By Peter Given, Jade Kowalski, Tim Ryan, Mathew Rutter & Alistair Cooper


Published 20 August 2024

Overview

The EU Digital Operational Resilience Act (DORA) applies from 17 January 2025 and changes how financial entities prevent, respond to and recover from cyber threats and other ICT-related disruptions.

In this article, we summarise key information about DORA and what financial institutions need to be aware of, now that it is enforceable.


What is DORA? 

DORA is an EU regulation (Regulation (EU) 2022/2554) introduced to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. It is designed to enhance the digital resilience of the EU financial sector so that the sector remains stable and secure in an increasingly digital landscape.


What is the purpose of DORA? 

The primary purpose of DORA is to strengthen the digital operational resilience of EU-regulated financial institutions. By implementing DORA, the EU aims to mitigate the risks associated with ICT disruptions and cyber threats, thus protecting the financial system's integrity and stability. DORA seeks to: 

  1. Ensure that financial entities can manage and withstand ICT disruptions
  2. Improve the overall cybersecurity posture of the financial sector
  3. Establish a harmonised regulatory framework for digital operational resilience across the EU


Who does DORA apply to?

DORA applies to a very broad range of EU-regulated financial entities (as set out in Article 2 of DORA). This includes banks, insurance companies, investment firms, payment service providers, and other financial institutions. Entities must adhere to its requirements to avoid penalties and ensure they can continue operating within the EU's financial market. 

DORA also creates an oversight framework for critical ICT service providers (these service providers are designated as critical under Article 31 of DORA). 

Although DORA does not apply in the UK, it is still relevant for many UK-based financial entities with operations in the EU (e.g., EU-regulated affiliates) and UK ICT service providers who offer services to financial entities in the EU.


What are the five pillars of DORA?

DORA is built upon five pillars that outline the core focuses for financial entities to achieve digital operational resilience. Around each pillar DORA sets out very prescriptive requirements. In summary, these pillars are: 

  1. ICT risk management: Financial entities must implement robust ICT risk management frameworks to identify, assess, and mitigate ICT-related risks effectively
  2. ICT incident management and reporting: Entities must establish mechanisms for identifying, classifying and, where required by DORA, reporting ICT-related incidents to the relevant authorities
  3. Digital operational resilience testing: Regular testing of ICT systems and processes is mandated to ensure they can withstand disruptions and cyber threats
  4. Third-party risk management: Financial institutions must manage risks associated with their reliance on third-party ICT service providers, ensuring these providers meet the necessary resilience standards; this pillar also mandates, among other things, certain provisions that must be included in financial entities' agreements with third-party ICT service providers
  5. Information sharing: DORA encourages financial entities to share information on cyber threats and vulnerabilities to foster a collaborative approach to improving the sector's resilience


Speak to us about DORA

DORA is a complex regulation with exacting requirements. We can advise on these requirements and help you put strategies in place to maintain compliance. Contact one of our experts below for further information.
