and economic impact)

  • Notify the competent authority within strict timeframes: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report

  • Inform clients without undue delay where a major incident affects their financial interests

  • Optionally report significant cyber threats for industry-wide awareness

The clock starts at detection and classification, not at resolution, so an efficient and structured incident management process with clear classification criteria is essential to meet these requirements.


3. Digital Operational Resilience Testing (DORT)

DORA introduces rigorous and regular testing:

  • Testing of ICT systems supporting critical or important functions at least once a year, carried out by independent parties (internal or external)

  • Threat-Led Penetration Testing (TLPT) at least every 3 years for financial entities identified by their competent authority, based on their size, systemic importance and risk profile

TLPT must be performed on live production systems supporting critical or important functions, following a framework aligned with TIBER-EU, with testers and threat-intelligence providers that meet DORA's qualification and independence requirements. Organisations must validate their resilience under simulated attacks that mirror the tactics of real-world threat actors, and remediate the findings.


4. ICT Third-Party Risk Management

The regulation demands greater scrutiny and control over third-party providers:

  • Risk-based vendor assessments

  • Security provisions within contracts

  • A register of information covering all contractual arrangements with ICT third-party providers, distinguishing those that support critical or important functions

  • Audit rights and exit strategies

Supply chain risk is no longer optional—it's a regulatory obligation.


5. Information Sharing

DORA promotes collective cyber resilience by encouraging:

  • Participation in threat intelligence sharing communities (e.g., ISACs)

  • Reporting systemic threats to competent authorities

Although voluntary, these practices significantly strengthen threat detection and sector-wide preparedness.



How to Prepare for DORA


Step 1: Assign Governance and Ownership

Designate a senior executive or committee responsible for DORA implementation and oversight. Ensure top-level sponsorship to align the organisation and allocate resources.


Step 2: Conduct a Gap Assessment

Benchmark current practices against DORA’s requirements. Identify gaps in risk management, incident handling, and third-party governance.


Step 3: Create a Compliance Roadmap

Prioritise remediation based on risk and impact. Define timelines and deliverables for policies, tools, and process updates.


Step 4: Implement Controls and Technology

Deploy solutions to support continuous monitoring, incident response, risk analysis, and audit readiness. Tools may include SIEM, SOAR, EDR, and vulnerability scanners.


Step 5: Formalise Third-Party Management

Review contracts, perform vendor risk assessments, and maintain a central third-party register. Ensure performance clauses and data protection obligations are embedded.


Step 6: Develop a Testing Strategy

Plan for annual system tests and prepare for TLPT with internal or external teams. Simulate disruptions, review results, and prioritise remediation.


Step 7: Document and Train

Update or create policies on incident response, ICT risk, and DR/BCP. Train staff on roles and responsibilities, response workflows, and reporting obligations.



Enforcement Measures

Non-compliance with DORA can lead to:

  • Administrative penalties and remedial measures imposed by national competent authorities; DORA does not fix a single fine amount for financial entities but requires Member States to set penalties that are effective, proportionate and dissuasive

  • For critical ICT third-party providers, periodic penalty payments imposed by the Lead Overseer of up to 1% of average daily worldwide turnover for each day of non-compliance, for up to six months

  • Public reprimands and reputational damage

  • Withdrawal of authorisations under national supervisory powers in severe cases

  • Civil liability under national law for harm caused to clients or third parties


Conclusion

DORA brings a new era of digital accountability for the financial sector. It’s not just about avoiding penalties—it's about building resilience, protecting clients, and maintaining trust in the digital economy. Organisations that act early will not only ensure compliance but also strengthen their overall cybersecurity maturity in the process.
