I still remember the buzz when DORA’s second batch of Regulatory Technical Standards (RTS) was released in July 2024—the regulatory countdown had officially begun. That moment felt like a race had started, and now, with DORA fully in force as of January 17, 2025, it’s time to put preparation into action.
Financial institutions in the EU can no longer afford to wait—compliance is now the name of the game. In this article, let’s dive into the 2025 technical standards, break down the key updates, and explore how organizations can seamlessly integrate these requirements into their everyday operations to achieve long-term success.
Understanding DORA’s 2025 technical standards
DORA is designed to strengthen financial institutions’ resilience against cyber threats and operational disruptions. Its requirements aren’t just theoretical; they come wrapped in two sets of finalized DORA regulatory technical standards:
| Regulatory Technical Standards (RTS) | Finalized | Core focus |
|---|---|---|
| First batch | January 2024 | Expanded guidelines on ICT risk management, encryption, and operations security |
| Second batch | July 2024 | Reinforced incident reporting deadlines, mandatory threat-led penetration testing (TLPT), and financial impact estimation models |
Both batches work together to form the backbone of DORA’s enforceable obligations. While the act itself laid out the legislative vision, DORA technical standards offer the fine-grained details that institutions must now translate into practice.
Strengthened ICT risk management frameworks
A key part of DORA’s vision lies in establishing robust ICT risk management protocols. Under Article 6, every financial institution—large or small—must implement governance structures, risk assessment procedures, and comprehensive security controls. Rather than waiting to respond to crises, organizations are encouraged to adopt continuous risk monitoring and regular reviews of their processes.
The first RTS (January 2024) built upon these principles by detailing additional safeguards around encryption, network segmentation, and identity management. What feels new here is the emphasis on making security a living, breathing part of the organization. For instance, SMEs can leverage a simplified version of the framework, ensuring that smaller players aren’t crushed by administrative overhead while still meeting the regulation’s core resilience standards.
Stricter ICT incident classification and reporting
When a cyber incident hits, every second counts. That’s why DORA’s Article 17 sets out a detailed structure for classifying incidents based on severity and impact. From how many clients are affected to the scale of reputational harm, institutions must now follow uniform criteria to determine the gravity of an event.
The second RTS (July 2024) dialed up the accountability factor by imposing specific timelines on reporting. Take a look at the requirements:
| Reporting requirement | Deadline |
|---|---|
| Initial notification | Within 4 hours of incident classification |
| Final report submission | Within 1 month, including impact analysis and remediation plans |
These strict timelines underscore just how critical real-time monitoring and automated alert systems are. Delayed or incomplete reporting doesn’t just bring regulatory fines; it can erode client trust in an instant.
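As an added example (not part of the original article), the deadline arithmetic behind the reporting table, written so that an alerting workflow can tell which obligations are open or breached. The 4-hour and 1-month windows come from the text above; the record layout, the `utc` helper, and the assumption that the one-month clock also starts at classification are constructed for this example.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Page-stated window for the initial notification; the final report's
# "1 month" is treated as a calendar month, not 30 days.
INITIAL_NOTIFICATION = timedelta(hours=4)

def utc(*parts: int) -> datetime:
    """Build a timezone-aware UTC timestamp (year, month, day[, hour, minute])."""
    return datetime(*parts, tzinfo=timezone.utc)

def add_one_month(ts: datetime) -> datetime:
    """Shift ts by one calendar month, clamping the day when the target month
    is shorter (31 Jan -> 28/29 Feb) so the deadline never slips a month late."""
    carry, month0 = divmod(ts.month, 12)          # December rolls into next year
    year, month = ts.year + carry, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))

@dataclass(frozen=True)
class ReportingDeadlines:
    classified_at: datetime
    initial_notification_due: datetime
    final_report_due: datetime

def deadlines_for(classified_at: datetime) -> ReportingDeadlines:
    """Start both clocks at classification (the page anchors the 4-hour clock
    there; starting the 1-month clock there too is this example's assumption)."""
    if classified_at.tzinfo is None:
        raise ValueError("classification timestamp must be timezone-aware")
    return ReportingDeadlines(classified_at,
                              classified_at + INITIAL_NOTIFICATION,
                              add_one_month(classified_at))

def reporting_status(d: ReportingDeadlines, now: datetime,
                     initial_sent: bool, final_sent: bool) -> list[str]:
    """Obligations still open at `now`, each tagged DUE or OVERDUE; empty means clear."""
    open_items = []
    for label, due, sent in (("initial notification", d.initial_notification_due, initial_sent),
                             ("final report", d.final_report_due, final_sent)):
        if not sent:
            state = "OVERDUE" if now > due else "DUE"
            open_items.append(f"{label} {state} at {due.isoformat()}")
    return open_items

if __name__ == "__main__":
    # Constructed sample: incident classified late on 31 January 2025 (UTC).
    d = deadlines_for(utc(2025, 1, 31, 22, 30))
    print(*reporting_status(d, utc(2025, 2, 1, 3, 30), False, False), sep="\n")
```

Feeding `reporting_status` from a scheduler every few minutes turns the table's deadlines into an alert that fires before, not after, the four-hour window closes.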
Managing ICT third-party risk: increased oversight
Outsourcing essential IT tasks can save money or accelerate innovation, but it also introduces additional vulnerabilities. Under DORA’s Article 28, financial entities must maintain a meticulous record of their third-party relationships. This register includes the nature of each service provided, the duration of the contract, and a criticality rating that indicates how severely a failure would affect core operations.
The July 2024 RTS further mandated:
• Precontractual risk assessments to vet potential suppliers.
• Continuous oversight to verify ongoing resilience.
• Mandatory incident response plans that detail how both parties will act during a security breach.
All of this boils down to a simple truth: third-party risk isn’t just the provider’s problem. It’s the financial institution’s responsibility to ensure that partners meet or exceed DORA’s resilience thresholds.
Advanced threat-led penetration testing (TLPT)
Gone are the days when an annual security audit would suffice. Under Article 26, the second RTS (July 2024) introduced mandatory threat-led penetration testing (TLPT) for what it deems “critical” institutions. This framework goes beyond generic scans, requiring realistic attack simulations aligned with the TIBER-EU methodology.
Key TLPT requirements
| TLPT requirement | Implementation details |
|---|---|
| Mandatory for critical institutions | Entities must undergo rigorous penetration testing |
| Aligned with TIBER-EU framework | Standardized approach to testing methodologies |
| Purple teaming exercises required | Collaboration between offensive (red team) and defensive (blue team) specialists |
Threat-led penetration testing brings offensive (red) and defensive (blue) specialists together in so-called purple teaming exercises. This approach reveals hidden vulnerabilities that standard reviews might miss. Whether institutions build these capabilities in-house or hire certified external teams, TLPT signals a shift toward more proactive cybersecurity practices.
Financial impact estimation for ICT incidents
Cyber incidents don’t just cause reputational harm; they can carry hefty price tags. Recognizing this, the July 2024 RTS introduced guidelines for quantifying the financial losses associated with ICT disruptions. By assessing everything from direct revenue hits to the operational fallout, institutions can create more accurate budgets for cybersecurity investments.
This financial lens also allows regulators to gauge whether an institution can withstand the economic shock of a major incident. In practice, that means compliance teams must collaborate with finance departments to adopt clear cost-estimation models, which then feed into DORA’s overall resilience framework.
How financial institutions can stay compliant
For institutions that have been preparing for DORA, the 2025 enforcement date marks a new phase: full-scale implementation. To manage this shift from preparation to compliance, institutions should focus on several critical measures. These actions not only fulfill regulatory mandates but also enhance overall operational resilience.
| Action | Key considerations |
|---|---|
| Conduct comprehensive ICT risk assessments | Map existing controls to DORA’s enhanced requirements; focus on continuous monitoring and governance structures. |
| Ensure real-time incident detection and reporting mechanisms | Implement automated alerts and workflows to meet strict four-hour notification deadlines under DORA. |
| Evaluate all ICT third-party contracts | Perform thorough due diligence, embed DORA-aligned clauses, and maintain oversight of vendors’ security measures. |
| Set up or expand TLPT capabilities | Conduct regular penetration tests, incorporate purple teaming, and align with TIBER-EU methodologies for realism. |
| Establish financial loss estimation methods | Calculate the potential costs of ICT incidents to ensure adequate recovery funds and budgeting for cyber resilience. |
While this might sound like a lot, the payoff is a cybersecurity posture that not only passes regulatory muster but also helps preserve trust in an increasingly digital marketplace.
Stepping into a new era of digital resilience
DORA is more than another compliance checkbox; it’s a statement that operational resilience is now a cornerstone of financial services. By intertwining risk management, incident reporting, third-party governance, and proactive testing, the regulation compels institutions to think about cybersecurity holistically. And this is only the beginning—new threats will keep emerging, and future updates may broaden DORA’s scope to reflect a rapidly evolving digital reality.
For organizations that step up to the plate, the reward is more than regulatory peace of mind. It’s the opportunity to build enduring trust with clients, innovate with confidence, and stand firm against the cyber onslaughts that will shape tomorrow’s financial landscape. With DORA’s technical standards fully in effect, the question for every institution is simple: are you ready to embrace digital resilience as a defining feature of financial operations? The future of finance depends on the answer.