The Digital Operational Resilience Act (DORA), introduced by the European Union, represents a significant shift in how financial institutions manage and mitigate digital risks. The legislation came into force in January 2025, bringing with it various practical implications for banks and other operators in the financial services space, and it is designed to benefit customers across the EU.
Key areas of focus under DORA
DORA aims to standardise a digital operational resilience framework across all EU member states, ensuring that financial institutions can withstand, respond to, and recover from ICT-related disruptions and threats.
The regulation focuses on five key areas:
- ICT Risk Management
- Incident Reporting
- Digital Operational Resilience Testing
- Third-Party Risk Management
- Information Sharing
As a result, financial entities must establish stringent controls to identify, manage and mitigate ICT risks, whilst ensuring timely reporting of major cyber incidents to the relevant national and EU authorities. Financial institutions are also required to conduct rigorous testing to assess their resilience against cyber threats and to implement enhanced oversight and management of ICT third-party service providers, including cloud computing services. Finally, financial entities must have processes in place to share information about cyber threats, vulnerabilities and incidents with other entities and with the competent authorities.
Adapting to meet DORA obligations
To comply with DORA, banks and financial services providers have had to undertake several critical steps. These include investing in more robust cybersecurity measures such as advanced threat detection and response systems which are designed to identify and mitigate risks before they can cause significant damage. They have also had to develop and implement comprehensive risk management strategies that cover all aspects of ICT risk.
Establishing a well-defined incident response plan that includes clear protocols for reporting and managing cyber incidents has also been crucial. This will ensure a swift and effective response to any threats that arise. Complying with the provisions around resilience testing and managing third-party risks has also necessitated significant investment in penetration testing and enhanced due diligence.
Benefits for customers
The implementation of DORA will bring several benefits to customers across the EU, not least of which is increased trust and confidence. Because financial institutions will be better prepared to handle cyber threats, customers can have greater confidence in the security of their financial transactions and data.
DORA will also deliver enhanced protection for personal data, which will be better defended against breaches and cyberattacks, as well as improved service continuity. Financial institutions that comply with DORA will be more resilient to disruptions, ensuring that customers experience fewer interruptions to their financial services.
Finally, the requirement for timely incident reporting and information sharing will lead to greater transparency and collaboration across the industry. This will not only add a further layer to the collective resilience of the sector but also allow customers to be informed about potential risks and the measures being taken to address them.
In conclusion, DORA represents a significant step forward in enhancing the digital operational resilience of financial institutions across the EU. By adapting to meet these new obligations, banks and financial services providers are not only complying with regulatory requirements but also providing a safer and more reliable service to their customers.