Digital Operational Resilience Act: Compliance will only take banks so far

The EU Digital Operational Resilience Act (DORA) came into effect on 17 January 2025, two years after its official adoption.

The aim of the regulation is to strengthen the resilience of the financial sector against various digital risks, including cyber threats and technology failures.

It establishes a comprehensive framework that requires financial institutions to implement robust resilience measures and to be better prepared for ICT (information and communication technology) disruptions.

Key provisions of the Act include risk management, incident reporting, testing and auditing, and third-party risk management.

But what does DORA mean in practice for businesses, and what do they need to keep in mind?

Tiernan Connolly, MD, Cyber and Data Resilience Practice at Kroll

“DORA explicitly requires organisations to first identify their critical business processes and then map them to the underlying technology assets and the third parties that are. This essentially guides companies to identify critical dependencies and risks and ensure real-time monitoring as well as regular testing of these dependencies.

“DORA is intended to impact the cybersecurity landscape by mandating high transparency in incident reporting, harmonising testing standards such as red teaming, and requiring stringent third-party risk management protocols. These changes encourage businesses to adopt proactive and sustainable measures for resilience, reduce long-term risk and strengthen digital operational integrity.

“While DORA is currently getting a lot of attention, another EU regulation is on the horizon: the EU Cyber Resilience Act, which will undergo a phased implementation culminating in full applicability by 2027. It builds a security and vulnerability management mechanism into the supplier development and after-sales support process for products with digital elements. This complements DORA by ensuring suppliers are also responsible for the security of the products that business organisations consume.”

Joe Vaccaro, Head of Cisco ThousandEyes

“Under DORA, expanding digital resilience is key, which includes the ICT suppliers that financial services companies rely on to deliver their services to customers.

“In an internet-centric architecture, you can’t go and restart the internet. So businesses need a new operating posture to handle the disruption. They need to understand what their hidden dependencies are. For example, you may use a third-party service for voice and messaging functionality in your app, but do you know the service’s dependencies, such as cloud hosting?

“For financial services organisations, this means they will need to understand how they can discover and inventory their third-party dependencies, map them and deploy processes to track that connection.

“Not just financial transactions, but all digital experiences today are driven by a digital supply chain that spans owned and unowned networks. While DORA may apply to the financial services sector, achieving digital resilience in the face of disruption is a boardroom issue no matter what sector you’re in.”

Andre Troskie, EMEA Field CISO, Veeam

“At the very least, you need organisations to ensure third parties have robust risk management processes in place. As part of this, the organisation must require all third-party Service Level Agreements (SLAs) to be negotiated for this compliance as a basic prerequisite for work. Although time-consuming, organisations cannot afford to underestimate third-party compliance.”

Richard Lindsay, Senior Advisor at Orange Cyberdefense

“Remaining non-compliant is likely to have serious consequences. First, the financial services industry is an attractive target for bad actors, and the likelihood of a breach has never been higher. Second, DORA is not toothless: fines of up to 1% of global daily turnover and over €1m for individual leadership are meaningful and can certainly be used by security leaders to reiterate the importance of cyber security and compliance with the advice.

“All in all, DORA doesn’t demand anything revolutionary. Most can be addressed by investing in understanding cyber risk insurance, integrated incident reporting, cyber resilience testing and cross-framework management. However, amid the tangle of new regulations, it is understandable that many firms are taking a more reactive approach to compliance requirements once the threat of a recovery becomes tangible.”

Desre Sheen, head of UK financial services advisory practice at Capgemini

“Financial institutions are signalling that they have reached the minimum required for compliance. However, the main challenge will be to maintain and develop the core culture over time. Additionally, all plans must be living documents, as the definition of a critical business service may change. It is also important to remember that all regulations require some level of interpretation, and this means that not every business will be equally compliant.”

John Smith, Veracode EMEA CTO

“Among the steps organisations will need to take, a key one will be implementing a digital operations testing programme that uses a wide range of testing methodologies to thoroughly assess their systems’ security and support. Regular vulnerability assessments and scans are essential for organisations to identify potential weaknesses in a software system. It is also important to conduct open source analysis to evaluate the security and licensing risks associated with any open source component integrated into their applications.

“DORA also mandates threat-led penetration testing (TLPT) for critical systems. To meet this requirement, organisations should start by identifying all systems, processes and ICT technologies that support their critical functions and operations, including those outsourced to third-party providers, and assess which functions need to be covered by penetration tests.

“In addition to the mantra of test, test and test, DORA re-emphasises ICT security awareness and training. Organisations should implement mandatory ICT security and digital operational resilience programmes for all employees, including senior management. These programmes should be tailored to match the complexity of different roles and responsibilities in your organisation and should include software security best practices, with a focus on secure coding practices and their importance in maintaining overall security.”

Tim Wright, partner and technology lawyer at Fladgate

“Smaller firms in particular face greater challenges due to resource constraints and the complexity of DORA’s 500-plus requirements, as well as having to deal with a wide range of third-party service providers. This is compounded because DORA casts such a wide net to catch a wide range of providers who do not provide typical IT services and often see companies that cater to extensive DORA requirements and cover one six approvals. Where a firm is faced with meeting full compliance by a deadline, it should demonstrate good-faith efforts and maintain open communication with regulators. Authorities are likely to adopt targeted enforcement approaches focusing on significant and visible violations.

“In terms of potential punitive measures for non-compliance, this is the usual EU approach of fewer carrots, more sticks, with the risk of mega fines for the worst cases. In addition, periodic penalties of up to 1% of average daily global turnover can be imposed for continued non-compliance, lasting up to six months. Other potential sanctions include public reprimands, business restrictions and potential suspensions.

“Although the initial cost of implementation will be significant, especially for smaller firms (relatively speaking), the longer-term benefits of increased operational resilience and improved risk management are expected to return the investment, as implementation will lead to a safer and more resilient financial ecosystem. DORA will also create an increase in demand for cyber security professionals, particularly those with expertise in financial sector regulation and ICT risk management, and in the longer term the increased demand presents significant opportunities for career advancement and recognition as a cyber security professional.”

Bob Wambach, VP Product Portfolio at Dynatrace

“Compliance will still only take banks so far. Financial services companies in both Europe and the UK need to be prepared not only to meet the basic requirements of DORA, but to empower their teams to respond immediately to operational disruptions and cyber incidents. This means going beyond check-box compliance measures. Organisations must prioritise continuous testing of their services and first adopt a culture of resilience. Converging observability and security data to support real-time, AI-powered anomaly detection is the optimal way to quickly assess risks before they escalate into full-blown incidents that breach compliance thresholds and leave customers exposed.

“It remains to be seen how stringently EU regulators will enforce the rules surrounding DORA, but one thing is certain: no financial institution wants to be the first to fall short.”

Andrew Rose, CSO at SoSafe

“For many financial services and ICT organisations that have been key targets for cybercriminals in recent years, the impact of DORA should be minimal. These industries have already developed the cyber maturity to defend and comply with the regulatory vote, prioritising areas such as risk management, incident liability, operational resilience testing and third-party risk management, requirements that DORA will now.

“For previously unregulated firms that now fall within the scope of DORA, such as credit rating agencies and certain types of exempt loans, factoring and mini-bonds, and those associated with new financial models such as cryptocurrencies and peer-to-peer lending platforms, there is a new level of control requirements. However, there is no cause for alarm, because DORA simply requires a sensible level of controls across a wider range, and given the losses we’ve seen from many crypto firms (over $2 lost in 2024), it can’t come soon enough.

“Given that most cyber breaches originate from human error, oversight and omission, any attempt to derive real value from complying with regulations such as DORA will only be effective if accompanied by awareness, education and training for users, their families and customers. Technologies used by attackers are evolving at a pace, and while compliance is essential, our people must also be a priority to become our first line of defence.”
