The European Union has ushered in a new era for financial sector security with the full implementation of the Digital Operational Resilience Act (DORA). The regulation, which entered into force on January 16, 2023, and became applicable as of January 17, 2025, aims to strengthen the information and communication technology (ICT) security of financial entities across the EU.
DORA, officially Regulation (EU) 2022/2554, creates a unified regulatory framework to ensure the financial sector can withstand, respond to, and recover from all types of ICT-related disruptions and threats. The regulation's philosophy is based on the belief that digital resilience is a prerequisite for the stability and reliability of the financial system. Prior to DORA, operational risk management primarily focused on allocating capital to cover potential losses, an approach that failed to fully address ICT resilience. The new regulation closes this gap by recognizing that ICT incidents can threaten the stability of the entire financial system.
The Scope of DORA
DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU. Its broad scope includes banks, insurance companies, investment firms, crypto-asset service providers, payment and electronic money institutions, and critical third-party ICT providers, such as cloud platforms and data analytics services. The regulation applies the principle of proportionality, allowing for simplified implementation for smaller enterprises.
The Five Pillars of DORA
The regulation is structured around five key pillars designed to create a holistic resilience framework:
ICT Risk Management: Entities are required to establish a comprehensive framework to identify, assess, and mitigate ICT risks. This includes identifying all ICT-supported business functions and their related assets.
ICT-Related Incident Reporting: DORA establishes a standardized process for reporting major ICT-related incidents to competent authorities. Firms must implement systems to monitor, detect, and classify incidents, with specific timelines for reporting.
Digital Operational Resilience Testing: Financial entities must conduct regular testing of their ICT systems to assess their resilience. This includes annual basic testing and, for significant entities, advanced threat-led penetration testing (TLPT) at least every three years.
ICT Third-Party Risk Management: The regulation places a strong emphasis on managing risks originating from third-party ICT service providers. Financial entities remain fully responsible for compliance, even when outsourcing. Contracts must include specific clauses allowing for audits and inspections by the entity and regulators.
Information Sharing: DORA encourages financial entities to participate in arrangements for sharing cyber threat information and intelligence.
Penalties and Enforcement
Non-compliance with DORA can lead to significant penalties. Financial entities may face fines of up to 2% of their total annual worldwide turnover. For individuals, fines can reach €1,000,000. Critical ICT third-party providers face even higher fines. Furthermore, Member States can impose criminal penalties for severe violations. Regulators have the authority to conduct inspections, demand remedial actions, and suspend contracts with ICT providers.
The implementation of DORA marks a critical shift for the EU's financial sector, moving the focus from simple capital adequacy to a more holistic and proactive approach to digital resilience. Organizations are now tasked with embedding these requirements into their strategies and daily operations to ensure the stability and integrity of the European financial system in the new digital age.
