Digital Operational Resilience Act (DORA) on Financial Institutions

Understanding The Digital Operational Resilience Act (DORA) For Financial Compliance

What is the Digital Operational Resilience Act (DORA)? What are its benefits and what impact will it have on financial compliance? In this article, we take on the role of DORA the Explorer.

Introduction

It all began on January 17, 2025. The world was introduced to the Digital Operational Resilience Act (DORA), a European Union regulatory framework designed to ensure organisations in the financial sector can defend against, respond to, and recover from all types of ICT-related disruptions and threats.

What impact will this have on the financial industry? Well, guess what? It’s time to grab a cuppa and dive in!

This blog will explore the whole Digital Operational Resilience Act (DORA), ultimately covering its key components and why financial institutions need to comply.

A bit like DORA the Explorer!

Why does the Digital Operational Resilience Act (DORA) Matter?

It’s now mandatory for all financial institutions to comply with this new act on the block.

Imagine a scenario where a major bank’s online services go down due to a cyberattack. Customers can’t access their accounts, transactions halt, and trust erodes. DORA aims to prevent such situations from happening by:

  • Standardising Risk Management: Ensuring all financial entities have a consistent approach to managing ICT risks.

  • Mandating Incident Reporting: Requiring the timely reporting of significant ICT-related incidents to relevant authorities.

  • Overseeing Third-Party Providers: Ensuring third-party ICT service providers meet strict security standards.

With the financial sector becoming more digitalised and interconnected than ever, the risk of cyberattacks and ICT disruption will likely escalate. As the saying goes, ‘With connectivity comes vulnerability.’

Hence, a clear structure and framework will address these challenges by setting up effective systems and protocols that will strengthen digital resilience across the EU’s financial sector. 

Who does DORA apply to?

The Digital Operational Resilience Act applies to a broad spectrum of financial entities and third-party providers, including:

  • Banks and credit institutions
  • Insurance and reinsurance companies
  • Investment firms
  • Payment institutions
  • Electronic money institutions
  • Crypto-asset service providers
  • Central counterparties and securities depositories
  • Trade repositories
  • Crowdfunding service providers
  • Managers of alternative investment funds
  • Pension schemes with more than 15 members

It also extends to cloud providers and data centres that are deemed critical to the operations of these financial entities.

The Core Pillars of the Digital Operational Resilience Act

1. ICT Risk Management

At the heart of DORA lies the emphasis on ICT (Information and Communication Technology) risk management. Financial entities are expected to:

  • Identify and assess risks: Regularly evaluate potential ICT threats that could impact operations.
  • Implement protective measures: Establish controls to prevent incidents, such as firewalls, encryption, and access controls.
  • Detect incidents: Use effective monitoring tools to identify unusual activity or breaches.
  • Develop response strategies: Have clear plans for addressing incidents so that damage is minimised and services are restored as soon as possible.
  • Ensure recovery and learning: Conduct post-incident reviews to understand root causes and improve future responses. Don’t forget to retest, as this confirms that the improvements actually work.

2. Incident Reporting

DORA mandates a standardised process for reporting significant ICT-related incidents. Key requirements include:

  • Monitoring: Continuous tracking of ICT systems to detect incidents that could disrupt the organisation’s operations.
  • Classification: Each incident is assessed against pre-defined criteria that evaluate its impact on the entity’s operations.
  • Timely reporting: Notifying the relevant authorities within the required timeframes and in a professional manner, including completing any required incident report documents and templates.
  • Communication: Informing stakeholders, including clients and partners, about incidents and the steps the financial institution has taken to resolve them.

3. Digital Operational Resilience Testing

Test, test and test…

We all know testing is the only way to find out what works and what doesn’t. Regular testing is therefore crucial for evaluating how well your defences hold up against particular threats to IT systems.

DORA requires:

  • Periodic assessments: Conducting tests to evaluate system resilience and identify vulnerabilities.
  • Advanced testing: For critical systems, performing threat-led penetration testing (TLPT) to simulate real-world cyberattacks alongside Red Team and Blue Team simulations.
  • Addressing findings: Acting on test results to implement the measures needed to strengthen your security defences.

4. ICT Third-Party Risk Management

We all know that financial institutions often rely on third-party ICT providers, whether for cloud services or data.

To be honest, sometimes these institutions can be overly reliant and possibly blinded, but this is where DORA steps in.

DORA emphasises the need to manage these relationships effectively by:

  • Due diligence: Doing your research. Before any engagement or partnership, assess your potential third-party provider’s resilience and security track record. How secure are they? Can you trust them?
  • Contracts: Make sure your contracts set out the security standards, data protection obligations and incident response rules the provider must meet.
  • Everlasting Monitoring: Remember it’s a marathon, not a sprint. Consistently review your third-party provider’s performance. Have they improved? Most importantly, do they still comply with DORA requirements?

Fewer vulnerabilities in the supply chain mean higher resilience, and ultimately a stronger position in the market.

5. Information Sharing

Sharing is caring, people!

The Digital Operational Resilience Act encourages all financial entities to participate in information sharing. It’s a team sport, I guess. So if we collectively work together to enhance our cybersecurity measures, then together we can strengthen the walls of our financial industry.

  • Sharing threat intelligence: Exchanging information about emerging threats, vulnerabilities, and incidents.
  • Combining defence strategies: Working together to develop and implement best practices that mitigate threats and lessen the impact should an attack occur.
  • Engaging with authorities: Coordinating with regulatory bodies to align security standards and responses.

A unified defence front is the best front. Ok, I think I’m starting to sound like we’re going to war, so let’s move on to the key benefits of DORA.

Key Benefits of DORA

The benefits of the Digital Operational Resilience Act are clear; here are a few:

  • It protects financial organisations from financial losses caused by operational disruptions.
  • It strengthens security posture across the financial sector, ultimately increasing productivity and efficiency across all areas of business.
  • It drives compliance through stronger risk management, regular testing and greater security protocols.
  • Demonstrates an organisation’s commitment to achieving security compliance and digital resilience, ultimately building trust between them and their customers.
  • The framework allows for collaboration between different financial entities, which in my opinion, is the greatest defence, as there will be fewer disruptions and threats.

My Opinion?

Digital transformation has taken a turn for the better. It enhances data insights while improving the quality of work in any given industry. But are we safe?

The answer is yes. Yes, digitalisation has made the financial industry heavily interconnected. And yes, there are going to be more disruptions and threats of cyberattacks. 

But guess what, there are also more digital tools and systems in place to prevent such things from happening.

The Digital Operational Resilience Act changes how financial firms view and manage ICT risk. The downside is that a lot more investment will be needed. Firms will have to invest in new technologies, update systems, and train staff, ensuring they meet the requirements of the framework. Ultimately, this will help create a culture of digital resilience.

For IT providers, DORA brings increased scrutiny. Providers working with EU financial firms will be subject to the EU’s regulatory framework, which could mean adapting their services or facing penalties for non-compliance.

Essentially, DORA is putting the squeeze on IT companies serving EU financial firms. They’ll need to get their act together with EU regulations or risk fines, and they may have to tweak what they offer to fit the bill.

Nonetheless, DORA represents a significant step forward in securing the EU’s financial sector against digital threats. While the road to compliance may be challenging, the end goal is worth it.

For those navigating this journey, remember that resilience isn’t just about technology; it’s about people, processes, and preparedness.

Here’s to a more resilient, secure and trustworthy financial ecosystem!


