The EU Digital Operational Resilience Act (DORA) became applicable on 17 January 2025, two years after it entered into force in January 2023.
The aim of the regulation is to strengthen the resilience of the financial sector against various digital risks, including cyber threats and technological failures.
It introduces a comprehensive framework that requires financial institutions to implement robust operational resilience measures and to be better prepared and able to respond to ICT (information and communication technology) disruptions.
Key provisions of the Act cover ICT risk management, incident reporting, digital operational resilience testing and auditing, and third-party risk management.
But what does DORA mean in practice for businesses and what do they need to be aware of?
Tiernan Connolly, Managing Director, Cyber and Data Resilience practice at Kroll
“DORA specifically requires organizations to first identify their critical business processes and then map them to the core technology assets as well as the third parties that support them. This essentially leads companies to identify critical dependencies and risks and ensure real-time monitoring as well as regular testing of these dependencies.
“DORA is poised to influence the cybersecurity landscape by requiring greater transparency in incident reporting, harmonizing testing standards such as red teaming, and enforcing strict third-party risk management protocols. These changes will lead businesses to adopt proactive and sustainable resilience measures, reduce long-term risks and strengthen digital operational integrity.
“While DORA is currently receiving a lot of attention, there is of course another EU regulation on the horizon: the EU Cyber Resilience Act, which will undergo phased implementation culminating in full applicability by 2027. It primarily focuses on building robust mechanisms to manage security and vulnerabilities into vendor development and after-sales support processes for products with digital elements. This will complement DORA by ensuring that vendors are also responsible for the security of the products that business organizations consume.”
Joe Vaccaro, head of Cisco ThousandEyes
“What is key about DORA is the extension of digital resilience to include the ICT suppliers that financial services companies rely on to deliver their services to customers.
“In an Internet-centric architecture, you cannot restart the Internet. So businesses need a new operating position to handle the disruption. They need to understand what their hidden dependencies are. For example, you may be using a third-party service for voice and messaging functionality in your app, but do you know the service’s dependencies, such as which cloud provider it’s hosted on?
“For financial services organizations, this means they will need to understand how they can identify and inventory their third-party dependencies, map them, and deploy processes to continuously monitor that connectivity.
“Not just financial transactions, but all digital experiences today are powered by a digital supply chain that includes both proprietary and non-proprietary networks. While DORA may apply to the financial services sector, achieving digital resilience in the face of disruption is a boardroom issue no matter what industry you’re in.”
Andre Troskie, EMEA Field CISO, Veeam
“At a minimum, organizations must ensure third parties have robust risk management processes in place. As part of this, organizations must require a renegotiation of all third-party Service Level Agreements (SLAs) to establish compliance with DORA as a fundamental prerequisite for work. Although time-consuming, organizations cannot afford to underestimate the importance of ensuring third-party compliance.”
Richard Lindsay, Senior Advisor at Orange Cyberdefense
“Non-compliance is likely to have serious consequences. First, the financial services industry is an attractive target for bad actors, and the likelihood of a breach has never been higher. Second, DORA is not toothless – fines of up to 1% of global daily turnover and over €1m for individual senior management are significant and can certainly be used by IT and security leaders to reiterate to the board the importance of cyber security and compliance regulations.
“All in all, DORA does not mandate anything revolutionary. Most can be addressed by investing in comprehensive cyber risk assessment, integrated incident reporting, cyber resilience testing and cross-framework governance. However, in the tangle of new regulations, it is understandable that many firms are taking a more reactive approach to compliance requirements once the threat of retaliation becomes tangible.”
Desre Sheen, head of the UK Financial Services advisory practice at Capgemini
“Financial institutions are signaling that they have reached the minimum required for compliance. However, the main challenge will be to maintain and develop the core culture over time. In addition, all plans must be living documents because the definition of a critical business service can change. It is also important to remember that all regulations require a certain level of interpretation, which means that not every business will be equally compliant.”
John Smith, CTO, Veracode EMEA
“Among the steps organizations will need to take, a key step will be to implement a comprehensive digital operational resilience testing program that includes a wide range of testing methodologies to thoroughly assess the security and resilience of their systems. Regular vulnerability assessments and scans are essential for organizations to identify potential weaknesses in software systems. It is also essential to conduct open source analyses to evaluate the security and licensing risks associated with any open source components integrated into their applications.
“DORA also mandates threat-led penetration testing (TLPT) for critical systems. To meet this requirement, organizations should begin by identifying all relevant ICT systems, processes and technologies that support their critical functions and operations, including those that are outsourced, and assess which functions need to be covered by penetration tests.
“Besides the mantra of test, test and test again, DORA emphasizes ICT security awareness and training. Organizations should implement mandatory ICT security awareness programs and digital operational resilience training for all employees, including senior management. These programs should be tailored to match the complexity of the various roles and responsibilities within your organization and should include software security best practices focusing on secure coding practices and their importance to maintaining overall security.”
Tim Wright, partner and technology lawyer at Fladgate
“Smaller firms in particular face greater challenges due to resource constraints and the complexity of DORA’s 500-plus requirements, as well as having to deal with a wide range of third-party service providers. This is compounded by the fact that DORA casts such a wide net that it captures a wide range of providers that do not provide typical IT services, and we often see firms catering to DORA’s extensive requirements using a one-size-fits-all approach. If a firm is experiencing issues that mean it cannot fully comply by the deadline, it should demonstrate a good faith effort and maintain open communication with regulators. Authorities are likely to take a targeted approach to enforcement, focusing on significant and visible violations.
“In terms of potential punitive measures for non-compliance, it is the usual EU approach of less carrot, more stick, with the risk of large fines in the worst cases. In addition, penalties of up to 1% of average daily global turnover for up to six months may be imposed for continued non-compliance. Other possible sanctions include public reprimands, restrictions on business activity and potential license suspension.
“While the initial cost of implementation will be significant, especially for smaller firms (relatively speaking), the long-term benefits of increased operational resilience and improved risk management are expected to return the investment, as implementation will lead to a safer and more resilient financial ecosystem. DORA will also create an increase in demand for cyber security professionals, particularly those with experience in financial sector regulation and ICT risk management, and in the long term the increased demand represents significant opportunities for career progression and recognition for cyber security professionals.”
Bob Wambach, Vice President of Product Portfolio at Dynatrace
“For the time being, only the banks will have to comply. Financial services firms in both Europe and the UK must be prepared not only to meet the basic requirements of DORA, but also to enable their teams to respond immediately to operational disruptions and cyber incidents. This means going beyond check-box compliance measures. Organizations must prioritize continuous testing of their services and first adopt a culture of resilience. Converging observability and security data to support real-time anomaly detection using artificial intelligence is the optimal way to quickly assess risks before they escalate into full-blown incidents that cross compliance limits and leave customers exposed.
“It remains to be seen how strictly EU regulators will enforce the DORA rules, but one thing is certain: no financial institution wants to be the first to fall behind,” he added.
Andrew Rose, CSO at SoSafe
“For many organizations in financial services and ICT, industries that have been a key target for cybercriminals in recent years, the impact of DORA should be minimal. These industries have already developed the cyber maturity to defend against and comply with regulatory scrutiny, prioritizing areas such as risk management, incident response, operational resilience testing and third-party risk management – requirements that DORA will now enforce.
“However, previously unregulated firms that will now fall under DORA, such as credit rating agencies and certain types of exempt loans, factoring and mini-bonds, and those associated with new financial models such as crypto exchanges and peer-to-peer lending platforms, will experience a new level of control requirements. That said, there is no need to worry, because DORA simply requires a sensible level of controls on a wider scale, and given the losses we have seen from many crypto firms (over $2 billion lost in 2024), it cannot come soon enough.
“Given that most cyber breaches originate from human error, oversight and omission, any attempt to derive real value from compliance such as DORA will only be effective if it is accompanied by awareness, education and training for users, their families and customers. Technologies used by attackers are evolving at a rapid pace, and while compliance is critical, empowering our people to be our first line of defense must also be a priority.”