As we become more reliant on digital systems, the frequency and sophistication of cyber attacks, hacking, and financial scams continue to rise.
According to IT Governance, over 2.2 billion records were breached across 457 incidents in Europe in 2024 alone.
The financial sector remains one of the most vulnerable industries to cyber attacks, with potentially devastating consequences.
In 2020, the EU Systemic Risk Board examined cyber risk across the EU financial sector.
It found that vulnerabilities often stem from how businesses utilise technology and networks.
Interconnected CRM, payment, and finance systems, reliance on third-party providers, and operations spanning multiple jurisdictions all contribute to the heightened risk.
What The Research Shows
European breach volumes remain high, with IT Governance reporting over 2.2 billion records exposed across 457 incidents in 2024 alone.
That scale of exposure is one reason regulators are tightening expectations around ICT resilience in financial services.
The Five Pillars of DORA
To strengthen digital security, DORA introduces five core requirements - or "pillars" - for financial entities.
1. ICT Risk Management
Organisations must establish internal governance to identify, manage, and mitigate ICT risks.
This includes frameworks for setting objectives and overseeing risk management activities.
2. Managing ICT Third-Party Risk
Firms must assess third-party ICT providers and remain accountable for all regulatory obligations, even when outsourcing critical ICT services.
3. Reporting ICT-Related Incidents
Any major incident affecting systems must be promptly reported to the appropriate supervisory authority.
Affected organisations must also submit interim and final reports outlining impact, root cause, and actions taken.
4. Testing Digital Operational Resilience
Entities must test their ICT systems regularly, and at least once a year.
Larger firms must also carry out threat-led penetration testing every three years.
5. Information Sharing
Firms are encouraged to collaborate and share threat intelligence, provided it's done securely and in line with GDPR requirements.
DORA Compliance for Financial Entities
Implementing DORA will be complex.
Many of the detailed requirements were not available at launch, making the two-year implementation window challenging for firms already transitioning to ISO 27001:2022.
Crucially, DORA is an EU regulation, meaning it automatically applies across all member states without separate national laws.
DORA and ICT Service Providers
ICT providers designated as supporting a critical function must meet DORA's standards and are subject to direct regulatory oversight.
This may pose difficulties for vendors without effective resilience monitoring processes.
"DORA raises the bar on how firms map ICT dependencies, test recovery, and evidence oversight of third-party services. The operational question is whether those controls hold up when systems fail under pressure."
In 2021, the FCA, PRA, and Bank of England introduced rules to strengthen UK operational resilience.
However, DORA is more prescriptive on ICT and cyber resilience than the UK regime, so UK firms with EU operations still need to assess whether DORA brings their activities into scope.
That scope review should cover subsidiaries, branches, outsourced ICT arrangements, and cross-border service delivery.
Summarising DORA
DORA sets a consistent EU-wide standard for ICT resilience in the financial sector.
It's mandatory for financial institutions operating within EU jurisdictions and significantly raises the bar for cyber preparedness.
As with ISO 27001, DORA is not a one-off.
Ongoing monitoring, testing, and improvement are essential to remain compliant.
"Many firms will need to review their supply chains and resilience practices carefully. DORA places a clear spotlight on governance and long-term cyber maturity."
Sam Kendall, Digital Marketing Manager, Beyond Encryption (Mailock)
FAQs
What Is DORA Designed to Improve?
It aims to strengthen digital operational resilience across financial entities and important ICT providers.
What Are the Five DORA Pillars?
The core areas are ICT risk management, third-party risk, incident reporting, resilience testing, and information sharing.
Why Does Communication Security Matter Under DORA?
Incident handling and operational resilience depend on controlled, evidenced communication with customers, suppliers, and internal teams.
Huw Thomas, Beyond Encryption's Data, Compliance and Operations Manager, plays a crucial role in shaping our information security decisions and procedures across both our products and daily operations.