
DORA: evolution and impact on company IT security

Anthony Bouyer

DORA marks a crucial turning point for IT security in the financial sector. Designed to strengthen operational resilience against growing cyber threats, this new European legislation imposes strict requirements on ICT risk management, third-party provider oversight and resilience testing. In this article we explore its evolution, the key changes it brings and the impact on company compliance. Learn how to prepare now for these new obligations.

Understanding DORA’s evolution

DORA origins: context and initial objectives

The Digital Operational Resilience Act (DORA), introduced by the European Commission, aims to strengthen digital operational resilience for financial-sector companies in the European Union. This regulation comes against a backdrop of growing ICT dependency that exposes these entities to significant risks — notably cyber threats and operational disruption.

The need to strengthen IT system security and business continuity for financial companies became crucial as digital threats evolved. The regulation creates a harmonised European framework, guaranteeing that every financial entity has the capabilities to withstand and quickly recover from major operational incidents.

Main stages of DORA’s development since 2020

DORA’s development started in 2020 in response to the fast-evolving digital landscape and the weaknesses observed in IT risk management at financial institutions. Key stages:

  • 2020: initial proposal by the European Commission.
  • 2022: adoption by the European Parliament and the Council of the European Union.
  • 2024: official entry into force, with measures progressively rolled out.
  • 2025: every financial entity must comply with DORA requirements.

These stages reflect the European Union’s clear will to strengthen financial stability by creating common rules for ICT risk management in the financial sector.

Comparison with previous regulations (NIS, GDPR, etc.)

Before DORA, other frameworks had been established to protect critical infrastructure and personal data. The most notable are the NIS directive (Network and Information Security) and GDPR.

  • NIS directive: focused on network and information-system security for critical infrastructure, but with a broader, cross-sector scope that doesn’t specifically address financial-sector requirements.
  • GDPR: focuses on personal-data protection, with data-management obligations, but doesn’t deeply address operational resilience.

DORA stands out by specifically targeting ICT risks in financial services, strengthening digital operational resilience. This regulation introduces clear obligations on risk management, third-party provider oversight and resilience testing, going beyond previous regulations.

Key changes brought by DORA

Strengthened ICT risk management requirements

DORA requires financial entities to strengthen their ICT risk management:

  • Continuous risk evaluation: companies must proactively identify, evaluate and manage ICT risks, embedding these processes in their existing risk-management policies.
  • Corrective action planning: in case of an incident, clear action plans must be in place to quickly restore operations.
  • Follow-up and reporting: companies must deploy regular monitoring and reporting processes on ICT-system status and associated risk management.

These requirements ensure financial companies are better prepared to face cyber threats and other risks tied to digital transformation.

New incident-management and resilience-testing obligations

One of DORA’s major contributions is the introduction of strict obligations on incident management and operational resilience testing:

  • Major incident notification: entities must promptly report major ICT incidents to the competent authorities — cyberattacks, system failures or any other disruption with significant operational impact.
  • Operational resilience testing: DORA requires companies to run regular resilience tests, such as incident simulation exercises, to evaluate their ability to withstand and recover from disruptions.
  • Business continuity plans: companies must have robust plans to guarantee business continuity during incidents, minimising service interruptions.

These new obligations strengthen companies’ ability to anticipate and respond effectively to ICT incidents, reducing potential operational impact.

Enhanced oversight of critical subcontractors and providers

DORA places particular emphasis on third-party provider management, especially critical ICT-service providers such as cloud services. Financial companies must now:

  • Evaluate and monitor providers: critical providers must be regularly assessed to ensure they meet DORA security and resilience standards.
  • Contracts with specific clauses: supplier contracts must include precise clauses on risk management, service continuity and incident notification.
  • Regular audits: companies must run regular provider audits to ensure DORA compliance.

This enhanced oversight reduces outsourcing risks and ensures critical providers don’t compromise operational resilience.

How DORA evolved to adapt to cyber risks

Accounting for evolving threats and technologies

The cyber-threat landscape evolves constantly, and DORA was designed to adapt:

  • Evolving cyber threats: DORA integrates the latest threats — ransomware, DDoS attacks, digital espionage — and imposes measures to counter them.
  • Emerging technologies: the framework encourages using cutting-edge technologies such as artificial intelligence to strengthen threat detection and resilience.
  • Continuous innovation: companies are encouraged to adopt innovations to stay ahead of new threats and improve security.

DORA therefore ensures financial companies are equipped to face current and future digital threats.

Integration of cybersecurity best practices and standards

To guarantee optimal security, DORA integrates several international cybersecurity best practices and standards:

  • Adoption of recognised standards: the regulation encourages adoption of ISO 27001, NIST and other cybersecurity standards.
  • Implementation of best practices: DORA recommends data encryption, multi-factor authentication and identity-and-access management.
  • Continuous training: companies must regularly train staff on security best practices to strengthen defences against cyberattacks.

By integrating these standards, DORA aims to raise the IT security level of financial-sector companies.

Flexibility to adapt to future changes

DORA was designed with flexibility that allows adaptation to future technology evolutions and threats:

  • Adjustment clauses: the regulation includes clauses to adjust requirements based on digital-landscape changes.
  • Periodic evaluations: competent authorities will run periodic evaluations to ensure DORA stays relevant.
  • Revisions and updates: the regulation can be revised to include new measures based on technology advances or new threats.

This flexibility ensures DORA continues to effectively protect financial companies against emerging risks.

DORA’s impact on compliance

Continuous adaptation of compliance programmes

With DORA in force, financial companies must adapt their compliance programmes to new requirements:

  • Internal policy updates: ICT risk-management policies must be revised to include new obligations.
  • Stronger controls: companies must strengthen internal controls to ensure continuous DORA compliance.
  • Team training: compliance teams must be trained on new requirements for effective implementation.

Adapting compliance programmes is essential to avoid penalties and guarantee continuous compliance.

Role of supervisory authorities in DORA application

Supervisory authorities such as EBA, ESMA and EIOPA play a crucial role:

  • Monitoring and audits: these authorities are in charge of monitoring DORA implementation and running regular audits.
  • Advice and assistance: they provide advice and help companies comply.
  • Penalties for non-compliance: authorities can impose penalties, from fines to operational restrictions.

Penalties and consequences of non-compliance

Penalties for non-compliance can be severe:

  • Financial fines: companies can be subject to significant fines for non-compliance.
  • Operational restrictions: for serious non-compliance, authorities can restrict certain operations or activities.
  • Reputation damage: non-compliance can lead to loss of customer and partner trust.

These penalties highlight the importance of proactive compliance with DORA.

Preparing the future with DORA

DORA’s medium- and long-term evolution

DORA is designed to evolve, with several medium- and long-term developments expected:

  • Strengthened requirements: ICT risk-management requirements will likely be strengthened to face evolving threats.
  • New resilience tests: new forms of resilience testing may be introduced.
  • Framework extension: DORA could be extended to new technologies or sectors, increasing its scope.

Opportunities offered by future DORA versions

Future versions of DORA will also offer opportunities:

  • Technology innovation: DORA encourages new technology adoption to improve security and resilience.
  • Enhanced collaboration: companies will be encouraged to collaborate more with providers and partners.
  • Strategic positioning: companies that quickly comply with new DORA versions can position themselves as cybersecurity leaders.

Tips to stay proactive against regulatory evolution

To stay proactive:

  • Monitor evolutions: set up watch mechanisms to track regulatory updates.
  • Continuously train staff: ensure continuous team training on new DORA requirements.
  • Collaborate with experts: work with consultants or specialised services.

DORA represents a major change in how financial-sector companies manage ICT risks. By complying, companies not only strengthen operational resilience but also improve IT security against growing cyber threats. Proactive DORA implementation is essential to guarantee business continuity and information-system protection in an ever-evolving digital environment.