In 2020, the EU introduced a new regulatory framework centered on measures to increase the digitalization of the financial sector. It was later named the Digital Operational Resilience Act (DORA) and is part of the Digital Finance Package (DFP), which aims to support innovative financial products and to set rules on crypto-assets and digital resilience.

While DORA builds largely on existing reforms (GDPR, the NIS2 Directive and MiFID II, for example), its novelty is that it is the first regulation to harmonize ICT risk management standards across Europe. DORA was adopted on 16 January 2023 and will apply in all member states from 17 January 2025, leaving the entities concerned two years to make the changes needed to comply with the regulation. In the meantime, what could financial institutions put in place to prepare for DORA?

Which firms are affected by DORA?

DORA has a rather large scope. It includes all financial institutions across the European Union (EU). By that, we mean all the traditional financial institutions, such as banks, insurance companies, investment firms and credit institutions.

DORA also includes digital financial institutions, including virtual-asset service providers and crowdfunding platforms. In total, 21 different types of entities are included in the Act.

In brief, the regulation will affect any ICT provider of financial services, financial technology business or business designated as a critical vendor operating in Europe, whether those suppliers are based in Europe or anywhere else in the world.

What about “Operational Resilience”?

Before we get deeper into what DORA is, we need to explain one of the terms the regulation focuses on. The term “Operational Resilience” implies that, whatever critical situation a company may face, its information system must be able to withstand the “shock” and continue operating. IT resilience is the ability of an organization to ensure the continuity of its information system, even in the event of hardware failure, overload, hacking or other incidents.

What is DORA?

DORA aims to strengthen the IT security of the financial entities cited above, to address ICT risk management in the financial services sector comprehensively, and to harmonize the ICT risk management regulations that already exist in individual EU member states.
The regulation is meant to ensure firms’ operational resilience and keep them operating even if incidents occur. DORA has five main pillars:

  • ICT risk management: This entails establishing a comprehensive framework for managing ICT risks, encompassing essential principles and requirements tailored to financial entities' risk management practices.

  • ICT incident management classification & reporting: The aim is to standardize and simplify reporting procedures, expanding reporting obligations to all financial entities, and broadening the spectrum of reportable incidents. Additionally, the framework allows for voluntary reporting of significant cyber threats alongside major ICT-related incidents.

  • Digital operational resilience testing: Financial entities undergo either basic or advanced testing to assess their digital operational resilience. Advanced testing, mandated by DORA, employs threat-led penetration tests (TLPT) for designated entities falling within its scope.

  • Managing ICT third-party risk: This involves implementing principle-based guidelines for monitoring third-party risk, outlining crucial contractual provisions, and establishing an oversight framework for critical ICT Third-Party Providers (TPPs).

  • Information sharing: Encourages voluntary exchange of information and intelligence concerning cyber threats among financial entities. The objective is to fortify the digital operational resilience of financial institutions through collaborative sharing of cyber threat information and intelligence.

In this regulation, the emphasis is put on enhancing risk management, managing IT incidents, conducting tests, overseeing critical IT service providers, and strengthening governance and organizational structures. Moreover, the DORA regulation requires financial entities to notify supervisory authorities and market participants promptly and in detail of major information and communication technology (ICT) incidents. The aim is to ensure that the EU financial system reacts quickly and appropriately to disruptions, thereby maintaining its resilience.

Why is DORA needed?

Today, traditional and especially digital financial institutions rely heavily on technology and on tech services offered across borders. This, in turn, can have an impact on other companies, other sectors and even the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector. The financial sector is becoming more exposed to technology-related risks such as cyberattacks.
The heightened sense of urgency followed a report from the European Systemic Risk Board that identified cyber risk as one of the most significant threats. The report underscored that a single cyber event could precipitate a systemic crisis, threatening financial stability throughout Europe.

The Covid-19 pandemic and the increased use of remote access for financial services led to a rise in cyberattacks; the European Commission reported an increase of 38% since the beginning of the pandemic.

What actions could the financial institutions take to be compliant with DORA?

Financial institutions should conduct thorough risk assessments to identify potential vulnerabilities in their digital systems and processes. Implementing robust risk management frameworks should be a top priority in order to mitigate these risks effectively. Strengthening cybersecurity measures and third-party vendor management should also play a crucial role in financial institutions’ operations.

Institutions should review how maintenance and IT administration are managed, including the involvement of third parties and the security of those parties’ own IT resources. Continuous investment in modern digital infrastructure, to enhance resilience against evolving threats and technological challenges, is another important step for financial institutions to take. Investing in artificial intelligence and machine learning could be worthwhile, as it enables proactive threat detection. For instance, insurance companies use AI to predict equipment failure, which ultimately prevents downtime and reduces maintenance costs.

Regular audits and assessments should be performed to monitor and ensure compliance with information security standards. Financial institutions need to stay informed about updates and changes to regulatory requirements to adapt accordingly. In addition, firms should establish regular training and awareness programs for staff to enhance their understanding and knowledge of operational resilience requirements and their role in maintaining resilience.

Institutions should develop a culture of resilience and proactive risk management, encouraging open communication and collaboration across departments to identify resilience gaps and opportunities for improvement, and adopting a risk-based approach with continuous compliance monitoring and continuous improvement of security measures. They should also engage in information sharing and collaboration initiatives with other financial institutions, regulatory bodies and industry stakeholders to exchange best practices and insights on enhancing operational resilience, with clear accountability and reporting structures in place. Boards should actively oversee risk management efforts and ensure adequate resources are allocated to maintain resilience.


What happens in case of noncompliance?

The regulation does not set penalties of a fixed amount. However, it states that penalties and measures should be effective, proportionate and dissuasive. Competent authorities will have the supervisory, investigatory and sanctioning powers necessary to fulfill their duties.

Each member state will lay down rules establishing appropriate administrative penalties and remedial measures for breaches of the regulation and will ensure effective implementation. Competent authorities, which will be assigned by the member states, will have the power to apply at least the following administrative penalties or remedial measures for breaches of this regulation:
  • Capacity to command individuals or entities to stop any behavior that violates the regulation and to abstain from repeating such behavior.

  • Enforce discontinuation of any practices conflicting with the regulation’s provisions, either temporarily or permanently, and ensure non-repetition.

  • Implement diverse measures, including financial penalties, to uphold compliance among financial entities.

  • Request access to existing data traffic records from telecommunication operators, within national legal constraints, when there is reasonable suspicion of a breach of the regulation and the records are relevant to an investigation.

  • Publish public notices, including statements disclosing the identity of the individual or organization and the details of the violation.


It is also possible that member states choose not to lay down administrative penalties for breaches that are already subject to criminal penalties under their national laws.

In conclusion, strict adherence to the Digital Operational Resilience Act is a mandatory duty for financial institutions as they confront the challenges of digital transformation and cybersecurity risk. Through proactive risk assessment, robust incident response planning and investment in cybersecurity measures, institutions can fortify their operational resilience.
Furthermore, fostering a culture of compliance through training, encouraging collaboration and strengthening existing structures will further reinforce resilience efforts. Ultimately, by prioritizing operational resilience, financial institutions can not only meet regulatory mandates but also safeguard their operations, reputation and customer confidence amid the increasing digitalization of the industry. However, the cost of compliance may reach an all-time high. Financial institutions must therefore be strategic in setting their priorities in an effort to comply with this new regulatory framework.
Pideeco is a consultancy firm providing legal services, business solutions, operational assistance and educational material for professionals in the financial industry.