Applying from 17 January 2025, the EU's Digital Operational Resilience Act (DORA) is a landmark EU regulation designed to help financial entities withstand and recover from ICT disruptions, cyber attacks included. It affects both the financial industry and its ICT suppliers. Depending on their current cyber security measures, some organisations may need to put in a lot of work to become compliant.
Although the regulation applies imminently, many businesses in the EU financial sector remain poorly informed about DORA, leaving them exposed to potential fines, operational disruption and unmanaged cyber risk.
If you're feeling lost, fear not: this article outlines DORA's key principles, deadlines and expectations, helping IT professionals navigate this new and complex regulatory framework through a breakdown of its five key pillars.
What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA) is an EU regulation that addresses pressing concerns about ICT and cyber risk in the financial sector.
Recognising the sector's persistent exposure to disruption caused by cyber attacks and ICT failures, financial regulators have long stressed the need for robust safeguards that keep firms operating under attack.
Importantly, DORA is legislation (an EU regulation, directly applicable in every member state), not a voluntary standard like many of the frameworks IT professionals use. This means it is enforceable and, if not met, sanctionable with hefty fines and reputational damage.
With this in mind, it is crucial that those affected fully understand the deadlines and the steps necessary to achieve compliance.
Who does DORA apply to?
The Digital Operational Resilience Act, otherwise known as DORA, applies to more than 22,000 financial entities in the EU, as well as the ICT third-party providers that support them, including providers established outside the EU.
Financial entities
DORA applies to thousands of financial entities within the EU. The term covers credit institutions (banks), investment firms, payment institutions, insurance and reinsurance firms, crypto-asset service providers and crowdfunding platforms, among others. Entities that are not compliant after the application date will face supervisory action and difficulty operating in the EU's financial markets.
Regulated firms vs third-party suppliers
Under DORA, financial entities remain responsible for the ICT services they outsource, so third-party ICT suppliers will be held, through contract and oversight, to the same robust standards as the financial entities they serve.
This means that cloud providers, SaaS platforms, market data firms and network providers will all be expected to support their financial-sector customers' compliance with the framework.
Similarly to financial entities, third-party suppliers will be expected to demonstrate robust risk management, supply-chain transparency and continual assessment to minimise the risk of exploitation.
Certain third-party service providers will also be designated as 'critical' under DORA and will be subject to direct oversight by a Lead Overseer drawn from the European Supervisory Authorities (ESAs).
Who is considered a ‘critical’ ICT third-party provider?
Critical ICT third-party providers will be designated by the European Supervisory Authorities based on their importance to financial entities. Because no designations have yet been made, it is hard to say exactly which providers will be considered critical.
However, you can estimate whether a third-party service provider is likely to be designated critical from the criteria set out in Article 31 of DORA, which, summarised, considers the criticality of the functions the provider supports, the systemic importance of the entities it serves, the number of entities that rely on it, and the degree to which its services can be substituted. A designated provider established outside the EU is also required to establish a subsidiary within the Union after designation.
Organisations designated as critical ICT third-party providers will be overseen directly by the relevant ESA. While this may initially seem daunting, the designation can be advantageous: direct regulatory oversight boosts the credibility of critical third-party providers and demonstrates their reliability, positioning them as preferred partners for financial entities.
Preparing for DORA compliance
The DORA framework was created to ensure financial companies can continue to operate during cyber attacks and other ICT disruptions. It treats resilience not as a point-in-time state but as an ongoing process that must be maintained and evidenced over time.
Regulators will use DORA as a key yardstick to assess and review businesses' decisions and plans for ongoing resilience against ICT risk.
DORA's application date is fast approaching; the regulation gave financial entities two years to become compliant:
- On 16 January 2023, DORA entered into force, giving financial entities two years to educate themselves and achieve compliance.
- On 17 January 2024, the ESAs published the first set of final draft technical standards under DORA, including those covering ICT third-party providers.
- From 17 January 2025, DORA applies and is enforceable.
By 17 January 2025, financial entities should at the very least have completed a gap analysis of their current ICT risk management framework against DORA, with evidence of realistic and robust response measures in place. Collate evidence of every step you take towards compliance, because that evidence is what regulators will ask to see.
Understanding DORA's five pillars
DORA's complex framework can be simplified by understanding its core "five pillars". These pillars represent the key areas of focus set by EU regulators to help businesses achieve operational resilience. The five pillars are as follows:
- ICT Risk Management: financial entities must maintain a documented ICT risk management framework, owned by the management body, that allows them to identify, protect, detect, respond to and recover from ICT-related risks, enabling quicker remediation when something goes wrong.
- ICT-Related Incident Management: ICT incidents must be detected, classified and reported promptly. For incidents classified as major, DORA's reporting standards require an initial notification to the competent authority within four hours of classification (and no later than 24 hours after becoming aware of the incident), followed by an intermediate report and a final report. Meeting these deadlines requires thorough incident management procedures and an on-call process that works out of hours.
- Digital Operational Resilience Testing: financial entities must run a risk-based testing programme over their critical ICT systems, including vulnerability assessments and penetration tests, and entities identified by their competent authority must undergo threat-led penetration testing (TLPT) at least every three years. Test results and remediation must be documented so they can be evidenced to regulators.
- Managing ICT Third-Party Risk: third-party risks are an increasingly prevalent threat to financial entities, so managing them is more important than ever. DORA expects financial entities to maintain a register of their ICT third-party arrangements, assess the risks that accompany each provider, and include mandatory contractual provisions (such as audit rights and exit strategies). These providers must also meet the necessary standards for resilience.
- Information Sharing: DORA encourages financial entities to exchange cyber threat information and intelligence, including indicators of compromise and tactics, techniques and procedures, so that businesses can support one another in managing vulnerabilities and meeting DORA compliance.
How does the Digital Operational Resilience Act contribute to the European digital finance strategy?
DORA is not standalone legislation. It is part of the EU's broader digital finance package, intended to close gaps in EU financial regulation so that new technologies and services are covered by financial regulation and operational risk management.
By applying these technical standards, consumer information will be more stringently protected, and those in the financial sector can operate knowing their data and services are safeguarded.
While DORA may seem frustrating to financial entities grappling with compliance, its prioritisation of good cyber security practice will improve your security posture and protect your organisation from threats. The EU regulators' steps towards a more protected financial sector reflect a broader need for regulated cyber security measures across business.
The hope is that, in time, financial entities and relevant third-party service providers will not simply be compliant with DORA but will proactively pursue operational resilience, protecting themselves and their customers from cyber exploits.
How penetration testing can help achieve DORA compliance
To support their ICT risk management framework and satisfy the testing pillar, financial organisations should conduct regular penetration testing.
Penetration testing is a pivotal component of DORA compliance, offering valuable insights into the security posture of the systems in scope. OnSecurity is a leading pentesting provider, delivering high-impact, high-intelligence testing to businesses of all sizes, and its platform simplifies the delivery and management of pentesting for its clients.
OnSecurity empowers businesses to protect their digital assets, safeguard customer data and maintain trust. By simplifying the management and delivery of pentesting, we make it easier for organisations to enhance their security posture and mitigate risks, contributing to a safer, more secure digital environment for everyone.
Penetration testing services and DORA compliance
Here's how OnSecurity's penetration testing services contribute to DORA compliance.
- Identifying Vulnerabilities: OnSecurity conducts manual penetration testing that simulates real-world attacks, uncovering vulnerabilities that could compromise the operational resilience of financial systems.
- Assessing Security Controls: Through penetration testing, OnSecurity evaluates the efficacy of existing security controls and provides recommendations for strengthening defences against cyber threats.
- Mitigating Risks: By identifying and remediating vulnerabilities, financial institutions can mitigate risks and enhance their operational resilience, aligning with the objectives of DORA.
- Comprehensive Reporting: OnSecurity delivers detailed reports outlining findings, recommendations, and actionable insights, enabling organisations to prioritise remediation efforts and improve their security posture.
How can OnSecurity help?
Financial entities and third-party service providers shouldn't feel unsupported in reaching DORA compliance. At OnSecurity we alleviate the stress of achieving operational resilience through our bespoke cybersecurity services, saving your organisation critical time. Browse our services today to see how we can help.