We’ve been getting a lot of questions about the Digital Operational Resilience Act (DORA). It’s the EU’s response to the growing risk of cyber threats, system outages and IT disruptions in the financial sector.

DORA came about after several high-profile cyber attacks and system failures exposed gaps in the industry’s resilience. The EU concluded that financial institutions needed to be able to handle and recover from technology-related incidents that could disrupt their operations, and that stricter, more unified rules were needed across the board.

Financial entities, and those who supply to them, have until 17 January 2025 to comply with DORA before enforcement begins. With time running out, many businesses still have questions about what DORA means for them. In this article, we’ll break down the top five questions people are asking, as well as provide straightforward answers to help companies prepare.

1. What is the Digital Operational Resilience Act (DORA)?

DORA is a set of rules that impacts over 22,000 financial entities and ICT (Information and Communication Technology) service providers across the EU. Whether they’re credit institutions (banks), investment firms and fund managers, payment and e-money institutions, insurers, crypto-asset service providers, or even crowdfunding platforms, all must follow the rules to ensure they can withstand and recover from IT-related disruptions.

It’s a regulatory framework designed to make sure everyone has a solid plan in place to keep operations running smoothly no matter what tech challenges they face.

At its core, DORA aims to make sure businesses can bounce back quickly from any digital disruptions. It creates a universal framework to help companies manage ICT risks effectively, while also reducing conflicts between different national rules within the EU. The idea is to create one set of standards that applies across all member states, making it easier for businesses to comply and stay resilient.

DORA covers several key areas of risk, organised around five pillars. These include:

  • ICT risk management: Setting up a documented framework for identifying, protecting against, detecting, responding to and recovering from ICT risks. This is where the cybersecurity controls that keep systems safe from attackers sit, alongside the continuity and recovery plans that keep the business running during a disruption and restore it quickly afterwards.
  • ICT-related incident management, classification and reporting: Ensuring firms detect and handle incidents, classify them by severity and report major ones to regulators within tight deadlines.
  • Digital operational resilience testing: Regular testing of systems and processes, from vulnerability scans to penetration testing and scenario exercises, to ensure they can handle disruptions.
  • ICT third-party risk: Managing the risks that come with relying on external vendors for IT services, like cloud providers or software platforms, including the contracts that govern those relationships.
  • Information-sharing arrangements: Encouraging firms to share information about cyber threats and vulnerabilities with each other, promoting industry-wide resilience.

DORA essentially pushes financial companies to be proactive, rather than reactive, when it comes to ICT risks.

2. Which entities fall under the scope of DORA?

DORA is broad in its reach, impacting nearly every corner of the financial services sector. It is an EU regulation, so UK businesses are not caught directly. They are affected if they have EU-authorised entities in their group, or if they supply ICT services to EU financial entities, in which case DORA’s contractual requirements flow down to them through their customers’ contracts. It applies to both traditional and newer players, covering institutions of all sizes. Here are some of the key sectors affected:

  • Banks: Traditional banks, whether large international institutions or smaller regional ones, fall directly under DORA’s regulatory scope.
  • Insurance firms: Insurers, which handle massive amounts of sensitive data, must comply with DORA to ensure their systems are resilient to ICT disruptions.
  • Asset managers: Given their reliance on real-time data and market access, asset managers are expected to have strong operational resilience plans.
  • Fintech and payment service providers: These include digital banks and payment platforms and are increasingly targeted by cyber threats, making them a key focus of DORA.
  • ICT third-party service providers: Providers that deliver IT services to financial institutions, from cloud computing companies to data centres, are also caught, because their technology supports critical financial operations. Most are bound indirectly: DORA requires the financial entity to impose specific contractual terms on them (Article 30), such as service levels, incident support, audit and access rights, and exit arrangements. A small number designated as ‘critical’ by the European Supervisory Authorities come under direct EU-level oversight.

How does DORA impact different types of businesses?

DORA affects businesses of all sizes, but its impact varies depending on resources and existing risk management frameworks.

Larger institutions, like big banks and asset managers, may already have robust ICT risk management systems in place, so complying with DORA will likely involve refining existing processes. However, new requirements, such as mandatory resilience testing and stricter third-party oversight, will still require attention.

Smaller and mid-size firms may face greater challenges. Many of these companies lack the resources to easily implement DORA’s extensive requirements, such as continuous risk monitoring, incident reporting, and third-party management. Compliance may require significant investment in new systems and expertise, making it a heavier burden for them.

Though DORA allows some flexibility based on company size, with requirements increasing in proportion to the risk, smaller businesses will still need to meet the core requirements, which could be a substantial operational and financial strain.

In a recent industry roundtable, John Lehner, president of FundGuard, highlights this point well:

“Dora validates any CTO who has invested in new, more modern technology and cybersecurity in recent years and a large amount of time justifying that spend to boards. The industry leaders are already multiples ahead of operational resilience rules. Dora and similar regulations simply call out the bottom quartile of firms who are creating the risk in the first place.”

3. What are the key compliance requirements under DORA?

In a recent DORA webinar, 61% of participants stated that understanding what DORA compliance entails was their greatest DORA challenge. DORA sets out several core areas of compliance that financial institutions must address to ensure they can handle ICT disruptions effectively:

  • ICT risk management frameworks: Businesses need to establish comprehensive ICT risk management frameworks. These frameworks should cover how they identify, assess, and mitigate ICT-related risks, from cyberattacks to system failures.
  • Incident reporting: Firms must have systems in place to classify and report significant ICT incidents. Major incidents must be reported to the relevant authorities within strict deadlines, ensuring quick regulatory oversight and action. Under the accompanying technical standards, a major incident triggers an initial notification within four hours of being classified as major (and no later than 24 hours after the firm becomes aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. Classification therefore has to happen fast, which means the criteria and the people who apply them need to be decided in advance.
  • Continuous monitoring of threats: Businesses are required to continuously monitor their ICT environments to detect emerging threats and vulnerabilities. This includes real-time monitoring of networks, data systems, and digital infrastructures.
  • Operational continuity planning: Firms must develop plans that ensure they can continue to operate, or quickly resume operations, during and after ICT disruptions. This includes having backups, disaster recovery plans, and contingency strategies in place.

DORA doesn’t just require you to set up these systems, it expects firms to regularly test them and make improvements over time. Consistent resilience testing, like penetration tests and simulations, is necessary to ensure businesses are prepared for real-world disruptions, and financial entities identified as significant must in addition run threat-led penetration testing (TLPT) against live production systems at least every three years. All processes must be thoroughly documented, and companies are expected to continuously work on improving their ICT resilience.

Incorporating new regulation across your business is not always easy, and some firms will already be further down the DORA road than others. Asset managers have tended to be more innovative than other financial businesses, largely because they have been relatively lightly regulated. Some are concerned that raising the regulatory burden could stifle innovation, but Nick Dekker, senior partner & head of technology consulting at Alpha FMC, argues that technological innovation will continue and that DORA’s impact on it will be limited.

“Dora is prescriptive but much of the work is in evidencing that the regulations are met.”

What happens if you don’t comply with the rules?

Failure to comply with DORA can lead to significant penalties. Who imposes them, and how large they are, depends on who you are:

  • Financial entities: DORA itself does not set fine amounts. Article 50 leaves administrative penalties to each member state’s competent authority, requiring only that they be effective, proportionate and dissuasive, so the figures often repeated online (such as “2% of annual turnover” or “€1m for individuals”) are not in the regulation and will vary by country.
  • Critical third-party providers: This is the one EU-level penalty. Under Article 35 the Lead Overseer can impose a periodic penalty payment of 1% of the provider’s average daily worldwide turnover, charged daily until it complies, for up to six months.

Non-compliance could also damage a firm’s reputation, making it harder to attract clients or maintain trust with existing ones. Also, poor operational resilience could result in business disruptions, financial losses, and long-term damage to customer relationships. In extreme cases, firms may face restrictions on their ability to operate if they consistently fail to meet the regulatory requirements.

4. How will DORA affect third-party service providers?

DORA places significant emphasis on the risks associated with third-party service providers that financial institutions rely on for their ICT operations. These can include cloud providers, cybersecurity firms, and data centres. Under DORA, financial firms must closely oversee these vendors to ensure their services don’t expose the firm to unnecessary risks. A disruption or security breach at a third-party provider can have severe consequences for the financial institution that depends on it, which is why third-party resilience is a top priority.

The questions to ask your third-party providers.

Under DORA, financial institutions are required to scrutinise their third-party ICT vendors more thoroughly. Here are some critical questions to ask:

  1. Can they meet DORA’s contractual requirements? Most ICT providers are not themselves regulated under DORA, so the real question is whether they will accept, and can evidence, the terms Article 30 obliges you to put in the contract: defined service levels, support during incidents, cooperation with your authorities, rights to audit and inspect, notice of subcontracting, and a workable exit strategy. If a provider cannot show this, the gap sits with the financial institution, which remains responsible for the resilience of the service.
  2. What resilience measures do they have in place? Institutions must assess what resilience strategies their ICT providers use to mitigate risks, ensure operational continuity, and recover quickly from disruptions. This includes backup plans, incident response capabilities, and disaster recovery solutions.
  3. How is cyber risk managed within these partnerships? Institutions need to understand how third-party vendors manage cybersecurity risks. Are they regularly testing their systems for vulnerabilities? How do they detect and respond to cyber threats? Firms must also ensure that data security standards are in place, particularly when sensitive financial data is involved.

Impact on critical third-party service providers

DORA places particular attention on ‘critical’ ICT third-party service providers. These are not self-declared: the European Supervisory Authorities designate them (Article 31) on criteria such as the systemic impact of a failure, the number and importance of the financial entities that rely on them, and how easily they could be substituted. Designated providers are overseen directly by a Lead Overseer. The kinds of provider most likely to be in scope include:

  • Cloud providers: As more financial firms move their systems and data to the cloud, DORA mandates that institutions ensure cloud providers have robust security, backup, and resilience measures in place. Cloud providers must be able to demonstrate how they will protect against data breaches, service outages and other disruptions.
  • Cybersecurity firms: Companies that provide cybersecurity solutions must show their ability to prevent, detect, and respond to cyber threats. They need to regularly test their systems and processes to ensure they’re capable of supporting their financial clients in the event of an attack. Indeed, in a recent DORA webinar, 54% of participants saw cyber threats or attacks arising from ‘rogue’ individuals, organisations or states as the most critical risk that needs to be addressed.
  • Data centres: Data centres that store critical financial information are also under increased scrutiny. Being able to recover quickly from power outages, natural disasters or cyber incidents is essential, minimising any downtime for their clients.

DORA will likely act, at least in part, as a barrier to entry for many firms, including those within the cybersecurity space. As Chris Mills, managing director at consultancy Citisoft, states:

“Dora is a barrier to entry for some players who perhaps should not be here in the first place. People will put their money in reputable firms only. Cybersecurity is a critical issue for boards because asset management is a data business and if you’re not cybersecure, you’re risking people’s money.”

Ultimately, ‘critical’ third-party providers are held to resilience expectations comparable to those of the institutions themselves, enforced through the Lead Overseer’s recommendations and penalty payments rather than through the financial entity alone. Financial firms must still formalise and monitor these relationships to ensure that ICT risks are consistently managed across their supply chain.

5. When will DORA come into effect and how can companies prepare?

DORA entered into force on 16 January 2023 and applies from 17 January 2025, when supervisors begin enforcing it. With the date fast approaching, companies that haven’t yet started preparing need to move quickly.

If businesses haven’t already begun incorporating DORA’s requirements, now is the time to act. Here are some key steps companies should follow to ensure they’re ready by the deadline:

Conduct a gap analysis: The first step is to assess where your business currently stands in terms of ICT risk management. A gap analysis will help identify areas where your existing systems and processes fall short of DORA’s standards.

Implement or update risk management frameworks: Companies need to either set up or strengthen their ICT risk management frameworks. This involves formalising processes for identifying, mitigating, and managing ICT risks across the organisation.

Regular resilience testing and incident simulations: Regular testing is crucial to DORA compliance. Companies should perform resilience tests, such as penetration testing and incident simulations, to evaluate how well their systems can withstand and recover from disruptions. Testing should be ongoing to ensure continuous improvement in operational resilience.

Map your third-party dependencies: DORA also requires a register of information covering all contractual arrangements for ICT services, distinguishing those that support critical or important functions. Building that register early exposes concentration risk and contracts that lack the mandatory Article 30 terms before a supervisor asks for it.

DORA is set to transform how financial services approach ICT risk. By establishing a unified regulatory framework, it ensures that companies across the EU will follow the same standards for resilience, cybersecurity, and third-party oversight. Over time, this should lead to greater consistency, making the entire financial ecosystem more robust and less vulnerable to ICT disruptions.

In the long term, DORA will drive continuous improvements in operational resilience. Businesses will need to stay vigilant and adaptive as new threats emerge, and regular testing will become a standard part of operations. The act will likely shape a future where financial institutions – and their third-party providers – are better prepared to manage ever evolving risks to the financial system.