TL;DR:
- DORA (Regulation (EU) 2022/2554) is an EU regulation, effective January 2025, that sets a consistent baseline for how financial entities manage ICT risk and operational resilience.
- It is built around five pillars covering risk management, incident reporting, resilience testing, third-party oversight, and information sharing.
- Financial entities must prove resilience in practice, including strict regulatory reporting timelines for major ICT incidents and regular testing of their ability to withstand disruption.
- While aligned with ISO 27001, DORA is more prescriptive and enforceable, making digital operational resilience a regulatory requirement rather than a best-practice choice.
What DORA is, who it affects, and what “good” looks like
If you run a financial services business in the EU, or you provide tech to one, DORA (the Digital Operational Resilience Act) is now part of your world.
DORA (formally Regulation (EU) 2022/2554) is EU legislation designed to make sure financial services can keep running even when technology fails or gets attacked. Think cyber incidents, cloud outages, ransomware, broken change releases, supplier problems, and all the messy real-life things that stop systems working.
DORA entered into force on 16 January 2023 and has applied from 17 January 2025.
DORA essentially takes the best of what works well already and makes these good practices a baseline for institutions within the EU to follow in a uniform manner.
Over the last decade or so, large financial organisations have invested heavily in ICT risk management, service availability protection and disaster recovery, both internally and through third-party oversight. However, these practices have developed inconsistently and unevenly across the EU, with regulatory duplication and varying levels of enforcement.
By establishing a comprehensive EU-wide regulatory framework, DORA aims to ensure that banks, insurers, investment firms, payment companies, crypto service providers and other financial market participants can withstand, respond to, recover from, and adapt to cyber-attacks and system failures.
This is not a “write a policy and tick a box” regulation. It expects you to prove you can prevent, detect, respond to, and recover from ICT disruption, and that you control your third-party risk properly.
Who needs to care?
DORA applies across a wide range of financial organisations (banks, insurers, investment firms, payment institutions, and many more). One of the big points is consistency: instead of every country doing resilience differently, DORA standardises expectations across the EU.
ICT suppliers to financial entities
If you provide ICT services to EU financial firms (cloud, hosting, managed services, SaaS, security tooling, core platforms, outsourced IT), you are not directly “regulated like a bank”, but you will feel DORA through procurement, contract changes, audits, assurance demands, incident reporting obligations, and testing requirements.
And if you end up designated as a critical ICT third-party provider, there is an EU oversight regime run through the European Supervisory Authorities.
The five pillars DORA covers
DORA is easiest to understand as five connected pillars, each addressing a critical aspect of digital operational resilience:
- ICT risk management
- ICT-related incident management and reporting
- Digital operational resilience testing
- ICT third-party risk management
- Information sharing arrangements
Let’s break those down in practical terms.
ICT risk management: show me you’re in control
Financial entities must maintain a formal, well documented ICT risk management framework that identifies critical systems, assigns clear ownership, and enables the continuous management of ICT risk. That framework must support the protection of systems, the timely detection of incidents, an appropriate response to disruption, and the controlled recovery of services.
The key point is that under DORA, resilience must be embedded into day to day operations. It is not enough to have policies in place. Financial entities must be able to demonstrate that their controls and processes operate effectively in practice.
Incident reporting: know what is reportable, and be ready to prove your process
This pillar aims to harmonise how financial entities detect, manage, classify, and report ICT-related incidents across the EU. The challenge is not just speed. Financial entities need a clear and repeatable process for assessing incidents, deciding whether they are reportable, and escalating them through the right channels. DORA’s incident management framework is designed to ensure that reporting decisions are supported by governance, documentation, and a consistent internal process, rather than being made ad hoc under pressure.
For major ICT-related incidents, financial entities must be able to provide timely notifications and follow-up reports to the relevant competent authority. That means being able to show how decisions were made, who was responsible, and why the response followed the right process. In practice, the real test is whether a firm can make the right reporting decision quickly and support it with clear evidence, not just whether it can submit a form on time.
Reporting timelines for a major ICT-related incident
- Initial notification: within 4 hours of classification as major, and no later than 24 hours after detection.
- Intermediate report: within 72 hours.
- Final report: within 1 month.
Digital operational resilience testing
This pillar requires financial entities to regularly test their ability to withstand and recover from ICT disruptions, not just document policies. For the same reason we have fire drills, a well-rehearsed disruption contingency plan means less service downtime!
These tests range from basic vulnerability assessments and scenario-based exercises to disaster recovery testing. For larger institutions, threat-led penetration testing, which simulates a real-world attack based on current threat intelligence, should form part of conforming to this pillar. It helps an institution’s security staff assess where improvement is needed, as well as practise mitigating threats in real time.
ICT third-party risk management
This pillar addresses the interactions and risks involved with third-party organisations and the supply chain. Financial entities must maintain a clear inventory of ICT service providers, understand which suppliers support critical or important functions, and assess concentration risk. Contracts with ICT providers must include minimum security, availability, audit, and exit requirements.
It is the responsibility of the financial entity that outsources to third parties to ensure that its partners adopt good standards of digital security and operational resilience. Contracts should therefore be reviewed periodically to confirm that monitoring standards are up to scratch, and if they are not, the discrepancies and risks must be documented. All of this should form part of the financial entity’s ICT third-party risk strategy.
Given the modern-day dependency on centralised cloud computing, this pillar is very important.
Information sharing arrangements
DORA encourages voluntary information sharing between financial entities on cyber threats, vulnerabilities, and incidents. Although participation is optional, collaboration ensures a collective resilience across the sector by sharing intelligence on attack techniques, indicators of compromise and emerging risks.
A current example is the sector body FS-ISAC, which was set up specifically to share information between financial sector entities in order to maintain resilience throughout the industry.
DORA vs ISO 27001: what’s the real difference?
The real difference is purpose. ISO 27001 is a general standard for managing information security across any organisation. DORA is a financial sector regulation focused specifically on digital operational resilience under ICT disruption.
That matters because, while the two share some common foundations, they are designed to achieve different things. ISO 27001 helps organisations build and maintain a structured security management system. DORA goes further for in-scope financial entities by setting more specific and enforceable expectations around operational resilience, including incident reporting, resilience testing, third-party risk management, and the ability to demonstrate that these arrangements work in practice.
In simple terms, ISO 27001 helps firms build a strong security baseline. DORA builds on similar principles, but applies them in a more targeted way to make sure financial services can withstand, respond to, and recover from disruption.
Penalties and enforcement
The penalties for non-compliance aren’t completely clear, as this passage quoted directly from the DORA regulation itself (Regulation (EU) 2022/2554, Article 50) shows:
“Without prejudice to the right of Member States to impose criminal penalties in accordance with Article 52, Member States shall lay down rules establishing appropriate administrative penalties and remedial measures for breaches of this Regulation and shall ensure their effective implementation.”
Essentially, this leaves it to each individual EU member state to decide the level of sanctions at its own discretion.
Conclusion
DORA is not trying to reinvent cybersecurity or operational resilience in the financial sector; rather, it regulates and removes inconsistencies among institutions across the EU that are already well run.
As financial entities become increasingly reliant on shared infrastructure and cloud computing, the impact of a single point of failure only grows. DORA recognises this reality and makes it clear that being able to keep services running through disruption is just as important as preventing incidents in the first place.
Similarly, the new EU Cyber Resilience Act (CRA) sets a clear direction and security baseline for products and technology entering the market.
References:
https://www.digital-operational-resilience-act.com/Article_50.html