What is: DORA?

DORA

As of 17 January 2025, every licensed financial institution located in the European Union (EU), and (largely through the contractual requirements it imposes) any organisation that provides or intends to provide ICT services to one, has to comply with a new regulation dubbed the Digital Operational Resilience Act, or DORA for short. This piece of EU legislation aims to ensure that organisations operating in the financial services industry are prepared for and protected against ICT risk from a number of different perspectives, so that a failure at one of them does not pose a risk to the overall financial ecosystem of the EU.

DORA has been built on five main pillars:

  • ICT Risk Management
  • Incident Reporting
  • Digital Operational Resilience Testing
  • ICT Third-Party Risk Management
  • Information Sharing

Each of these pillars tackles a different area in which an organisation may carry unmanaged risk that can have a detrimental effect on its ability to operate. We will discuss each of these pillars further on, but first let’s take a brief look at the timeline associated with this regulation.

The European Commission published its proposal for DORA in September 2020 as part of the Digital Finance Package (DFP). The regulation was adopted by the European Parliament and the Council in November 2022 and entered into force in January 2023. That started a 24-month preparatory period during which financial institutions, ICT third-party service providers and national supervisory authorities could work towards compliance, with the act becoming applicable, and therefore enforceable, from 17 January 2025.

European Banking Authority (EBA) – https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act

Now that the timeline of DORA is explained, we can delve into the different pillars, what they mean for financial institutions, and what needs to be done in order to ensure that each institution is compliant.

As a general note, it is important to point out that although the regulation itself is a single document (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554&from=FR), it is supplemented by a host of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS). These were drafted after the regulation by the three European Supervisory Authorities (EBA, EIOPA and ESMA) and adopted by the Commission, and they spell out in detail what each part of the regulation actually requires (for example, how to classify incidents, what the register of ICT contracts must contain, and how threat-led penetration tests must be run). They are the practical guide for teams implementing measures to comply with the act.

ICT Risk Management

This is about building a strong foundation. Every financial institution must maintain an ICT risk management framework: the policies, processes and governance structures needed to identify, protect against, detect, respond to and recover from ICT risk. DORA places ultimate responsibility for that framework on the management body, so it is not just about installing firewalls; it is about having a culture of resilience across the whole company, owned at board level.

Examples:

  • A bank must map all critical IT systems (online banking, payment processing, ATM networks) and understand what happens if one goes down.
  • They must ensure backups, disaster recovery sites, and business continuity plans are ready.
  • A fintech firm processing card payments would need a clear playbook: if their payment gateway fails, how do they reroute transactions to keep shops running?

Incident Reporting

It’s not enough to fix problems internally. Regulators want to know when major ICT-related incidents occur so they can spot systemic risks (for example, ten banks all being down because of the same cloud outage).
DORA sets uniform rules for classifying incidents, using criteria such as the number of clients affected, duration and service downtime, geographical spread, data losses, the criticality of the services affected and the economic impact. Incidents that cross the “major” thresholds must be reported to the competent authority in stages: an initial notification, an intermediate report and a final report, each with its own deadline and template. Note that an incident does not have to be a cyberattack to be reportable; an outage caused by a failed change counts just as much as one caused by an attacker.

Examples:

  • A stockbroker experiences a denial-of-service attack on its trading platform. If the disruption crosses the classification thresholds (for instance in duration or the number of clients unable to trade), it must be reported.
  • A mobile banking app is down across Europe for half a day due to a failed software update — the provider reports this so regulators can judge if clients’ trust and market stability are at risk.

Digital Operational Resilience Testing

It’s one thing to say “We’re Secure” but another to prove it. DORA requires every financial institution to run a testing programme proportionate to its size and risk, from vulnerability scans and scenario-based tests up to advanced Threat-Led Penetration Testing (TLPT) for the entities designated by their competent authority. TLPT has to be carried out at least every three years and, crucially, against live production systems rather than a test environment. This ensures companies don’t just plan on paper but stress-test their systems against realistic cyberattack scenarios.

Examples:

  • A large bank undergoes a “red team” exercise where ethical hackers simulate insider threats, ransomware, and phishing campaigns.
  • A smaller credit union runs disaster recovery tests to make sure customer data can be restored within hours if their servers fail.
  • Insurance companies might simulate a simultaneous cyberattack and hardware crash to check if claims processing can continue.

ICT Third-Party Risk Management

Financial institutions are deeply reliant on third-party providers (cloud hosting, data analytics, payment processors). DORA is clear that outsourcing a service does not outsource the responsibility: if your provider fails, you are still accountable. Firms must keep a register of information covering all their contractual arrangements with ICT providers, perform due diligence before signing, include specific mandatory provisions in contracts, assess concentration risk rather than putting all their eggs in one basket, and maintain exit strategies for services supporting critical functions. Providers deemed critical to the EU financial sector are additionally placed under direct oversight by the European Supervisory Authorities.

Examples:

  • A bank using a public cloud service provider must have contract terms that cover security, availability and service levels, data location, support during ICT incidents, and access, inspection and audit rights for both the bank and its regulators.
  • If a payment provider outsources fraud monitoring to another tech firm, the bank must check their subcontractors too in order to cover due diligence for the whole supply chain.
  • A hedge fund might need a backup provider if its main algorithm-trading platform goes offline.

Information Sharing

Cybercriminals often attack multiple institutions at once. DORA encourages (though does not mandate) secure sharing of threat intelligence (patterns of attacks, phishing domains, malware strains) within the financial ecosystem through voluntary arrangements, with participating firms notifying their competent authority. This way, learning spreads faster than the attacks.

Examples:

  • Banks in the EU notice a new type of phishing text message targeting mobile payment apps. They share the details (while anonymising customer data) so peers can block the scam before it spreads.
  • Payment processors exchange insights about a ransomware gang’s tactics, helping smaller firms that might not have the same resources prepare better.

In summary, all of these five pillars are interwoven to cover all aspects of operational resilience in the digital realm, making DORA a robust regulatory framework aimed at protecting the financial ecosystem of the EU as well as its citizens.

  • ICT Risk Management ensures firms prepare.
  • Incident Reporting ensures firms report problems quickly.
  • Digital Operational Resilience Testing ensures firms prove their resilience.
  • ICT Third-Party Risk Management ensures firms manage supplier dependencies.
  • Information Sharing ensures firms learn collectively.