What is the Digital Operational Resilience Act (DORA)?

2023 12 14 · 4 min read

DORA. A regulation that will surely be in the spotlight of the European financial market in 2024. 

As technological development continues to reshape the financial sector, the regulatory framework must adapt to ensure the robustness and security of digital operations.  

The Digital Operational Resilience Act (DORA), adopted by the European Parliament and the Council in late 2022, is a landmark initiative for financial institutions across the EU. As the DORA application date of 17 January 2025 draws closer, let us go through the essentials of DORA compliance. 

This blog explains the crucial points of DORA regulations and offers practical insights on how financial institutions can prepare for DORA compliance. We provide a straightforward guide and timeline to help you navigate the DORA requirements efficiently. 

What does the Digital Operational Resilience Act (DORA) mean?  

Let us break down the Digital Operational Resilience Act (DORA), officially Regulation (EU) 2022/2554. This regulation addresses a gap in EU financial regulation by mandating comprehensive operational resilience measures for financial entities, with a specific focus on ICT risk. 

Before DORA, financial entities primarily managed operational risk through capital allocation, but DORA regulation expands the scope to include protection, detection, containment, recovery, and repair capabilities against Information and Communication Technology (ICT)-related incidents. The regulation explicitly focuses on ICT risk, setting rules for risk management, incident reporting, operational resilience testing, and monitoring third-party ICT risks. 

The relationship between DORA and the Network and Information Security (NIS) 2 Directive is clarified in Commission guidelines: DORA is a sector-specific Union legal act for financial entities, so where both apply, the DORA provisions take precedence over the corresponding NIS 2 requirements (the lex specialis rule). 

Which financial institutions need to apply DORA regulation? 

To ensure a comprehensive regulatory framework, DORA applies to a wide range of financial entities and extends to the ICT providers they rely on: 

  • Traditional financial entities. This includes credit institutions (banks), payment and electronic money institutions, investment firms, and insurance and reinsurance undertakings. 
  • Non-traditional financial entities. DORA extends its applicability to entities such as crypto-asset service providers and crowdfunding service providers. 
  • Third-party service providers. DORA also reaches ICT third-party service providers that supply financial entities with ICT systems and services, such as cloud service providers and data centres; those designated as critical fall under a dedicated EU oversight framework. Note that credit rating agencies and data reporting service providers are themselves listed as financial entities and must comply with DORA directly.  

Compliance with DORA is essential for fostering a resilient and secure financial ecosystem. 

Why is DORA regulation crucial? 

Embracing a new era of regulatory standards, DORA brings clear advantages to financial institutions, placing operational resilience at the forefront. The key benefits that DORA regulation offers: 

  • Holistic risk management. DORA expands the scope of risk management beyond capital allocation, emphasising a comprehensive approach that covers protection, detection, containment, recovery, and repair capabilities against ICT-related incidents; 
  • Strategic roadmap for digital resilience. Financial entities are prompted to define a robust digital resilience strategy, aligning IT vision with risk-mitigated approaches. This strategic roadmap ensures a proactive stance in handling potential disruptions; 
  • Transparency and incident reporting. DORA demands a structured approach to managing and reporting ICT incidents, fostering transparency. This proactive reporting mechanism ensures that disruptions are promptly addressed and communicated; 
  • Resilience testing for operational fortification. The regulation requires a programme of regular resilience testing, enabling financial institutions to identify vulnerabilities and fortify digital operations. Services like penetration testing, business continuity planning, and threat modelling enhance operational resilience; 
  • Third-party risk mitigation. Recognising the interconnected nature of the financial ecosystem, DORA mandates thorough assessment and mitigation of risks associated with third-party providers. This approach safeguards financial institutions in an era of collaborative financial services. 

In simple terms, the Digital Operational Resilience Act (DORA) sets up financial institutions for success in the digital age by strengthening their ability to handle challenges, improving risk management, and promoting openness in reporting incidents. 

Have questions about DORA or preparation for DORA compliance? Our IT consultants are ready to evaluate your situation and recommend the optimal solution for your financial institution. 

What are the DORA regulation domains?  

For Digital Operational Resilience Act (DORA) compliance, financial institutions need to consider four domains that reshape the landscape of operational risk management:  

  • ICT Risk Management and Governance; 
  • Incident Response and Reporting; 
  • Resilience Testing; 
  • Third-Party Risk Management; 

Each domain has specific requirements that financial entities must embed into their people, processes, and products. Let us walk through each domain, its specifics, and the actions you may take to ensure digital resilience across financial services. 

ICT Risk Management and Governance

The first domain is ICT Risk Management and Governance. Here, the management body (C-level executives and executive committees) bears ultimate responsibility for defining a robust digital resilience strategy. This is a crucial step for financial institutions, making digital resilience a key focus in strategic plans as well as getting ready for DORA compliance.  

Within this domain, services such as developing the IT vision, evaluating core risks, devising mitigation strategies, conducting security and risk assessments, evaluating processes and risks, and preparing exit plans for digital channels play a crucial role. These services build the foundation for a solid digital resilience strategy, making sure the IT vision aligns with a smart, risk-aware approach. 

Incident Response and Reporting 

Let us dive into the second domain, Incident Response and Reporting. Here, the focus is establishing processes for monitoring, managing, logging, classifying, and reporting ICT-related incidents, including the reporting of major incidents to the competent authority. This adds a fresh layer of clarity, making sure any issues are quickly dealt with and communicated. 

Handling Incident Response and Reporting benefits from guidance by a Chief Information Security Officer (CISO). A CISO-as-a-Service offering provides constant watchfulness, supporting a quick response to incidents and solid reporting processes that follow DORA regulations. 

Resilience Testing 

Resilience Testing is the third domain, urging financial entities to conduct regular tests to fortify their digital operations. This proactive method is crucial for finding weaknesses and improving overall operational strength. 

Financial entities identified by their competent authority as significant to the financial system must undergo threat-led penetration testing (TLPT) at least every three years, with their critical ICT third-party providers also participating where they support the tested functions. Detailed regulatory technical standards for TLPT are pending and are expected to align with the TIBER-EU framework for threat intelligence-based ethical red teaming. 

This domain also necessitates services such as digital resilience process implementation, business continuity and resilience planning, and threat modelling. These services identify vulnerabilities, fortify digital operations, and prepare for unforeseen disruptions. 

Third-Party Risk Management 

The fourth important domain is Third-Party Risk Management, acknowledging the interconnected nature of the financial ecosystem. It mandates financial institutions to manage risks associated with third-party providers, a critical aspect in an era of collaborative financial services.  

In the Third-Party Risk Management domain, services such as risk evaluation and mitigation for core vendors and vendor due diligence are key. They make sure the risks of working with external providers are carefully checked and dealt with, reflecting the close-knit nature of the financial sector. 

Critical ICT third-party service providers will be overseen directly at EU level: the European Commission specifies the criteria for designating a provider as critical, and for each designated provider one of the European Supervisory Authorities (ESAs) is appointed as Lead Overseer. The Lead Overseer can request information, conduct inspections, issue recommendations, and impose periodic penalty payments; if a provider does not follow recommendations, competent authorities may ultimately require financial entities to suspend or terminate their contracts with it. 

Fifth, voluntary domain – Information Sharing 

Information Sharing is not mandatory, but DORA encourages financial entities to exchange cyber threat information and intelligence within trusted communities. Separately, financial entities must establish processes to learn from internal and external ICT-related incidents. 

Shared information should follow agreed arrangements that protect business confidentiality and personal data such as personally identifiable information (PII), in line with GDPR. 

Want to start your DORA regulation implementation? Our seasoned fintech experts are ready to guide you through DORA compliance without any worries. 

Digital Operational Resilience Act (DORA) timeline in a nutshell 

Financial entities have about a year of preparation before DORA applies on 17 January 2025 (the regulation itself entered into force in January 2023). This time is essential for getting everything in line with DORA’s rules.  

Here is a quick rundown of key milestones and actions spanning 2023, 2024, and crucial developments in 2025:  

2023 and 2024: Building the foundation  

  • Gap assessment. Initiate the process with a comprehensive gap assessment, analysing your company’s profile, current maturity level, and compliance with existing guidelines and IT risk management standards;  
  • Roadmap development. Define a roadmap with key deliverables to materialise the digital resilience strategy. Consider the upcoming Regulatory Technical Standards (RTS) that supplement DORA;  
  • Alignment with ESAs’ expectations. Institutions must align their frameworks and governance with the expectations of the European Supervisory Authorities (ESAs) to embed overarching risk management practices;  
  • Agility. Given the evolving nature of regulatory standards, ensure that the strategy and framework are sufficiently agile to incorporate new Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS);  
  • Collaboration with IT Partners. Consider teaming up with experienced IT partners. They can guide you through the complex DORA regulation process, providing valuable insights and support to ensure a smoother compliance journey.  

Beginning of 2025: Mandatory resilience testing  

  • Preparation for testing. DORA requires financial entities to test the ICT systems supporting critical or important functions at least yearly, and designated entities to undergo TLPT at least every three years, so commence preparations well in advance. Check and improve your cybersecurity measures so they hold up under rigorous testing, and find and fix any weaknesses that could threaten your digital operations; 
  • Supervisory readiness. Get ready for supervisory review by your competent authority. Make sure your institution is prepared for regular evaluations, testing, and reporting. This means keeping records of your efforts to follow DORA rules and your performance data so you can show how well you are sticking to the regulations.  

End of 2025: Final compliance  

  • Completion of resilience testing. Complete the first cycle of required testing to fortify your digital operations further. This step ensures that your institution actively identifies and addresses potential vulnerabilities, enhancing overall operational resilience against cyber threats; 
  • Compliance assessment. Complete the DORA adoption by evaluating your organisation’s situation against the requirements and the expectations set by the ESAs and your competent authority. This involves demonstrating your institution’s compliance with DORA regulations and showcasing the effectiveness of your digital resilience and risk management strategies; 
  • Ongoing monitoring. Establish reliable mechanisms for continuous monitoring to ensure continuing compliance and resilience against ICT-related incidents. Regularly assess and update your strategies, frameworks, and security measures to stay proactive in the face of emerging threats and evolving regulatory requirements.  

Following this structured timeline not only positions your financial institution for DORA compliance but also fosters a resilient operational environment that can adapt to the dynamic landscape of digital financial services. 

Have you not started with DORA compliance yet? We have got your back! 

As the DORA application date of 17 January 2025 approaches, your financial institution needs a solid plan. Undertaking a comprehensive gap assessment, aligning with current guidelines, and adopting an agile mindset to adapt to changing standards are pivotal. 

Our team of fintech experts, well-versed in regulations, is ready to guide you. With years of experience within the financial field, our team will navigate you through DORA compliance worry-free. 

Book your consultation today. We will review your case and offer the most-suited action plan for your financial institution. 
