Understanding DORA: The EU’s Vision for a Resilient Digital Economy

Payal Wadhwa

Jan 28, 2025

The European Union has long been at the forefront of shaping forward-thinking data policies. After laws for data protection (GDPR) and comprehensive cybersecurity (NIS Directive), the Digital Operational Resilience Act (DORA) is yet another initiative that demonstrates its commitment to maintaining resilience.

DORA strengthens the financial sector by requiring firms to build critical resilience. Unlike other frameworks, it enforces ICT risk management and testing.

The deadline is January 2025, and according to a McKinsey survey, only 31% of organizations are confident that they’ll meet it! However, most surveyed companies plan to spend about €5-15 million on DORA planning and execution, seeing it as a way to build trust and reliability in their financial services.

We’re here to help you understand DORA’s intricacies so you can fast-track the process and navigate the future of European finance.

TL;DR

  • The EU’s Digital Operational Resilience Act (DORA) aims to enhance ICT risk management and operational resilience for financial entities, with compliance required by January 17, 2025.
  • DORA emphasizes ICT risk management, incident reporting, operational resilience testing, third-party risk management, and information sharing to safeguard financial stability.
  • The European Commission standardizes DORA compliance across the EU, ensuring consistent digital resilience practices within the financial sector by centralizing oversight under the European Supervisory Authorities (ESAs) rather than leaving enforcement to individual national bodies.

What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act, or DORA, is an EU legislative framework for financial entities in the region to protect against information and communication technology (ICT)-related incidents and other cyber threats. The goal is to enhance digital resilience across financial services while standardizing requirements across the member states.

The regulation was published in the Official Journal of the European Union in December 2022, came into force on January 16, 2023, and applies from January 17, 2025. The two-year gap was given for preparation, during which organizations can set up the required systems and improve their processes.

DORA’s reach: Key Entities Impacted

DORA imposes strict requirements on two groups that are essential for maintaining financial stability—financial entities and third-party ICT service providers. More than 22,000 such entities fall within its scope.

Financial entities

The regulation applies to financial entities that use ICT systems to conduct their operations, including:

  • Banks
  • Financial institutions
  • Investment firms
  • Insurance companies
  • Pension funds
  • Asset managers
  • Financial market institutions
  • Crypto-asset service providers
  • Crowdfunding service providers

ICT service providers

It also applies to third-party ICT service providers that support financial entities, such as:

  • Cloud service providers
  • Data centers
  • Cybersecurity services such as incident management
  • Other outsourced IT services

The ICT service providers that are located outside the EU but support EU-based financial institutions are also required to comply with DORA.


The Need for DORA to Strengthen Operational Resilience

As reliance on digital financial services has grown, whether for daily operations or customer transactions, those services have become lucrative targets for attackers. Several high-profile incidents exposed the sector’s under-preparedness for breaches, system failures, and operational disruptions. Take the global IT outage caused by CrowdStrike—banks, insurance companies and airlines, every sector slowed down, and it was one of the largest outages in IT history.
So, one of the prime reasons for establishing DORA was to protect sensitive financial information from cyber risks and attacks.

Secondly, the requirements for ICT risk management varied across EU member states, leading to inconsistent and inefficient practices. Many financial entities were also increasingly outsourcing to third-party ICT providers, which introduced additional risks without adequate oversight. DORA standardizes the requirements, creating a fair and consistent playing field for all financial entities in the region while also minimizing third-party risk.

Lastly, the legislation was created in the interest of customers, who expect uninterrupted services even during incidents. The Act helps financial entities maintain operational continuity and build customer trust.

How the European Commission Shapes DORA Compliance

The European Commission’s role in DORA extends beyond its traditional legislative function: it acts as a harmonizer, a strategic overseer, and a global influencer on digital resilience.

Unlike other EU regulations, such as GDPR, where interpretation varies by jurisdiction, DORA thrives on standardization. The EU Commission acts as an anchor that holds everything together and ensures consistent practices across the diverse financial sector in the region.

Enforcement of regulations like GDPR is managed by the national Data Protection Authorities (DPAs) in each country, with the Commission overseeing it only at a broader policy level. Under DORA, however, oversight is more centralized under the European Supervisory Authorities (ESAs), which comprise the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA).
For example, lead overseers have been appointed to monitor the resilience of third-party ICT providers and to work with the Commission and the supervisory bodies to mitigate the risks posed by vendor dependencies.

Beyond enforcement, the Commission plays an active role in balancing innovation with resilience by addressing new and emerging risks such as AI and blockchain. And above everything, the Commission promotes DORA globally as a benchmark of digital resilience and acts as a frontline defender of security.

DORA’s Five Essential Pillars

The five pillars of DORA form the foundation of the framework: together they mitigate ICT risks and safeguard the financial sector’s stability.

The 5 DORA pillars are:

ICT Risk Management (Articles 5-11)

The first pillar of DORA requires organizations to establish and adopt a comprehensive ICT risk management framework to identify, mitigate, and recover from ICT-related disruptions. It also calls for a clear governance structure for ICT risk management in which senior management defines risk tolerance, reviews and approves policies, creates accountability, and oversees implementation. The requirements include:

  • Creating an ICT asset inventory and mapping data flows through the various systems, software and devices to pinpoint associated risks
  • Conducting risk assessment and analysis to understand the likelihood and impact of the identified risks; these must be conducted annually or whenever a significant incident occurs
  • Implementing policies, such as information security and backups, and technical controls, such as encryption and firewalls, to mitigate the risks
  • Developing and testing business continuity and disaster recovery plans
  • Continuously monitoring and managing risks in real time and reporting any issues promptly

ICT-related Incident Management, Classification and Reporting (Articles 15-17)

The next DORA pillar sets incident reporting and management requirements for financial entities to ensure ICT-related incidents are effectively handled. Organizations must create a robust incident response plan with clear roles and responsibilities and establish mechanisms for anomaly detection, incident containment, and mitigation. The requirements include:

  • Identifying incidents and classifying them based on severity levels
  • Establishing protocols for incident escalation to the right people
  • Reporting incidents to the competent authorities within the stipulated period, with all required details
  • Conducting root cause analysis and implementing measures for improvement

The severity level of an incident is decided based on operational impact, financial impact, reputational damage, regulatory implications and other factors. A major incident under the Act is one that causes significant disruption of services, affects a high number of users or clients, results in a significant data breach, or has a cascading effect on other financial entities.

The notification deadlines are as follows:

  • Initial report: Within 24 hours of incident awareness and no later than 4 hours after classifying the event as major
  • Interim report: Within 72 hours of the initial report
  • Final report: Within one month of the interim report
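The reporting windows above, turned into a deadline calculator as an added example (not code from the original post or from any regulator). It assumes the initial deadline is the earlier of the two initial-report limits listed, that each later window starts from the actual submission of the previous report (or, until submitted, from its deadline), and that "one month" means one calendar month.

```python
"""DORA major-incident reporting deadlines (added example, not from the post).
Assumptions: initial deadline = earlier of awareness + 24 h and classification
+ 4 h; "one month" = one calendar month, day clamped to the target month."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime
    interim: datetime  # firm only once the initial report has been submitted
    final: datetime    # firm only once the interim report has been submitted


def add_one_month(ts: datetime) -> datetime:
    """Calendar-month addition, clamping the day (e.g. Jan 31 -> Feb 28/29)."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def initial_deadline(aware_at: datetime, classified_at: datetime) -> datetime:
    """Earlier of (awareness + 24 h) and (classification + 4 h).

    The 24 h cap is the edge case that bites slow triage: an incident
    classified as major 22 h after awareness leaves only 2 h to report."""
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    return min(aware_at + timedelta(hours=24), classified_at + timedelta(hours=4))


def reporting_deadlines(aware_at: datetime, classified_at: datetime,
                        initial_submitted_at: Optional[datetime] = None,
                        interim_submitted_at: Optional[datetime] = None) -> ReportingDeadlines:
    """All three deadlines. Until a report is actually submitted, the next
    window is projected from the previous deadline (the latest possible start)."""
    initial = initial_deadline(aware_at, classified_at)
    interim = (initial_submitted_at or initial) + timedelta(hours=72)
    final = add_one_month(interim_submitted_at or interim)
    return ReportingDeadlines(initial, interim, final)


def sample_case() -> dict:
    """Constructed sample: awareness 31 Jan 09:00 UTC, classified major 22 h later."""
    aware = datetime(2025, 1, 31, 9, 0, tzinfo=timezone.utc)
    d = reporting_deadlines(aware, aware + timedelta(hours=22))
    return {k: getattr(d, k).isoformat() for k in ("initial", "interim", "final")}


if __name__ == "__main__":
    for stage, due in sample_case().items():
        print(f"{stage:8s} due {due}")
```

In the sample, the 24-hour awareness cap binds, so the initial report is due at 09:00 on 1 February rather than four hours after classification.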

Operational Resilience Testing (Articles 12-14)

DORA mandates regular ICT system testing for financial entities to ensure they can withstand and recover from incidents and restore normal business operations quickly. The goal is to strengthen the resilience strategy and remediate the weaknesses identified during testing so as to keep pace with digital threats. The key requirements under this pillar include:

  • Identifying in-scope ICT systems and infrastructure
  • Selecting a testing methodology and approach, such as vulnerability assessments, penetration tests, threat-led penetration testing, or scenario-based testing; the frequency of tests must also be defined
  • Executing tests and simulated disruptions, including evaluating third-party service providers
  • Analyzing the test results and identifying areas of improvement

Third-party Risk Management (Articles 28-33)

The next pillar under DORA emphasizes the importance of managing risks associated with ICT third-party service providers. It acknowledges the increasing reliance on vendor services and requires financial entities to maintain robust oversight of operational resilience risks posed by such partnerships. The following are the requirements under this pillar:

  • Identifying critical third-party relationships
  • Conducting vendor due diligence, risk assessments and onsite or virtual security audits to understand vendor risk profiles
  • Including security and compliance clauses in Service Level Agreements (SLAs)
  • Establishing continuous monitoring systems to track third-party systems in real time for both risk and performance

Information Sharing Arrangements (Articles 19-21)

The fifth pillar under DORA focuses on strengthening the entire financial sector’s resilience by establishing systems for information sharing on threats, vulnerabilities, and risks. The goal is to promote collective learning and threat intelligence sharing to minimize any effort duplication while strengthening the financial ecosystem. The requirements include:

  • Deploying threat intelligence platforms or other secure information-sharing mechanisms
  • Participating in industry forums and other collaborative engagements for knowledge sharing
  • Establishing mechanisms for validating and updating the shared information
  • Using data loss prevention tools and other techniques to protect sensitive information while sharing insights to ensure compliance with data protection and privacy laws


DORA and Its Interaction with Other EU Regulations

The beauty of EU regulations, whether it’s GDPR, NIS2, CRA, or DORA, is that while each has its own focus, they complement each other well. The security practices implemented for one can serve as a foundation to enhance the others.

Here’s how DORA interacts with other EU regulations:

DORA and GDPR

While GDPR focuses on protecting personal data, DORA focuses on the operational resilience of financial entities. The two complement each other in various ways, and the controls built for one provide a security foundation for the other.

For example, DORA requires financial services to have robust incident response mechanisms, third-party risk management practices and business continuity and data availability measures. These can be used to prepare for GDPR, which also requires incident response notifications (even though with different timelines), secure third-party data processing and availability of personal data.

DORA and NIS2

The key difference between DORA and the Network and Information Systems Directive (NIS2) is their sector focus—NIS2 covers essential services and digital service providers. However, cybersecurity, risk management and operational resilience are central to both frameworks. They intersect at many points, such as supply chain risk management in NIS2 and third-party risk management in DORA, or resilience testing in DORA and regular testing and audits in NIS2. Both regulations aim to ensure that organizations are well equipped to handle evolving digital threats and attacks.

DORA and CRA

The EU Cyber Resilience Act (CRA) requires hardware and software products to maintain cybersecurity standards throughout their lifecycle. Establishing DORA baselines can reduce the compliance burden for CRA by minimizing duplication of effort for vulnerability management, incident response and a risk management framework. Similarly, the manufacturers that are CRA compliant can offer secure digital products that can help meet operational resilience requirements for DORA.

Why is the UK’s Operational Resilience Regime Compared to DORA?

The UK Operational Resilience Regime is a framework designed to enhance the operational resilience of the finance sector in the UK and is often compared to DORA. Here is how the two stand against each other:

Basis | UK’s Operational Resilience Regime | DORA
--- | --- | ---
Objective | Enhance operational resilience across the financial sector in the UK | Strengthen ICT risk management for financial entities in the EU
Oversight | Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) | European Supervisory Authorities (ESAs)
Scope | Broader, covering various operational risks beyond ICT | ICT-focused
Approach | Principle-based | Prescriptive
Final rule timeline | Expected in 2025 | Effective January 2025
Critical Third-Party (CTP) alignment | Designed to align with DORA to reduce regulatory friction | Includes detailed requirements for critical third-party providers
Compliance burden | Helps institutions operating in both regions use a unified framework | Specific obligations for EU-based financial institutions

What should financial entities start doing already?

The European Commission will continue to ensure that DORA remains relevant and adaptive so as to uphold the highest standards of operational resilience. If you are starting to prepare for it now, begin by understanding the key pillars and evaluating where you stand. Implement robust incident management systems, identify your critical vendors, review existing contracts, and start testing your organization’s capability to withstand and recover from ICT disruptions.
If you’re looking for an implementation partner that can do the heavy lifting for you, count on Sprinto.

Under Bring-Your-Own-Framework, the platform lets you enable custom frameworks: you import the relevant criteria and map them to Sprinto controls. The platform provides implementation guidance and lets you leverage automated control checks, common control mapping, automated evidence collection, customizable policy templates and continuous monitoring mechanisms. These capabilities help you move from months of work to weeks, with maximum output for minimal effort.

FAQs

What are the penalties for DORA?

Fines for financial institutions can go as high as 2% of their annual worldwide turnover, while individuals could face penalties of up to €1,000,000. For third-party ICT service providers, the stakes are even higher, with fines reaching €5,000,000, and individuals could be fined up to €500,000. Depending on how serious the violation is, regulators might even suspend operations.

What is DORA for TPRM?

DORA for Third-party Risk Management (TPRM) highlights the crucial role the Act plays in ensuring that financial entities identify and mitigate ICT-related risks posed by third-party vendors. Key requirements include risk assessments of third parties, oversight and accountability, security audits for critical vendors, and continuous

How should entities prepare for DORA?

To prepare for DORA, entities must:

  • Understand the requirements and evaluate current practices
  • Develop an ICT risk management framework
  • Establish a strong governance structure
  • Implement required policies and controls
  • Establish a third-party risk management program
  • Establish strong incident management procedures
  • Train employees
  • Monitor and improve