DORA: How the Digital Operational Resilience Act Is Changing Financial Institutions

December 16, 2025

The European DORA Regulation (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is a key regulatory framework for the financial sector. It entered into force on January 16, 2023 and has applied since January 17, 2025, meaning financial institutions are now required to comply with its provisions.

DORA introduces a new approach to digital resilience: it is no longer just about preventing incidents, but about an organization’s ability to respond quickly, limit the impact, and maintain operations without disruption.

Compliance with DORA is not simply a matter of technology or security settings. It requires comprehensive governance of information, procedures, documentation, records, and decisions – all of which an organization must be able to demonstrate to the supervisory authority at any time in a verifiable manner.

This topic was discussed in the DigiChat podcast by Uroš Žust, an expert in cybersecurity and regulatory compliance. In the following sections, we summarize the key takeaways from the conversation and the broader context of the regulation.

What is DORA and why was it necessary?

DORA establishes a unified European framework to ensure the operational resilience of the financial sector. Its premise is clear: digital incidents are inevitable; the critical question is how prepared an organization is to respond, mitigate the consequences, and ensure business continuity.

The regulation was introduced in response to the growing number of cyber incidents, the increasing complexity of digital ecosystems, and the financial sector’s strong dependence on information infrastructure and external ICT service providers.

Who does DORA apply to?

DORA applies to more than 20 types of financial entities.

Financial institutions directly bound by DORA

  • Banks and savings institutions,

  • insurance and reinsurance companies,

  • investment firms and payment institutions,

  • crypto-asset service providers,

  • operators of market and clearing infrastructures.

Indirectly, DORA also has a significant impact on third-party ICT service providers that support the critical functions of these institutions. Financial organizations must be able to demonstrate effective oversight and control over these providers.

The Interconnection Between DORA, GDPR, NIS2, and the AI Act

DORA is not an isolated regulation. It forms part of a broader and increasingly interconnected European regulatory landscape.

How these regulations complement each other

  • GDPR focuses on the protection of personal data, while DORA strengthens operational resilience. In many cases, the same incident may trigger reporting obligations under both regimes.

  • NIS2 establishes a wider cybersecurity baseline across sectors, but for financial institutions, DORA generally takes precedence as the lex specialis framework.

  • The AI Act regulates the development and use of artificial intelligence systems, whereas DORA approaches such technologies through the lens of ICT risk management and resilience.

This regulatory interdependence requires organizations to manage information, documentation, and systems in an integrated way, as compliance obligations are increasingly mutually reinforcing.

ICT Risk Management as the Foundation of DORA

Under DORA, ICT risk management is not a one-time project or a static document; it is a continuous process that requires full transparency, traceability, and demonstrable evidence for every decision. Organizations face the greatest challenges when they lack a structured system for recording risks, mitigation measures, and related documentation.

Key Elements of ICT Risk Management

DORA requires organizations to systematically establish:

  • an inventory of ICT assets,

  • business impact analysis,

  • business continuity plans,

  • regular risk assessments and updates,

  • supply chain and third-party risk management,

  • consistent documentation of decisions and actions.

Why Documentation, Records, and Audit Trails are Critical

An institution must demonstrate to the regulator not only the outcome but the entire process:

  • who made the decision,

  • why it was made,

  • which information it was based on,

  • when the measure was implemented,

  • and how the documentation is stored and monitored.

Without a properly established audit trail, risk management cannot be evidenced or verified.
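The verifiability the article asks for (who decided, why, on which information, when) can be made tamper-evident rather than merely filed. The following is an added example, not code from the article or from any DORA tooling: each decision record is hashed together with the hash of the previous record, so a later edit or deletion breaks the chain. Field names, the sample decisions, and the reference IDs are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hash of the (empty) chain before the first entry.
GENESIS_HASH = "0" * 64


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation: key order and whitespace must not change the hash.
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Each entry commits to its predecessor, so rewriting one record invalidates every later one.
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(_canonical(record))
    return h.hexdigest()


class AuditTrail:
    """Append-only, hash-chained record of ICT risk decisions (who, what, why, on what basis, when)."""

    def __init__(self):
        self.entries = []

    def append(self, actor, decision, rationale, basis, timestamp=None):
        record = {
            "seq": len(self.entries),
            "actor": actor,            # who made the decision
            "decision": decision,      # which measure or outcome was decided
            "rationale": rationale,    # why it was made
            "basis": list(basis),      # which information it relied on (assessment IDs, tickets, ...)
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),  # when
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"record": record, "prev_hash": prev, "hash": _entry_hash(prev, record)}
        self.entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Current chain head. Store this outside the writer's reach (WORM storage, a signed
        timestamp, a regulator-facing register); the chain alone cannot prove it was not rebuilt."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def verify(self, expected_head=None):
        """Return (True, None) if the chain is intact, else (False, index of the first bad entry).
        With expected_head, a wholesale re-chain or a truncated tail is also detected."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if e["prev_hash"] != prev or e["record"]["seq"] != i or _entry_hash(prev, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def build_sample_trail(first_rationale="vendor patch ETA 30 days; compensating WAF rule in place"):
    """Constructed sample: two decisions of the kind a risk register would hold."""
    trail = AuditTrail()
    trail.append("cio@example.test", "accept residual risk R-12", first_rationale,
                 ["RA-2025-03", "TICKET-4711"], "2025-02-03T10:15:00+00:00")
    trail.append("ciso@example.test", "approve exit plan for ICT provider X",
                 "single critical dependency, no tested fallback", ["TPRM-2025-07"],
                 "2025-02-10T09:00:00+00:00")
    return trail
```

The chain detects in-place edits and deletions relative to a head hash that the auditor obtained independently; without that external anchor, anyone who can write the store can simply regenerate the whole chain, so the head hash (or a signature over it) must be retained where the writer cannot alter it.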

DORA and Incident Reporting: Strict Deadlines

Incident reporting under DORA is not merely an administrative obligation. It requires clearly defined processes, assigned responsibilities, and access to accurate, up-to-date information in advance.

Incident Reporting Timelines

  • Initial notification: within 4 hours of classifying the incident as major, and in any case no later than 24 hours after the entity became aware of the incident

  • Intermediate report: within 72 hours of submitting the initial notification

  • Final report: within one month (about 30 days) of submitting the intermediate report

A robust digital infrastructure for information management is essential, as organizations must be able to provide evidence, decision records, and traceability of actions within very short timeframes.
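Because the three clocks start at different events (classification, awareness, submission of the previous report), the deadlines are easy to get wrong by hand, and the 24-hour cap silently overrides the 4-hour window once classification takes more than 20 hours. The calculator below is an added example, not part of the article; the windows are the ones stated above, the start points follow our reading of the DORA incident-reporting standards and should be confirmed against the current legal text, and "one month" is approximated as 30 days.

```python
from datetime import datetime, timedelta, timezone

# Reporting windows as stated in the article (assumed; confirm against the current RTS/ITS text).
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)   # legal text says "one month"; 30 days is the conservative reading

REPORTS = ("initial", "intermediate", "final")


def _utc(ts):
    """Accept a datetime or an ISO 8601 string; require a timezone so the arithmetic is unambiguous."""
    if isinstance(ts, str):
        ts = datetime.fromisoformat(ts)
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


def reporting_deadlines(became_aware, classified_major, initial_submitted=None, intermediate_submitted=None):
    """Compute the three submission deadlines (ISO 8601, UTC) for one major ICT-related incident.

    Until a report is actually submitted, the next clock is planned from the previous report's
    due date; once it is submitted, the real submission time is used instead.
    """
    aware = _utc(became_aware)
    classified = _utc(classified_major)
    if classified < aware:
        raise ValueError("classification cannot precede awareness of the incident")

    # 4 hours after classification, but never later than 24 hours after awareness.
    capped = classified + INITIAL_AFTER_CLASSIFICATION > aware + INITIAL_AFTER_AWARENESS
    initial_due = aware + INITIAL_AFTER_AWARENESS if capped else classified + INITIAL_AFTER_CLASSIFICATION

    initial_ref = _utc(initial_submitted) if initial_submitted else initial_due
    intermediate_due = initial_ref + INTERMEDIATE_AFTER_INITIAL

    intermediate_ref = _utc(intermediate_submitted) if intermediate_submitted else intermediate_due
    final_due = intermediate_ref + FINAL_AFTER_INTERMEDIATE

    return {
        "initial": initial_due.isoformat(),
        "initial_capped_by_24h": capped,
        "intermediate": intermediate_due.isoformat(),
        "final": final_due.isoformat(),
    }


def overdue(deadlines, now):
    """Names of the reports whose deadline has already passed at `now`."""
    now = _utc(now)
    return [name for name in REPORTS if _utc(deadlines[name]) < now]


if __name__ == "__main__":
    # Constructed scenario: detected 08:00 UTC, classified as major 22 hours later.
    d = reporting_deadlines("2025-03-01T08:00:00+00:00", "2025-03-02T06:00:00+00:00")
    for name in REPORTS:
        print(f"{name:12s} due {d[name]}")
    print("24h cap applied:", d["initial_capped_by_24h"])
```

In practice the "became aware" timestamp is the contested one: it is the earliest point at which the entity can be shown to have known of the incident (a monitoring alert, a customer complaint, a provider notification), not the moment someone opened a ticket, which is why the article's insistence on timestamped records and a clear intake process matters.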

Digital Operational Resilience Testing and TLPT

Under DORA, financial institutions must conduct regular technical and organizational resilience testing to ensure their systems remain robust, secure, and operational under stress.

Types of Testing Required Under DORA

Testing requirements under DORA include:

  • penetration testing,

  • security assessments,

  • compliance evaluations,

  • Threat-Led Penetration Testing (TLPT), which entities designated by their competent authority must perform at least every three years.

TLPT requires a high level of preparedness, comprehensive evidence, and full traceability of results, decisions, and remediation measures.

Managing Third-Party ICT Providers - One of the Greatest Challenges

For the first time, DORA places third-party ICT service providers at the center of regulatory oversight. Financial institutions must demonstrate active and ongoing control over critical suppliers, not merely rely on contractual language.

Key requirements for third-party risk management include:

  • criticality classification of providers and services,

  • DORA-aligned contractual provisions,

  • defined obligations for security, availability, and incident reporting,

  • the right to audit providers and their operations,

  • robust exit strategies to ensure continuity in case of disruption.

A structured documentation and governance infrastructure is essential: contracts, SLAs, oversight controls, and incident records must be centralized, accessible, and fully auditable.

The Role of Employees in Digital Resilience

Technology can close many attack vectors, but it cannot eliminate the human factor.

Areas Where Training Is Essential

  • Recognizing phishing and social engineering attempts,

  • secure handling of information,

  • effective use of digital tools,

  • incident response procedures,

  • roles and responsibilities in business continuity.

Institutions that build a strong security culture will achieve DORA compliance faster and with lower risk exposure.

Is DORA Just the Beginning?

Europe is developing a broader digital resilience ecosystem, which includes:

  • oversight of artificial intelligence,

  • certification of security technologies,

  • further regulation of supply chains,

  • standardized reporting and response frameworks.

DORA is a foundation, not the final stage. Organizations that establish robust information and risk management frameworks today will be better positioned to meet future regulatory demands.

Next Steps: What Should Be Done Now?

Compliance with DORA is not a one-time project but an ongoing process of managing digital operational resilience. Financial institutions can begin, if they have not already, by taking the following steps:

  • assessing ICT risks and creating an inventory of assets,

  • updating internal policies and procedures,

  • conducting incident response exercises and simulations,

  • reviewing contracts with third-party providers,

  • performing resilience testing,

  • training employees,

  • implementing a sustainable system for managing documentation and records.

Podcast DigiChat

You can listen to the full conversation with Uroš Žust (in Slovenian) HERE.