Reflecting on the early days of the Digital Operational Resilience Act (DORA), I recall conversations with compliance officers who were grappling with the impending changes. One officer from a mid-sized European bank mentioned, “We knew DORA was coming, but the reality of its requirements didn’t hit until we started our gap analysis.” Now, with DORA fully applicable as of January 17, 2025, the financial industry faces a transformed regulatory environment.
DORA is more than a compliance mandate; it represents a fundamental shift in how financial institutions approach operational resilience, third-party risks, and ICT security. Let’s delve into what DORA entails for financial services and how compliance professionals can navigate this new landscape.
The core of DORA: A new standard for resilience
DORA establishes a unified framework for digital operational resilience across the EU’s financial sector. It applies not only to traditional banking institutions but also to a wide array of financial services providers and their ICT suppliers.
One of the key changes under DORA is that third-party ICT providers—such as cloud service providers, fintech firms, and cybersecurity vendors—are now directly subject to regulatory oversight. This is a game-changer, as financial firms must now ensure their entire digital ecosystem meets stringent resilience requirements.
Who is impacted by DORA?
DORA’s reach extends to nearly all financial entities operating within the EU, including:
Entities that fall under the scope of DORA
| Category | Examples of entities |
|---|---|
| Banks & credit institutions | Commercial banks, savings banks, credit unions, and investment banks |
| Insurance & reinsurance | Life insurers, non-life insurers, and reinsurance firms |
| Investment firms | Asset managers, hedge funds, private equity firms |
| Payment & e-money institutions | Payment processors, digital wallets, e-money providers |
| Trading & market infrastructure | Stock exchanges, central securities depositories, clearing houses |
| Crypto-asset service providers (CASPs) | Cryptocurrency exchanges, custodians, wallet providers |
| Third-party ICT service providers | Cloud computing firms, cybersecurity providers, data centers |
| Other financial entities | Credit rating agencies, auditors, and pension funds |
This broad scope means that even entities that do not directly offer financial services—such as cloud providers—must comply with DORA’s resilience requirements if they serve financial institutions.
Compliance challenges: More than just a paper exercise
For many organizations, the biggest challenge isn’t just understanding DORA—it’s implementing it effectively. Most financial firms already have cybersecurity policies, but DORA requires a holistic and integrated approach, ensuring board-level oversight and continuous risk assessments.
Organizations are struggling with:
- Governance & accountability – Executives must take an active role in resilience planning, making cybersecurity a business-level issue, not just an IT concern.
- Testing requirements – Threat-led penetration testing (TLPT) must be conducted every three years, requiring advanced cybersecurity capabilities.
- Third-party risk management – Financial institutions must audit their ICT vendors, ensuring they meet the same resilience standards.
- Incident reporting & response – Organizations must maintain real-time cyber incident monitoring and be prepared to report security breaches under tight deadlines.
Firms that still view compliance as a box-ticking exercise will find themselves falling behind. DORA requires a proactive, risk-based approach to ICT resilience, making compliance an ongoing process rather than a one-time obligation.
The role of technology: How organizations can adapt
Financial firms that embrace automation, AI, and regtech solutions will find compliance far more manageable.
- Regtech platforms can streamline incident reporting, compliance tracking, and third-party risk assessments.
- AI-powered security tools can provide real-time threat intelligence, helping firms detect cyber risks before they escalate.
- Cloud security frameworks—if properly assessed under DORA—can help financial firms scale resilience efforts efficiently.
Additionally, industry-wide collaboration initiatives—such as those promoted by the European Banking Authority (EBA)—are enabling financial firms to share cyber threat intelligence and best practices, strengthening collective resilience.
Preparing for 2025 and beyond
With the compliance deadline now passed, financial institutions must ensure they have implemented all required measures to avoid penalties and operational risks. Those that are still catching up need to act fast.
| Action item | Purpose |
|---|---|
| Conduct a gap analysis | Identify compliance shortfalls and create a roadmap for full DORA readiness. |
| Establish board-level oversight | Ensure executive teams actively engage in resilience planning. |
| Implement continuous monitoring | Adopt real-time cyber risk detection tools and automated compliance tracking. |
| Strengthen third-party risk management | Audit ICT providers and integrate compliance clauses into contracts. |
| Conduct TLPT and scenario testing | Ensure systems can withstand real-world cyber threats. |
For financial institutions, the shift to continuous compliance and operational resilience is no longer optional. Those that fail to adapt risk regulatory penalties, reputational damage, and financial instability.
Is your institution ready?
DORA represents a new era of financial regulation, one that places resilience at the heart of digital finance. Unlike past regulations, which largely focused on data protection and breach response, DORA requires financial institutions to proactively build digital resilience before an incident occurs.
As financial firms navigate this regulatory landscape, the real question isn’t whether they can comply—it’s whether they will use DORA as a catalyst for long-term cybersecurity transformation. Institutions that rise to the challenge will emerge stronger, more competitive, and better prepared for the digital threats of the future.