In January 2025, the European Union’s Digital Operational Resilience Act (DORA) will become fully enforceable, transforming the regulatory cybersecurity landscape for financial services. Designed to ensure digital resilience across the financial ecosystem, DORA introduces comprehensive requirements for ICT risk management, incident handling, testing, and third-party oversight. Here's what every affected organisation needs to know.
DORA (Regulation (EU) 2022/2554) is an EU-wide regulatory framework focused on the digital operational resilience of financial institutions. Unlike earlier regulations, DORA specifically targets ICT risks—cybersecurity incidents, third-party service disruptions, and digital infrastructure failures. It applies to over 22,000 financial entities and their critical ICT providers, including banks, insurers, investment firms, crypto platforms, and cloud or software vendors.
DORA covers a wide range of entities:
If you are part of the digital supply chain to a financial institution in the EU, DORA likely applies to you.
Entities are expected to use this two-year window to fully align with DORA’s framework and be audit-ready by the enforcement date.
Organisations must develop an ICT risk management framework that includes:
Importantly, DORA applies a principle of proportionality: smaller organisations may adopt lighter implementations, while large enterprises must meet higher standards.
Mandatory reporting for major ICT incidents is a cornerstone of DORA. Entities must:
An efficient and structured incident management process is essential to meet these requirements.
DORA introduces rigorous and regular testing:
These tests must be conducted by independent experts and focus on real-world threats, requiring organisations to validate their resilience under simulated attacks.
The regulation demands greater scrutiny and control over third-party providers:
Managing supply chain risk is no longer optional; under DORA it is a regulatory obligation.
DORA promotes collective cyber resilience by encouraging:
Although voluntary, these practices significantly strengthen threat detection and sector-wide preparedness.
Designate a senior executive or committee responsible for DORA implementation and oversight. Ensure top-level sponsorship to align the organisation and allocate resources.
Benchmark current practices against DORA’s requirements. Identify gaps in risk management, incident handling, and third-party governance.
Prioritise remediation based on risk and impact. Define timelines and deliverables for policies, tools, and process updates.
Deploy solutions to support continuous monitoring, incident response, risk analysis, and audit readiness. Tools may include SIEM, SOAR, EDR, and vulnerability scanners.
Review contracts, perform vendor risk assessments, and maintain a central third-party register. Ensure performance clauses and data protection obligations are embedded.
Plan for annual system tests and prepare for TLPT with internal or external teams. Simulate disruptions, review results, and prioritise remediation.
Update or create policies on incident response, ICT risk, and disaster recovery and business continuity (DR/BCP). Train staff on their roles and responsibilities, response workflows, and reporting obligations.
Non-compliance with DORA can lead to:
DORA brings a new era of digital accountability for the financial sector. It’s not just about avoiding penalties—it's about building resilience, protecting clients, and maintaining trust in the digital economy. Organisations that act early will not only ensure compliance but also strengthen their overall cybersecurity maturity in the process.