Sponsored by Veeam
DORA 6 months on: What’s still left to learn and do?
Compliance doesn’t have to be a scramble, and choosing the right vendor can be the difference between success and failure

The EU’s Digital Operational Resilience Act (DORA) is a landmark piece of legislation aimed at bolstering cyber resilience practices for financial services institutions and IT providers.
Under the terms of the legislation, financial entities – which the European Union defines as banks, investment firms, insurance companies, and other assorted financial providers – must implement safeguards to “withstand, respond to, and recover from” IT-related disruptions, including cyberattacks, system failures, and outages.
“DORA brings harmonization to rules relating to operational resilience for the financial sector, applicable to 20 different types of financial entities and ICT third-party service providers,” according to the European Insurance and Occupational Pensions Authority, an agency of the EU.
While DORA came into force in January 2023, it wasn’t until January of this year (2025) that compliance became applicable. This buffer period was implemented to allow organizations affected by the legislation to take the necessary steps to ensure compliance.
Notably, the legislation is based on five key principles spanning a range of areas related to cybersecurity and broader operational resilience. These include:
- IT risk management
- Incident reporting
- Digital operational resilience testing
- Third-party risk management
- Information sharing
So what exactly do these requirements mean for financial institutions and IT providers?
IT risk management and incident reporting
First and foremost, the IT risk management pillar of the legislation requires organizations to ensure that tools and systems are both adequately set up and maintained.
Continuous monitoring of IT risk is also a core facet of this aspect of the legislation, and organizations are obliged to implement practices or procedures aimed at rapidly detecting “anomalous activities” on systems or networks.
Similarly, business continuity is a key focus, with relevant organizations required to implement both plans to mitigate the impact of an outage or cyberattack on their systems and recovery procedures in the aftermath.
Elsewhere, applicable entities are also obliged to monitor and log IT incidents, report major incidents to the relevant authorities, and inform affected customers, clients, or partners.
Resilience testing and third-party risk
Rules pertaining to operational resilience play a crucial role in supporting broader industry safety, as organizations are required to regularly test for potential weaknesses or gaps in digital infrastructure and tooling.
Where flaws are identified, financial entities must remediate them.
The legislation notes that testing requirements must be proportional to the size of the organization in question, as well as its risk profile. Larger entities, therefore, will need to conduct far more extensive resilience testing than some counterparts.
Third-party risks are a growing issue faced by financial services organizations globally, and the legislation aims to minimize the impact of breaches in this regard.
Under the terms of DORA, organizations should conduct risk assessments to establish potential third-party dangers and are required to engage closely with partners to ensure security practices are robust and compliant.
A recent study from SecurityScorecard found European financial institutions recorded a concerning volume of third- and fourth-party breaches over the last year, with 92% of respondents admitting to having suffered a third-party breach.
The study specifically highlighted a trend of ‘vendor reliance’ as a major risk for financial entities across the region, underlining the importance of this area of the legislation.
Information sharing
Cyberthreat sharing forms a core aspect of DORA, with financial entities urged to exchange threat intelligence to improve broader industry responsiveness.
According to the wording of the legislation, this element “aims to enhance the digital operational resilience of financial entities, in particular through raising awareness in relation to cyberthreats, limiting or impeding the cyberthreats’ ability to spread”.
The scope of the information shared by organizations is vast, and can include indicators of compromise, tactics, techniques and procedures (TTPs) employed by threat actors, cybersecurity alerts, and configuration tools.
DORA compliance challenges
While the two-year transition period was intended to give financial entities and IT providers ample time to prepare for the legislation, there have been significant challenges reported by organizations.
Research published ahead of the January 17 deadline this year found more than four in ten financial institutions in the UK risked missing compliance, despite 84% of respondents having purposely allocated funds to accommodate compliance activities.
Key challenges highlighted by respondents include a lack of prioritization, tight compliance deadlines, and their inability to improve supply chain visibility and management.
Notably, internal skills were also highlighted as a common recurring issue by around a quarter of respondents.
Training plays a vital role in compliance
This is where training can be vital, both in ensuring compliance and in driving a broader company-wide understanding of what the regulations themselves expect.
Official EU training materials are available to help steer this process, including a course through which staff can become what is known as a ‘Digital Operational Resilience Act Trained Professional’ (DORATPro).
This includes a series of online training programs, exams, and a certification upon completion of the course.
The program itself has been specifically designed to give participants the skills required to understand DORA and ensure compliance at their respective organizations.
According to EU documents, the target audience for this course is broad, but it is particularly beneficial for risk and compliance managers, auditors, and consultants, as well as the suppliers and service providers that work with organizations required to comply with the legislation.
Third-party vendors and consultants also offer training and toolkits aimed at bolstering organizational preparedness in this regard.
Choosing trusted partners and technologies
Faced with the risk of serious penalties for non-compliance, relevant entities and IT providers should consider working with partners on this front. However, it is critical that they choose a trusted partner above all.
Consultancies such as KPMG, for example, have learning materials and training schemes aimed specifically at helping facilitate DORA compliance, as do an array of other major industry stakeholders.
From a technology standpoint, industry vendors such as Veeam offer a range of solutions tailored toward addressing the five core compliance pillars detailed in the legislation.
For more information on Veeam solutions and how they can help support compliance, please visit the website.