The EU’s Digital Operational Resilience Act (DORA) regulations came into effect on January 17, 2025, two years after they were officially adopted.
The regulation aims to strengthen the financial sector’s resilience to a range of digital risks, including cyber threats and technology failures.
It establishes a comprehensive framework that requires financial institutions to take strong operational resilience measures and better prepare for and respond to information and communications technology (ICT) disruptions.
Key provisions of the Act include risk management, incident reporting, testing and auditing, and third-party risk management.
But what does DORA actually mean for businesses, and what should they keep in mind?
Tiernan Connolly, MD, Kroll’s Cyber and Data Resiliency Practice
“DORA explicitly requires organizations to first identify critical business processes and then map these to the underlying technology assets and third parties that support them. This essentially guides enterprises to identify critical dependencies and risks and ensure real-time monitoring and regular testing of these dependencies.
“DORA will impact the cybersecurity landscape by increasing transparency in incident reporting, harmonizing testing standards such as red teaming, and enforcing rigorous third-party risk management protocols. These changes will force businesses to adopt proactive and sustainable resilience measures to reduce long-term risk and improve the integrity of their digital operations.
“While DORA is currently receiving a lot of attention, of course another EU regulation is on the horizon: the EU Cyber Resilience Act. The bill will be phased in and fully implemented by 2027. DORA’s main focus is on building strong security and vulnerability management mechanisms, which are included in the supplier’s development and post-sales support processes for products with digital elements. This will complement DORA by ensuring that suppliers are also responsible for the security of products consumed by business organizations.”
Joe Vaccaro, CEO of Cisco ThousandEyes
“At its core, DORA is about expanding digital resilience to include the ICT providers that financial services companies rely on to serve their customers.
“In an Internet-centric architecture, you cannot reboot the Internet. Therefore, businesses need a new operating system to manage outages. They need to understand what hidden dependencies are. For example, you may use a third-party service for your application’s voice and messaging capabilities, but do you know the dependencies of that service, such as the cloud provider on which it is hosted?
“For financial services organizations, this means understanding how to deploy processes to discover and catalog third-party dependencies, map them, and track those connections on an ongoing basis.
“Not only financial transactions, but all digital experiences today are powered by digital supply chains that span proprietary and non-owned networks. DORA may apply to the financial services sector, but achieving digital resilience in the face of disruption is a matter for boards of directors, no matter what industry they operate in.”
Andre Troskie, CISO, EMEA, Veeam
“Organizations should, at a minimum, ensure that third parties implement robust risk management processes. As part of this, organizations should require the renegotiation of all third-party service level agreements (SLAs) to ensure DORA compliance is an essential prerequisite of their business. No matter how time-consuming it may be, organizations cannot underestimate the importance of ensuring third-party compliance.”
Richard Lindsay, Senior Advisory Consultant, Orange Cyberdefense
“If left to do so, there are likely to be serious consequences. First, the financial services industry is an attractive target for malicious actors and the likelihood of a breach has never been higher. Second, DORA is not ruthless. With fines of up to 1% of global daily turnover and more than €1 million for individual senior executives, it could certainly be used by IT and security leaders to reiterate the importance of cybersecurity and board compliance.
“By and large, DORA does not require anything through its innovative requirements. Most problems can be solved by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing, and cross-framework governance. However, as new regulations become more complex and threats of retaliation become more visible, it is understandable that many companies will take a more reactive approach to compliance requirements.”
Desre Sheen, Head of Capgemini’s UK Financial Services Consulting Practice
“Financial institutions are signaling that they have achieved the minimum level of compliance required. However, the main challenge is maintaining and developing the underlying culture over time. Additionally, any plan must be a living document because the definition of critical business services may change. It is also important to keep in mind that all regulations require some level of interpretation. This means that not all companies will be equally compliant.”
John Smith, Veracode EMEA CTO
“A key step organizations should take is to implement a comprehensive digital operational resiliency testing program that encompasses a wide range of testing methodologies to thoroughly assess the security and resiliency of their systems. Regular vulnerability assessments and scans are important for organizations to identify potential weaknesses in their software systems. It is also important to perform open source analysis to assess the security and licensing risks associated with open source components integrated into your application.
“DORA also mandates threat-driven penetration testing (TLPT) for critical systems. To comply with this requirement, organizations must identify all relevant ICT systems, processes and technologies that support critical functions and operations, including functions outsourced to third-party providers, and assess which functions should be covered in penetration testing.
“DORA goes beyond the principle of test, test, test again and emphasizes ICT security awareness and education. Organizations should implement mandatory ICT security awareness programs and digital operational resilience training for all employees, including senior management. These programs should be tailored to the complexity of the various roles and responsibilities within the organization and should include software security best practices with a focus on secure coding practices and their importance in maintaining overall security.”
Tim Wright, Partner and Technology Attorney at Fladgate
“Small businesses in particular face greater challenges due to resource constraints, the complexity of DORA’s 500-plus requirements, and the need to deal with a wide range of third-party service providers. This is further complicated by the fact that DORA casts a wide net that catches a wide range of providers who do not offer general IT services and companies gold-plate DORA’s broad requirements and take a one-size-fits-all approach. If your company is having trouble achieving full compliance by the deadline, you must demonstrate good faith efforts and maintain open communication with regulators. Authorities are likely to take a targeted approach to enforcement, focusing on serious and visible violations.
“In terms of potential punitive measures for non-compliance, the EU’s usual approach is to offer fewer carrots, more sticks and, in the worst case scenario, huge fines. Additionally, continued non-compliance may result in periodic fines of up to 1% of average daily global turnover for up to six months. Other potential sanctions include public censure, restrictions on business activities, and potential license suspension.
“The initial implementation costs will be significant. This is especially true (relatively speaking) for small businesses. The long-term benefits of improved operational resilience and improved risk management are expected to deliver a return on investment as implementation leads to a safer and more resilient financial ecosystem. DORA will also lead to a surge in demand for cybersecurity professionals, particularly those with expertise in financial sector regulation and ICT risk management, but in the longer term, increased demand also presents significant opportunities for career advancement and recognition of cybersecurity professionals.”
Bob Wambach, Vice President of Dynatrace Product Portfolio
“Compliance only applies to banks so far. Financial services companies in Europe and the UK must not only meet the basic requirements of DORA, but also empower their teams to respond immediately to operational disruptions and cyber incidents. This means going beyond check-box compliance measures. Organizations must prioritize continuous testing of their services and embrace a culture of resilience first. Integrating observability and security data to support real-time AI-based anomaly detection is the optimal way to quickly assess risk before it escalates into a full-blown incident that violates compliance thresholds and exposes customers.
“It is yet to be seen how strictly EU regulators will enforce the rules related to DORA, but one thing is certain: no financial institution wants to be the first to suffer shortfall.”
Andrew Rose, CSO of SoSafe
“The impact of DORA should be minimal for many organizations in the financial services and ICT industries, which have been key targets of cybercrime in recent years. These industries have already developed the cyber maturity to defend themselves and comply with regulatory scrutiny by prioritizing areas such as risk governance, incident response, operational resilience testing, and third-party risk management, which are requirements that DORA will enforce.
“However, previously unregulated companies that will now fall within the scope of DORA, such as credit rating agencies and certain types of exempt lending, factoring and mini-bonds, as well as those involved in new financial models such as crypto exchanges and peer-to-peer lending platforms, will experience a new level of control requirements. However, there is no cause for alarm, as DORA simply requires a reasonable level of control over a broader scope, and given the losses seen by many cryptocurrency companies (more than $2 billion lost in 2024), this cannot come soon enough.
“Given that most cyber breaches result from human error, oversight and omission, any attempt to extract real value from compliance with regulations such as DORA must be complemented by awareness, education and training of users, their families, customers and everyone else to be effective. The technologies attackers use are evolving at a rapid pace, and compliance is essential, but empowering employees to be the first line of defense is also a top priority.”