What is DORA? What Banks Need to Know in January 2025
Learn how the E.U.'s Digital Operational Resilience Act (DORA) regulatory technical standards focus on an organization's ability to respond to digital attacks and business disruptions
UPDATE: This post, originally published on August 24, 2023, has been updated to reflect the most current information available about DORA regulations and the upcoming enforcement deadline this month.
The Digital Operational Resilience Act, or DORA, is a groundbreaking regulatory framework for the financial services industry that the European Union (E.U.) passed in 2022. While it took effect on January 16, 2023, it became fully enforceable on January 17, 2025.
DORA aims to enhance the resilience of financial institutions against risks such as ransomware, supply chain attacks, and other cybersecurity threats. The regulation mandates that financial sector entities and their information and communication technology (ICT) service providers improve their cybersecurity practices, particularly their incident response and resiliency plans.
This post covers everything you need to know about DORA. We’ll start by defining DORA and explaining how it differs from the General Data Protection Regulation (GDPR). Then, we’ll explore its benefits, key objectives, and the various industries it impacts, including the specific implications for ICT third-party service providers.
Lastly, we’ll provide high-level best practices for ensuring compliance with DORA. Let’s dive in and uncover DORA’s significance in enhancing digital resilience.
- What is DORA compliance?
- How does DORA compare to GDPR?
- What are the key objectives of DORA?
- What industries are affected by the DORA regulation?
- How does DORA impact ICT third-party service providers?
- How to comply with DORA
What is DORA compliance?
DORA compliance means meeting the regulation's requirements for ICT risk management, incident handling and reporting, digital operational resilience testing, ICT third-party risk, and information sharing, so that an E.U. financial entity can withstand, respond to, and recover from ICT disruptions and cyber threats. These requirements are designed to ensure that E.U. financial institutions manage and mitigate the effects of cybersecurity events while maintaining operational resilience and demonstrating compliance to their supervisors, or face serious repercussions.
Penalties for DORA violations can be steep. The regulation does not itself set fixed fine amounts for financial entities; instead, it requires each E.U. member state to lay down administrative penalties and remedial measures for breaches in national law, and leaves member states free to provide for criminal penalties as well, so the exposure depends on where an entity is supervised. For critical ICT third-party service providers, DORA is more specific: the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover, for up to six months, for failing to comply with its oversight measures.
Fortunately, complying with DORA has significant upside. “Compliance with DORA offers significant benefits to those who adhere to its explicit requirements and underlying principles,” says Rois Ni Thuama, head of cyber governance at security vendor Red Sift. “The economic advantages are substantial, leading to improved decision-making and avoiding the costs associated with neglecting known threats.”
Now that we’ve defined DORA, you might wonder, didn’t we already experience something like this recently with GDPR? Let’s quickly compare DORA and GDPR to understand their similarities and differences and see how each regulation uniquely enhances digital resilience and data protection.
How does DORA compare to GDPR?
DORA does not start from scratch. Its ICT risk management framework follows the identify, protect, detect, respond, and recover structure familiar from the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and its governance and accountability model will feel familiar to anyone who has implemented GDPR. DORA builds on these foundations to set resilience requirements specific to financial institutions.
However, while DORA and GDPR are significant E.U. regulations, they differ in focus and scope. GDPR is broader, focusing on data protection and privacy for all organizations handling personal data. DORA specifically targets the financial sector, concentrating on ICT risks and operational resilience, with objectives designed to ensure financial entities can withstand, respond to, and recover from all ICT-related disruptions and threats.
By focusing on these core goals, DORA aims to enhance the overall resilience and security of the financial sector.
What are the key objectives of DORA?
The ultimate goal of DORA is to ensure a more resilient risk posture by standardizing operational resilience requirements for financial institutions, creating a uniform regulatory landscape across the E.U.
To achieve this, DORA requirements are prescriptive, with a strong focus on how organizations implement effective risk management, incident management and reporting, and governance practices, including:
- Strengthen risk management: Financial institutions and all covered entities must establish comprehensive strategies to address and mitigate risks, including cyber threats and operational disruptions of information systems. They must also perform regular risk assessments to demonstrate how they effectively manage their risks.
- Improve incident management and reporting: Organizations must have processes to detect, classify, handle, and report ICT-related incidents, together with business continuity plans covering their operations, including critical or important functions outsourced to or contracted through ICT third-party service providers.
DORA also requires financial entities to report major ICT-related incidents to their competent authority in three stages. Under the ESAs' technical standards on incident reporting, the initial notification is due within 4 hours of classifying the incident as major and no later than 24 hours after the entity becomes aware of it; an intermediate report follows within 72 hours of the initial notification; and a final report is due within one month of the intermediate report. These reports must include details such as the type of incident, affected areas and services, impact, and the actions taken to resolve it. Each later deadline runs from the actual submission of the previous report, so the clock is driven by what the entity does, not by the nominal schedule.
- Promote digital operational resilience testing: Regular testing is mandated to ensure that systems and processes can withstand and recover from disruptions. Every in-scope entity must test all ICT systems and applications supporting critical or important functions at least yearly, using methods such as vulnerability assessments, scenario-based tests, and penetration testing. Threat-led penetration testing (TLPT) is the advanced tier: financial entities identified by their competent authority must carry out TLPT at least every three years on live production systems supporting critical or important functions, using threat intelligence to simulate real-world attackers against technical controls, organizational processes, and incident response capabilities. Testers must meet DORA's independence requirements, and external testers must be used for at least every third test.
- Establish governance and oversight: DORA requires financial entities to implement strong governance and oversight practices to ensure effective risk management and IT compliance with regulatory standards, policies, and controls. Under DORA, the management body of financial entities is responsible for defining, approving, overseeing, and implementing all arrangements related to the ICT risk management framework, including setting policies to maintain high standards of data security, establishing clear roles and responsibilities for ICT-related functions, and ensuring effective communication and coordination among these functions.
Firms should be prepared to share their framework and internal cybersecurity governance and control frameworks with regulators to show how they identify, assess, monitor, and manage ICT risks.
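The three-stage reporting clock described above, as an added example that is not part of the original post or of any vendor's product: a small Python helper an incident-response team could embed in its case-management tooling to compute DORA major-incident reporting deadlines. It assumes the timings from the ESAs' technical standards on incident reporting (initial notification within 4 hours of classifying the incident as major and no later than 24 hours after awareness; intermediate report within 72 hours of the initial notification; final report within one month of the intermediate report); the class, function, and field names, and the calendar-month reading of "one month", are this example's own choices. It handles the two edge cases a practitioner trips over: before classification only the 24-hour backstop is known, and the 72-hour and one-month windows run from when the previous report was actually submitted, so filing early brings the next deadline forward.

```python
"""DORA major-incident reporting clock (illustrative example, not from the original post).

Assumed timings (ESAs' technical standards on incident reporting):
  initial notification: within 4h of classifying the incident as major,
                        and no later than 24h after becoming aware of it
  intermediate report:  within 72h of the initial notification
  final report:         within one month of the intermediate report
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def plus_one_month(ts: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (31 Jan -> 28/29 Feb).
    This calendar reading of "one month" is an assumption of this example."""
    year = ts.year + 1 if ts.month == 12 else ts.year
    month = 1 if ts.month == 12 else ts.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def _as_utc(ts: datetime) -> datetime:
    """Reject naive timestamps: a deadline is only meaningful on one clock."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


@dataclass
class IncidentClock:
    aware_at: datetime                               # entity became aware of the incident
    classified_major_at: Optional[datetime] = None   # incident classified as "major"
    initial_sent_at: Optional[datetime] = None       # actual submission times, not deadlines
    intermediate_sent_at: Optional[datetime] = None
    final_sent_at: Optional[datetime] = None

    def __post_init__(self):
        self.aware_at = _as_utc(self.aware_at)
        for field in ("classified_major_at", "initial_sent_at",
                      "intermediate_sent_at", "final_sent_at"):
            value = getattr(self, field)
            if value is not None:
                setattr(self, field, _as_utc(value))

    def initial_deadline(self) -> datetime:
        """Earlier of (classification + 4h) and (awareness + 24h).
        Before classification, only the 24h backstop is known."""
        backstop = self.aware_at + INITIAL_AFTER_AWARENESS
        if self.classified_major_at is None:
            return backstop
        return min(self.classified_major_at + INITIAL_AFTER_CLASSIFICATION, backstop)

    def intermediate_deadline(self) -> Optional[datetime]:
        """Runs from the initial notification's actual submission, not its deadline."""
        if self.initial_sent_at is None:
            return None
        return self.initial_sent_at + INTERMEDIATE_AFTER_INITIAL

    def final_deadline(self) -> Optional[datetime]:
        if self.intermediate_sent_at is None:
            return None
        return plus_one_month(self.intermediate_sent_at)

    def schedule(self) -> dict:
        return {"initial": self.initial_deadline(),
                "intermediate": self.intermediate_deadline(),
                "final": self.final_deadline()}

    def overdue(self, now: datetime) -> list:
        """Names of reports whose deadline has passed with no recorded submission."""
        now = _as_utc(now)
        late = []
        checks = (("initial", self.initial_deadline(), self.initial_sent_at),
                  ("intermediate", self.intermediate_deadline(), self.intermediate_sent_at),
                  ("final", self.final_deadline(), self.final_sent_at))
        for name, deadline, sent_at in checks:
            if deadline is not None and sent_at is None and now > deadline:
                late.append(name)
        return late


if __name__ == "__main__":
    # Constructed scenario: aware Monday 10:00 UTC, classified major 21h later.
    clock = IncidentClock(aware_at=utc(2025, 3, 3, 10),
                          classified_major_at=utc(2025, 3, 4, 7))
    print(clock.schedule())          # initial deadline is the 24h backstop, 2025-03-04 10:00 UTC
    print(clock.overdue(utc(2025, 3, 4, 10, 1)))  # ['initial']
```

The helper deliberately refuses naive timestamps; mixing a local-time detection stamp with a UTC classification stamp is an easy way to miss a 4-hour window by exactly one time-zone offset.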
“It’s good to see a focus on resilience,” says Wim Remes, operations manager at security firm Spotit. “This set of regulations aims to move entities away from simply checking the boxes when it comes to regulatory mandates,” Remes says, to a more holistic (and more effective) compliance risk management strategy to protect financial systems.
Now that we’ve explored DORA’s key objectives, let’s shift our focus to the industries it impacts. By identifying the affected sectors, we can better appreciate DORA’s extensive influence and significance in enhancing digital resilience across various fields.
What industries are affected by the DORA regulation?
DORA is a wide-reaching E.U. regulation whose obligations follow the financial entity, so organizations worldwide that serve E.U. financial institutions feel its effects. It applies to a broad list of financial entities, including banks (credit institutions), payment institutions, electronic money institutions, account information service providers, investment firms, fund management companies, trading venues, insurance intermediaries and brokers, crypto-asset service providers, insurance and reinsurance undertakings, and other financial institutions.
“There is no DORA lite,” explains Ni Thuama. For businesses based inside or outside the E.U., “the impact is the same.”
Additionally, DORA’s requirements significantly affect third-party service providers that offer critical ICT services to financial entities. These requirements greatly influence their operations and responsibilities, as these providers play a vital role in supporting the financial sector.
How does DORA impact ICT third-party service providers?
DORA also covers providers of information and communication technology, or ICT, services: digital and data services delivered through ICT systems, including cloud providers, data analytics and data center services providers, hardware-as-a-service and other hardware services providers, and electronic communications services providers. The regulation's definition of ICT services expressly excludes traditional analogue telephone services.
Under DORA, ICT providers can be designated as “critical” based on their systemic impact, financial entities’ dependencies with them, and other factors. The European Supervisory Authorities (ESAs), which include the European Insurance and Occupational Pensions Authority (EIOPA), the European Banking Authority (EBA), and the European Securities and Markets Authority (ESMA), are responsible for designating ICT providers as such.
Critical ICT third-party service providers must comply with an enhanced oversight framework, including regular assessments and audits, to effectively demonstrate their ability to manage risks and mitigate ICT-related incidents.
At the same time, financial entities that outsource ICT systems remain responsible for their own compliance. They must conduct thorough due diligence before contracting, include DORA's mandatory contractual provisions in their agreements with ICT providers, maintain a register of information on all their ICT third-party arrangements, and continuously monitor third-party risk.
Understanding how DORA impacts ICT third-party service providers is crucial for grasping the full scope of the regulation. Let’s move on to high-level guidance on how these providers and other affected entities can work to ensure compliance with DORA’s requirements.
How to comply with DORA
Large technology providers, such as Google Cloud, have already made the necessary changes to become DORA-compliant. For example, they brought together subject matter experts from risk and compliance, security, legal, government affairs, and product teams to prepare compliance plans where needed.
The Google Cloud team also explained, “These plans build upon our strong foundation in areas like security, resilience, and third-party risk management that already enable our E.U. financial services customers to address their rigorous regulatory expectations.”
Google also prepared for its likely designation as a critical ICT third-party provider and for the annual oversight engagements that designation brings: oversight plans, inspections, recommendations, and advice to customers on incident reporting. The Google playbook is a good one to follow: baseline your current capabilities against DORA's requirements and close the identified gaps.
The great thing about DORA is that it does not require novel thinking. “In fact, it essentially requires that financial entities follow best practices,” Ni Thuama says.
Ni Thuama advises financial services firms and technology providers that must adhere to DORA to self-assess across these six areas:
- Governance
- Risk management
- Reporting
- Testing
- Third-party risk
- Information sharing
“They need to plot those key areas, determine where they are today with respect to each of those key areas, and fill those gaps, assuming there are gaps,” she advises.
So, where to start? Ni Thuama recommends that firms review the ICT Risk Management Framework and identify their testing requirements. She says businesses should “schedule periodic testing of tools and systems to assess preparedness and correct for any weaknesses, deficiencies, or gaps.”
Ultimately, DORA demands firms do what they should already be doing, notes Scott Crawford, information security research head at 451 Research. We should expect the same focus on cyber resilience from regulators everywhere. “You’re going to continue to see regulations that ensure companies can respond to significant cyber events, whether it’s denial-of-service attacks or ransomware — no matter what form those events take,” he says.
Tanium supports organizations complying with DORA regulations by providing comprehensive solutions that enhance digital resilience. Our latest enhancement, Tanium Autonomous Endpoint Management (AEM), streamlines many management processes using simplified, native AI and automation capabilities to reduce the need for skilled expertise to build, scale, and maintain an automation library in even the most challenging and dynamic environments.
Our integrated solutions are built with security in mind to help organizations navigate the growing complexity of today’s threat landscape. Our industry-leading, real-time features like integrating organization, community, and third-party threat intelligence with Tanium Incident Response and leveraging proactive risk scores in Tanium Risk & Compliance management solution tell the story about what’s happening in the environment right now so organizations can prioritize their efforts to safeguard digital operations and meet DORA’s stringent requirements.
With Tanium, you can confidently navigate the complexities of compliance while simplifying your efforts to strengthen your overall cybersecurity posture quickly. Schedule a free, customized demo of Tanium in your environment today.