
What Is the Digital Operational Resilience Act (DORA)?

Posted by Huw Thomas

DORA (Digital Operational Resilience Act) is an EU regulation that came into force on 16 January 2023 and has applied since 17 January 2025.

The purpose of DORA is to make sure financial entities such as banks, insurance companies, and investment firms have effective IT security controls.

This enables them to remain resilient and operational during extreme events, providing continued financial protection for their customers.

DORA sets a consistent EU-wide standard for ICT resilience in financial services.

That standard covers governance, third-party oversight, incident reporting, testing, and information sharing across the sector.


Why Is DORA Needed?

As we become more reliant on digital systems, the frequency and sophistication of cyber attacks, hacking, and financial scams continue to rise.

According to IT Governance, over 2.2 billion records were breached across 457 incidents in Europe in 2024 alone.

The financial sector remains one of the most vulnerable industries to cyber attacks, with potentially devastating consequences.

In 2020, the EU Systemic Risk Board examined cyber risk across the EU financial sector.

It found that vulnerabilities often stem from how businesses utilise technology and networks.

Interconnected CRM, payment, and finance systems, reliance on third-party providers, and operations spanning multiple jurisdictions all contribute to the heightened risk.

What The Research Shows

European breach volumes remain high, with IT Governance reporting over 2.2 billion records exposed across 457 incidents in 2024 alone.

That scale of exposure is one reason regulators are tightening expectations around ICT resilience in financial services.

The Five Pillars of DORA

To strengthen digital security, DORA introduces five core requirements - or "pillars" - for financial entities.

1. ICT Risk Management

Organisations must establish internal governance to identify, manage, and mitigate ICT risks.

This includes frameworks for setting objectives and overseeing risk management activities.

2. Managing ICT Third-Party Risk

Firms must assess third-party ICT providers and remain accountable for all regulatory obligations, even when outsourcing critical ICT services.

3. Reporting ICT-Related Incidents

Any major incident affecting systems must be promptly reported to the appropriate supervisory authority.

Affected organisations must also submit interim and final reports outlining impact, root cause, and actions taken.

4. Testing Digital Operational Resilience

Entities must test their ICT systems regularly, and at least annually.

Larger firms must also carry out threat-led penetration testing every three years.

5. Information Sharing

Firms are encouraged to collaborate and share threat intelligence, provided it's done securely and in line with GDPR requirements.

DORA Compliance for Financial Entities

Implementing DORA will be complex.

Many of the detailed requirements were not available at launch, making the two-year implementation window challenging for firms already transitioning to ISO 27001:2022.

Crucially, DORA is an EU regulation, meaning it automatically applies across all member states without separate national laws.

DORA and ICT Service Providers

ICT providers designated as supporting a critical function must meet DORA's standards and are subject to direct regulatory oversight.

This may pose difficulties for vendors without effective resilience monitoring processes.

"DORA raises the bar on how firms map ICT dependencies, test recovery, and evidence oversight of third-party services. The operational question is whether those controls hold up when systems fail under pressure."

Michael Wakefield, CTO, Beyond Encryption (Mailock)

That oversight expectation applies whether the ICT service supports internal operations or customer-facing channels.

UK Firms and DORA

Although the UK is no longer in the EU, DORA still applies to UK financial firms operating in the EU.

UK regulators have recognised similar risks, particularly with the increased use of cloud services and data analytics.


In 2021, the FCA, PRA, and Bank of England introduced rules to strengthen UK operational resilience.

However, DORA is more prescriptive on ICT and cyber resilience than those UK rules, so UK entities with EU operations still need to assess whether their activities bring them into scope.

That scope review should cover subsidiaries, branches, outsourced ICT arrangements, and cross-border service delivery.

Summarising DORA

DORA sets a consistent EU-wide standard for ICT resilience in the financial sector.

It's mandatory for financial institutions operating within EU jurisdictions and significantly raises the bar for cyber preparedness.

As with ISO 27001, DORA is not a one-off.

Ongoing monitoring, testing, and improvement are essential to remain compliant.

"Many firms will need to review their supply chains and resilience practices carefully. DORA places a clear spotlight on governance and long-term cyber maturity."

Sam Kendall, Digital Marketing Manager, Beyond Encryption (Mailock)


FAQs

What Is DORA Designed to Improve?

It aims to strengthen digital operational resilience across financial entities and important ICT providers.

What Are the Five DORA Pillars?

The core areas are ICT risk management, third-party risk, incident reporting, resilience testing, and information sharing.

Why Does Communication Security Matter Under DORA?

Incident handling and operational resilience depend on controlled, evidenced communication with customers, suppliers, and internal teams.


References

Digital Operational Resilience Act (DORA), EIOPA, 2024

Data Breaches and Cyber Attacks in 2024 in Europe, IT Governance, 2024

Reviewed by

Sam Kendall, 02.06.26

This content is for general information only and is not legal advice.


Originally posted on 17 05 24
Last updated on June 5, 2026

Huw Thomas, Beyond Encryption's Data, Compliance and Operations Manager, plays a crucial role in shaping our information security decisions and procedures across both our products and daily operations.
