The EU’s Digital Operational Resilience Act (DORA) came into full effect on January 17, 2025, two years after its formal adoption.
The regulation aims to strengthen the resilience of the financial sector against a range of digital risks, including cyber threats and technology failures.
It establishes a comprehensive framework that requires financial entities to put in place robust operational resilience measures and to be better prepared for, and able to respond to, ICT (Information and Communications Technology) disruptions.
Key provisions of the Act include ICT risk management, incident reporting, testing and audit, and third-party risk management.
But what does DORA mean, in practice, for businesses, and what do they need to be aware of?
Tiernan Connolly, MD, Cyber and Data Resilience practice at Kroll
“DORA explicitly requires organisations to first identify their critical business processes, and then map them to the underlying technology assets, as well as third parties that support them. This essentially guides firms towards identifying critical dependencies and risk, and ensuring real-time monitoring, as well as regular testing of these dependencies, is in place.
“DORA is set to influence the cybersecurity landscape by mandating higher transparency in incident reporting, harmonising testing standards like red teaming, and enforcing stringent third-party risk management protocols. These changes will prompt businesses to adopt proactive and sustainable resilience measures, reducing long-term risks and enhancing digital operational integrity.
“While DORA is currently getting a lot of attention, there is, of course, another EU regulation on the horizon: the EU Cyber Resilience Act, which will undergo a phased implementation culminating in full applicability by 2027. Its primary focus is on building robust security and vulnerability management mechanisms into vendors’ development and post-sale support processes for products with digital elements. This will complement DORA by ensuring vendors are also accountable for securing the products which enterprise organisations consume.”
Joe Vaccaro, head of Cisco ThousandEyes
“What’s key about DORA is the broadening of digital resilience to include the ICT suppliers that financial services companies rely on to deliver their services to customers.
“In an Internet-centric architecture, you can’t go and reboot the Internet. So businesses need a new operational posture to manage disruptions. They need to understand what their hidden dependencies are. For example you might be using a third-party service for voice and messaging features in your application, but do you know the dependencies of that service, like which cloud provider it’s hosted on?
“For financial services organisations, this means they will need to understand how they can discover and inventory their third-party dependencies, to map them, and to deploy processes to track that connectivity on an ongoing basis.
“Not just financial transactions but all digital experiences today are powered by a digital supply chain that spans across owned and unowned networks. While DORA may apply to the financial services sector, achieving digital resilience in the face of disruptions is a boardroom issue no matter what industry you’re in.”
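Both Connolly’s point about mapping critical business processes to the technology assets and third parties behind them, and Vaccaro’s point about hidden dependencies (the cloud provider behind your messaging provider), come down to a dependency graph. The following is an added illustration, not code from the article, Kroll or Cisco: the registers (function names, asset names and provider names such as `AcmePay` and `CloudNorth`) are constructed, and the sub-outsourcing map is an assumed input that a real firm would have to obtain from its providers’ contracts and due-diligence responses. It walks the graph to find direct and hidden providers per critical function and then flags providers on which every critical function depends.

```python
"""Constructed example: map critical business functions -> ICT assets ->
third parties -> fourth parties, then report hidden dependencies and
provider concentration. All names and relationships below are invented."""

from collections import defaultdict

# Constructed register: business function -> ICT assets it depends on.
FUNCTIONS = {
    "payments": {"core-ledger", "payment-gateway", "customer-notify"},
    "customer-onboarding": {"kyc-service", "customer-notify"},
    "intraday-reporting": {"reporting-warehouse"},
}
# Which of those functions the firm has classified as critical (assumed).
CRITICAL_FUNCTIONS = {"payments", "customer-onboarding"}

# Constructed register: asset -> provider operating it (None = run in-house).
ASSET_PROVIDER = {
    "core-ledger": None,
    "payment-gateway": "AcmePay",
    "customer-notify": "MsgCo",
    "kyc-service": "VerifyLtd",
    "reporting-warehouse": "DataCloud",
}

# Constructed sub-outsourcing map: provider -> providers it itself relies on.
# In practice this comes from contracts and due diligence, not from discovery.
PROVIDER_DEPENDS_ON = {
    "AcmePay": {"CloudNorth"},
    "MsgCo": {"CloudNorth"},
    "VerifyLtd": {"CloudSouth"},
    "DataCloud": set(),
    "CloudNorth": set(),
    "CloudSouth": set(),
}


def transitive_providers(provider, graph):
    """Every provider reachable from `provider` via sub-outsourcing (excluding itself).
    Iterative DFS with a visited set, so cycles in the map cannot loop forever."""
    seen, stack = set(), [provider]
    while stack:
        current = stack.pop()
        for dep in graph.get(current, ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def providers_for_function(function):
    """Return (direct, hidden) provider sets for one business function.
    `direct` are providers the firm contracts with; `hidden` are fourth parties
    reached only through a direct provider."""
    direct, hidden = set(), set()
    for asset in FUNCTIONS[function]:
        provider = ASSET_PROVIDER[asset]
        if provider is None:          # in-house asset, no external dependency
            continue
        direct.add(provider)
        hidden |= transitive_providers(provider, PROVIDER_DEPENDS_ON)
    return direct, hidden - direct


def concentration_report(critical=CRITICAL_FUNCTIONS):
    """Map each provider (direct or hidden) to the critical functions that depend on it."""
    report = defaultdict(set)
    for function in critical:
        direct, hidden = providers_for_function(function)
        for provider in direct | hidden:
            report[provider].add(function)
    return dict(report)


def single_points_of_failure(critical=CRITICAL_FUNCTIONS):
    """Providers whose outage would disrupt every critical function at once."""
    report = concentration_report(critical)
    return sorted(p for p, fns in report.items() if fns == set(critical))


if __name__ == "__main__":
    for fn in sorted(CRITICAL_FUNCTIONS):
        direct, hidden = providers_for_function(fn)
        print(f"{fn}: direct={sorted(direct)} hidden={sorted(hidden)}")
    print("single points of failure:", single_points_of_failure())
```

On this constructed data the firm has no contract with `CloudNorth`, yet it is a single point of failure for both critical functions because two unrelated direct providers are hosted there; that is the hidden-dependency case the quotes describe, and it only shows up once the sub-outsourcing map is included in the walk.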
Andre Troskie, EMEA field CISO, Veeam
“At a minimum, organisations need to ensure that third-parties implement robust risk management processes. As part of this, organisations need to require the renegotiation of all third-party service level agreements (SLAs) to cement DORA compliance as an essential prerequisite for work. Although time-consuming, organisations can’t afford to underestimate the importance of securing third-party compliance.”
Richard Lindsay, principal advisory consultant at Orange Cyberdefense
“Remaining non-compliant is likely to have severe ramifications. Firstly, the financial services industry is an attractive target for bad actors, and the likelihood of breach has never been higher. Secondly, DORA is not toothless – fines of up to 1% of worldwide daily turnover and over €1m for individual senior leadership are significant and can certainly be used by IT and security leaders to reiterate the importance of cybersecurity and compliance to the board.
“All in all, DORA doesn’t mandate anything by way of revolutionary requirements. Most can be addressed by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance. However, amid the tangle of new regulations, it’s understandable that many firms are taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible.”
Desre Sheen, head of UK Financial Services Consulting Practice at Capgemini
“Financial institutions are signalling that they have achieved the minimum required for compliance. However, the main challenge will be sustaining and evolving the underlying culture over time. Additionally, all plans need to be living documents, as the definition of a critical business service may change. It’s also important to be mindful that all regulations require a certain level of interpretation, and that means not every firm will be equally compliant.”
John Smith, Veracode EMEA CTO
“Among the steps organisations will need to take, a key one will be implementing a comprehensive digital operational resilience testing program that encompasses a wide range of testing methodologies to thoroughly assess their systems’ security and resilience. Regular vulnerability assessments and scans are crucial for organisations to identify potential weaknesses in software systems. It is also vital to conduct open-source analyses to evaluate the security and license risks associated with any open-source components integrated into their applications.
“DORA also mandates threat-led penetration testing (TLPT) for critical systems. To comply with this requirement, organisations should start by identifying all relevant ICT systems, processes, and technologies that support their critical functions and operations, including those outsourced to third-party providers, and assess which functions must be covered by the penetration tests.
“Beyond the mantra of test, test, and test again, DORA emphasises ICT security awareness and training. Organisations should implement compulsory ICT security awareness programs and digital operational resilience training for all employees, including senior management. These programs should be tailored to match the complexity of different roles and responsibilities within your organisation, and should include software security best practices, with a focus on secure coding practices and their importance in maintaining overall security.”
Tim Wright, partner and technology lawyer at Fladgate
“Smaller firms in particular face greater challenges due to resource constraints and the complexity of DORA’s 500-plus requirements, as well as having to deal with a wide range of third-party service providers. This is compounded because DORA casts such a wide net, catching a wide range of providers who do not supply typical IT services, and we are often seeing firms gold-plating DORA’s extensive requirements and taking a one-size-fits-all approach. Where a firm faces issues meeting full compliance by the deadline, they should demonstrate good faith efforts and maintain open communication with regulators. Authorities are likely to take a targeted approach to enforcement, focusing on significant and visible breaches.
“In terms of potential punitive measures for non-compliance, it’s the usual EU approach of less carrot, more stick, with the risk of mega fines for the worst cases. On top of that, periodic penalty payments of up to 1% of average daily worldwide turnover can be imposed for continued non-compliance, lasting up to six months. Other potential sanctions include public reprimands, business activity restrictions and potential license suspensions.
“While the initial implementation costs will be substantial, especially for smaller firms (relatively speaking), the expectation is that the longer-term benefits of enhanced operational resilience and improved risk management will pay back the investment, as implementation will lead to a more secure and resilient financial ecosystem. DORA will also create a surge in demand for cybersecurity professionals, particularly those with expertise in financial sector regulations and ICT risk management, but in the longer term the increased demand presents significant opportunities for career advancement and recognition for cybersecurity professionals.”
Bob Wambach, VP Product Portfolio at Dynatrace
“Compliance will only take banks so far. Financial services firms both in Europe and the UK must be prepared not just to meet the baseline requirements of DORA, but to empower their teams to respond instantly to operational disruption and cyber incidents. This means going beyond checkbox compliance measures. Organizations must prioritise continuous testing of their services and embrace a culture of resiliency first. Converging observability and security data to support real-time, AI-powered anomaly detection is the optimal way to rapidly assess risks before they escalate into full-blown incidents that breach compliance thresholds and leave customers exposed.
“It remains to be seen how strictly EU regulators will enforce the rules surrounding DORA, but one thing is certain: no financial institution wants to be the first to fall short.”
Andrew Rose, CSO at SoProtected
“For many organisations within financial services and ICT, industries that have been a key target for cyber criminals in recent years, the impact of DORA should be minimal. These industries have already developed cyber maturity to defend themselves and adhere to regulatory scrutiny, prioritising areas such as risk governance, incident response, operational resilience testing, and 3rd party risk management – requirements that DORA will now enforce.
“However, for previously unregulated firms that will now fall into the scope of DORA, such as credit rating agencies and certain types of exempt lending, factoring, and mini-bonds, and those associated with new financial models, such as crypto exchanges and peer-to-peer lending platforms, they will experience a new level of control requirements. There is no reason for alarm however as DORA simply requires a sensible level of controls across a wider scope, and given the losses we have seen from many crypto firms (more than $2b lost in 2024) this cannot come soon enough.
“Given that the majority of cyber breaches originate from human error, oversight and omission, any attempt to extract real value from becoming compliant with regulations such as DORA will only be effective if supplemented with awareness, education and training for both users, their families and customers. Technologies used by attackers are developing at pace and while compliance is essential, empowering our people to become our first line of defence must also be a priority.”