What Is the Digital Operational Resilience Act (DORA)?

Written by Huw Thomas | 17 05 24

DORA (Digital Operational Resilience Act) is an EU regulation that came into force on 16 January 2023 and will apply from 17 January 2025.

The purpose of DORA is to ensure financial entities such as banks, insurance companies, and investment firms have robust IT security.

This enables them to remain resilient and operational during extreme events, providing continued financial protection for their customers.

Why Is DORA Needed?

As we become more reliant on digital systems, the frequency and sophistication of cyber attacks, hacking, and financial scams continue to rise.

According to IT Governance, over 2.2 billion records were breached across 457 incidents in Europe in 2024 alone.

The financial sector remains one of the most vulnerable industries to cyber attacks, with potentially devastating consequences.

In 2020, the EU Systemic Risk Board examined cyber risk across the EU financial sector.

It found that vulnerabilities often stem from how businesses utilise technology and networks.

Interconnected CRM, payment, and finance systems, reliance on third-party providers, and operations spanning multiple jurisdictions all contribute to the heightened risk.

The Five Pillars of DORA

To strengthen digital security, DORA introduces five core requirements - or “pillars” - for financial entities.

1. ICT Risk Management

Organisations must establish internal governance to identify, manage, and mitigate ICT risks.

This includes frameworks for setting objectives and overseeing risk management activities.

2. Managing ICT Third-Party Risk

Firms must assess third-party ICT providers and remain accountable for all regulatory obligations, even when outsourcing critical ICT services.

3. Reporting ICT-Related Incidents

Any major ICT-related incident must be promptly reported to the appropriate supervisory authority.

Affected organisations must also submit interim and final reports outlining impact, root cause, and actions taken.

4. Testing Digital Operational Resilience

Entities must test their ICT systems regularly, and at least annually.

Larger firms must also carry out threat-led penetration testing every three years.

5. Information Sharing

Firms are encouraged to collaborate and share threat intelligence, provided it's done securely and in line with GDPR requirements.

DORA Compliance for Financial Entities

Implementing DORA will be complex.

Many of the detailed requirements were not available at launch, making the two-year implementation window challenging for firms already transitioning to ISO 27001:2022.

Crucially, DORA is an EU regulation, meaning it automatically applies across all member states without separate national laws.

DORA and ICT Service Providers

ICT providers designated as supporting a critical function must meet DORA’s standards and are subject to direct regulatory oversight.

This may pose difficulties for vendors without robust resilience monitoring processes.

UK Firms and DORA

Although the UK is no longer in the EU, DORA still applies to UK financial firms operating in the EU.

UK regulators have recognised similar risks, particularly with the increased use of cloud services and data analytics.

In 2021, the FCA, PRA, and Bank of England introduced rules to strengthen UK operational resilience.

However, DORA is more prescriptive on ICT and cyber resilience, and UK entities must determine whether their activities bring them into scope.

In Summary

DORA sets a consistent EU-wide standard for ICT resilience in the financial sector.

It’s mandatory for financial institutions operating within EU jurisdictions and significantly raises the bar for cyber preparedness.

As with ISO 27001, DORA is not a one-off.

Ongoing monitoring, testing, and improvement are essential to remain compliant.

"Many firms will need to review their supply chains and resilience practices carefully. DORA places a clear spotlight on governance and long-term cyber maturity."

Sam Kendall, Digital Marketing Manager, Beyond Encryption

References

Digital Operational Resilience Act (DORA), EIOPA, 2024

Data Breaches and Cyber Attacks in 2024 in Europe, IT Governance, 2024

Reviewed by

Sam Kendall, 07.06.24

Sabrina McClune, 08.05.25