Digital Operational Resilience Act (DORA)
What the New EU DORA Regulation Means for Businesses
Cyberattacks, system failures, and digital dependencies: these are all issues that businesses are increasingly facing. Resilience against IT-based disruptions of any kind is particularly crucial in the financial sector, where digital systems form the backbone of business processes.
This is precisely where the EU’s Digital Operational Resilience Act (DORA) comes in. This regulation is aimed at making a significant contribution to strengthening the European financial market against cyber risks and information and communication technology (ICT) incidents.
What is DORA?
DORA, EU Regulation 2022/2554, came into force in January 2023 and became mandatory on January 17, 2025. The aim is to strengthen the digital operational resilience of companies in the financial sector, i.e., to ensure that they remain functional even in the event of serious IT disruptions or cyberattacks. These binding measures to strengthen IT security affect not only internal IT systems, but also components provided by external partners and service providers.
Who Must Apply DORA?
DORA became mandatory for all regulated companies in the financial sector in January 2025. These include, for example:
- Banks
- Insurers
- Payment service providers
- Investment firms
- Crypto service providers
- IT service providers with critical relevance (e.g., cloud providers, data centers).
Core Areas of DORA
DORA aims to strengthen the digital operational resilience of the entire European financial sector and covers six key areas.
DORA Requirements for Classifying and Reporting ICT Incidents
Chapter III of DORA includes the obligation to implement management processes that cover not only the handling of ICT-related incidents, but also the monitoring, logging, classification, and reporting of ICT-related incidents.
DORA defines an ICT-related incident as an unplanned event or series of related events affecting the security of network and information systems and having an adverse impact on the availability, authenticity, integrity, or confidentiality of data or on the services provided by the financial institution (Art. 3 No. 8 DORA).
If an incident is classified as serious in accordance with Art. 3 No. 10 and Art. 18 DORA, it is subject to mandatory reporting. This includes, for example, cyberattacks or system failures, which must be reported to the competent supervisory authorities within a short period of time and supplemented by specific measures to restore system security.
Testing Digital Operational Resilience
Chapter IV, Articles 24 to 27 of DORA require all financial companies to comprehensively test their information and communication technology, for which a risk-based, proportionate testing program must be established.
With DORA now in force, financial companies are required to carry out regular technical tests, for example to:
- test the resilience of IT systems
- analyze open-source software
- test network security and physical security in financial companies
- perform gap analyses and scenario-based tests, compatibility tests, or penetration tests.
This is intended to help financial companies identify, among other things, whether and how well they are prepared for ICT incidents and where they may have vulnerabilities in their digital operational resilience.
DORA Requirements Also Apply to Third-Party Management
Cooperation with and/or provision of solutions by external IT service providers must be transparent, controllable, and clearly regulated by contract. Chapter V, Section I, Articles 28 to 30 of DORA therefore also deals with the risks that may arise from the use of ICT services with third-party service providers.
DORA requires financial companies to assess and monitor ICT third-party risks. A risk assessment and due diligence must therefore be carried out before the contract is concluded. Financial service providers must also consider, throughout the entire period of service provision by an external service provider, how dependent they are on the respective third-party ICT service provider and what risks could arise from the contractual relationship. It must also be ensured that the third-party provider in question can provide support in the event of an ICT incident and, if necessary, can also present exit strategies.
Supervisory Framework for Critical Third-Party Providers
Within the framework of EU financial market regulation, Chapter V, Section II, Articles 31 to 44 of DORA also deals with how the application of DORA should be further specified with regard to critical third-party providers. The aim here is to promote the convergence and efficiency of supervisory approaches to ICT third-party risk in the financial sector and to strengthen the digital operational resilience of financial firms and, at the same time, the stability of the EU financial system as such.
The supervisory framework focuses on those third-party ICT service providers that have been designated by the European supervisory authorities as critical or requiring supervision on the basis of a classification process. The criteria for this are set out in Article 31(2) of DORA and will be supplemented in future by a delegated regulation of the European Commission. The specific guidelines and regulatory and technical implementation standards will be developed by the following three EU authorities:
- European Securities and Markets Authority (ESMA)
- European Banking Authority (EBA)
- European Insurance and Occupational Pensions Authority (EIOPA).
Exchange of Information and Cyber Crisis and Emergency Exercises
In Chapter VI, Article 45, and Chapter VII, Article 49, DORA encourages the exchange of information and insights on cyber threats in order to strengthen the digital operational resilience of the European financial sector. This is because it makes perfect sense to be aware of possible indicators of disruptions, new threat patterns and tactics, techniques and procedures, cybersecurity alerts and configuration tools in order to avoid potential gateways to even greater risks.
What Does DORA Mean in Practice?
Most companies in the European financial sector should now have completed their measures to comply with the Digital Operational Resilience Act.
But even after successfully reviewing, adapting, and implementing all necessary internal processes, IT systems, and contracts, they must continue to keep an eye on DORA. This is because ICT risks will require further iterations against the backdrop of continuous technological developments.
DORA Will Continue to Cause Compliance Effort
Even after meeting DORA requirements, many companies will have to regularly review their internal processes, contracts, and IT systems and adjust them if necessary.
IT Security Becomes a Top Priority with DORA
The management of financial companies is explicitly responsible for the proper implementation of the DORA requirements, which once again highlights how important it is for the entire EU financial market to strengthen its resilience to cyberattacks and thus promote trust and stability in the digital financial market.
DORA Has Consequences for Cooperation with IT Service Providers
Clear contracts with third-party providers, comprehensive risk assessments, and escalation plans are mandatory to ensure third-party provider management in accordance with DORA requirements.
Conversely, third-party providers must demonstrate to companies in the financial sector that they comply with DORA requirements and will respond with appropriate measures in the event of an ICT incident.
DORA Strengthens Documentation Requirements
Everything must be documented in a traceable manner—from risk analysis to incident reporting, there is a comprehensive documentation requirement that also includes third-party providers.
For example, around 80 percent of banks in Germany use WebID's digital identification and signature procedures, and for many of these customers the DORA requirements have already been implemented on schedule.