As cyber threats continue to grow, the European Union is strengthening digital resilience requirements for financial entities through the DORA Regulation (Digital Operational Resilience Act). The regulation introduces a unified framework designed to improve ICT security, operational resilience, and incident management across the financial sector.
Read this article to learn what the DORA Regulation is, which entities it applies to, and what obligations it introduces for financial institutions and fintech companies.
DORA – What Is This EU Regulation of the European Parliament and of the Council?
The DORA Regulation is part of the EU digital finance legislative package. Its purpose is to create a consistent framework for managing digital operational resilience across the financial sector while adapting regulations to the rapid development of financial technologies.
The regulation was developed by the European Union with support from institutions including the European Central Bank. It establishes unified requirements for ICT risk management, cybersecurity, incident reporting, and operational resilience for financial entities operating within the European Union.
Main Objectives of the DORA Regulation
The main objective of the DORA Regulation is to ensure a high level of digital operational resilience across the financial sector. According to Article 3 of the regulation, digital operational resilience refers to the ability of financial entities to maintain the security and reliability of their ICT systems and continue providing critical services during disruptions or cyber incidents.
The regulation focuses on three key objectives.
Strengthening Digital Resilience
DORA strengthens the digital resilience of financial entities by improving cybersecurity practices, protecting customer data, and supporting cooperation between financial institutions and supervisory authorities.
Financial entities must be able to detect, respond to, and recover from ICT disruptions without interrupting critical services.
Harmonisation of Regulations
The regulation introduces a unified approach to digital operational resilience across the European Union. Harmonised requirements let organisations work to the same standards regardless of the member state in which they are established.
This is particularly important for organisations operating across multiple markets and using shared digital infrastructure.
Eliminating Gaps and Inconsistencies
DORA fills regulatory gaps related to cybersecurity and operational resilience in the financial sector. It introduces clear requirements for:
- ICT risk management,
- incident reporting,
- operational resilience testing,
- third-party ICT risk management,
- continuous monitoring.
The regulation also increases awareness that insufficient digital resilience may threaten the stability of the financial sector as a whole.
In practice, DORA is intended to improve the reliability and security of digital financial services across the European Union.
When Does the DORA Regulation Apply?
The DORA Regulation entered into force on January 16, 2023. Financial entities must comply with its requirements by January 17, 2025.
By that date, organisations are expected to implement ICT risk management frameworks, incident response procedures, resilience testing programs, and third-party ICT risk management processes.
DORA Regulation – Who Does It Apply To? Entities Covered by DORA
The DORA Regulation applies to a broad range of financial entities and ICT service providers operating within the financial sector.
Entities covered by DORA include:
- credit institutions,
- payment institutions,
- electronic money institutions,
- investment firms,
- insurance and reinsurance undertakings,
- insurance intermediaries,
- crypto-asset service providers,
- crowdfunding service providers,
- central counterparties,
- central securities depositories,
- trading venues,
- management companies,
- alternative investment fund managers,
- credit rating agencies,
- data reporting service providers,
- trade repositories,
- securitisation repositories,
- institutions for occupational retirement provision,
- account information service providers,
- administrators of critical benchmarks,
- third-party ICT service providers.
Organisations covered by the regulation must adapt their internal processes, controls, and governance models to meet the new operational resilience requirements.
Key Pillars of the DORA Regulation Related to Third-Party ICT Service Providers
ICT Risk Management
DORA requires financial entities to establish comprehensive ICT risk management frameworks supported by documented policies, procedures, tools, and governance mechanisms.
Organisations must identify, classify, and document ICT-related business functions and ensure appropriate protection of critical systems and infrastructure.
ICT-Related Incidents
The regulation introduces requirements for ICT incident management, including:
- incident detection,
- classification,
- impact assessment,
- response procedures,
- reporting obligations.
Financial entities must report significant ICT-related incidents to the appropriate supervisory authorities within defined timelines.
Digital Operational Resilience Testing
DORA requires organisations to regularly test their digital operational resilience.
Testing should include:
- vulnerability assessments,
- network security testing,
- scenario-based testing,
- penetration testing,
- open-source analysis.
Key ICT systems and applications must be tested at least annually.
ICT Third-Party Risk Management
The regulation introduces strict requirements for managing relationships with external ICT providers, including cloud service providers.
Organisations must:
- assess ICT third-party risks,
- identify critical ICT providers,
- define exit strategies,
- prepare transition plans,
- continuously monitor third-party performance and security.
Information Sharing Arrangements
DORA encourages financial entities to share information related to cyber threats and vulnerabilities.
This includes sharing:
- threat intelligence,
- indicators of compromise,
- tactics, techniques and procedures (TTPs),
- cybersecurity alerts,
- lessons learned from incidents.
The goal is to improve collective resilience across the financial sector.
What Penalties Apply for Non-Compliance with the DORA Regulation?
Financial supervisory authorities have the power to impose penalties on organisations that fail to comply with DORA requirements.
Penalties depend on:
- the severity of the violation,
- the impact on the institution,
- the potential effect on financial stability.
For serious violations, organisations may face fines of up to 10% of annual turnover.
Critical third-party ICT service providers may also face penalties. In some cases, fines may reach up to 1% of the provider’s average daily global turnover for each day of non-compliance.
Beyond financial penalties, non-compliance may also increase operational risk, reputational damage, and regulatory scrutiny.
Benefits of Implementing DORA Requirements
Although DORA introduces significant regulatory obligations, it also provides important business benefits.
Implementing DORA requirements can help organisations:
- improve cybersecurity maturity,
- strengthen operational resilience,
- increase visibility into ICT risks,
- improve incident response capabilities,
- enhance trust among customers and investors,
- standardise risk management processes,
- strengthen governance and oversight.
The regulation also helps organisations better manage dependencies on external ICT providers and improve preparedness for cyber incidents and operational disruptions.
How Should Organisations Prepare for the DORA Regulation?
Organisations should approach DORA implementation as a continuous operational resilience program rather than a one-time compliance initiative.
Financial entities should implement ICT incident management processes that include:
- developing early warning mechanisms,
- defining internal escalation procedures,
- preparing communication plans for employees, customers, regulators, and the media,
- establishing procedures for detecting, monitoring, documenting, classifying, and assessing incidents,
- implementing incident response and recovery procedures,
- assigning responsibilities for different incident scenarios,
- ensuring timely reporting of significant incidents to management and supervisory authorities.
Organisations must also implement regular digital operational resilience testing and continuously monitor ICT risks across both internal systems and external providers.
DORA Regulation – Summary
The DORA Regulation, together with the NIS2 Directive and the Cyber Resilience Act, forms a key part of the European Union’s cybersecurity strategy.
The regulation requires financial entities to strengthen ICT risk management, improve operational resilience, and establish more effective incident management processes. These measures are intended to protect both financial institutions and users of digital financial services.
Organisations that begin preparing early will be better positioned to reduce operational risk, avoid regulatory penalties, and strengthen customer trust.
In practice, DORA compliance is no longer only a regulatory requirement. It is becoming an essential element of operational resilience and long-term competitiveness in the financial sector.