DORA Compliance

Understand the requirements of the EU’s Digital Operational Resilience Act (DORA) and how to prepare your organization with DORA cybersecurity and software solutions.

What Is DORA?

The Digital Operational Resilience Act (DORA) is one of the newest mandates governing how European Union (EU) financial services organizations manage IT and cyber risks. 

The Goal

The goal of DORA cybersecurity compliance is to strengthen the information and communication technology (ICT) security of those operating in the EU financial sector. It accomplishes this by streamlining and upgrading existing rules pertaining to digital operational resilience and introducing new requirements to address cybersecurity gaps. Notably, it requires companies to enhance risk management, incident reporting processes, testing, and compliance related to critical third-party partners.

Reliance on ICT Technologies

As EU financial entities (FEs) increase their reliance on ICT, security scrutiny has shifted to the ICT third-party service providers (ICT TPPs) that support them. These vendors play a vital role in the prompt and secure delivery of financial services, so a failure at one provider can propagate across the many entities, markets, and interdependent economies that rely on it.

Addressing Supply Chain Risk

DORA seeks to reduce the risk of supply chain attacks and increase the cybersecurity of the EU’s financial sector by enhancing the security and operational resilience of ICT vendors through new and robust legislation. 


DORA's General Objectives

Objective One

Reduce the risk of financial disruption and instability within the EU's financial sector by increasing the digital operational resilience and cybersecurity of financial entities and of the ICT service providers they depend on.

Objective Two

Reduce the administrative burden on EU financial entities managing ICT risk by replacing overlapping national and sectoral rules with one harmonised set of requirements, and increase supervisory effectiveness.

Objective Three

Increase consumer and investor protection for those participating in financial activities regulated by the European Union.

DORA Compliance

Is DORA Compliance Mandatory?

Yes. DORA applies to every financial entity within the scope of Article 2 that operates in the European Union, and to the ICT third-party service providers that support them; providers that the ESAs designate as critical ICT third-party providers (CTPPs) come under direct oversight.

DORA Compliance Deadlines

All applicable entities must adhere to DORA legislation by January 17th, 2025. As noted in a public statement issued by the European Supervisory Authorities (ESAs) on December 4, 2024, “DORA does not provide for a transitional period” so “financial entities are expected to identify and address in a timely manner gaps between their internal setups and the DORA requirements.” 

Below is a list of key dates for DORA compliance:  

January 16, 2023

DORA (Regulation (EU) 2022/2554) entered into force under Article 64, twenty days after its publication in the Official Journal. Nothing was yet enforceable; this opened the two-year preparation window.

January 17, 2025

Article 64 sets this as the date from which DORA applies. From this day on, competent authorities can enforce its requirements.

April 30, 2025

Competent authorities pass the registers of information collected from financial entities to the ESAs, which use them to assess the criticality criteria for ICT services and to designate critical ICT third-party providers.

January 17, 2026

Article 58 requires the European Commission to report on the appropriateness of strengthened digital operational resilience requirements for statutory auditors and audit firms, which are outside DORA's current scope.

Consequences and Penalties of DORA Non-Compliance

Each EU member state holds the authority to enforce DORA within its own jurisdiction: Article 50 requires member states to lay down their own administrative penalties and remedial measures, and DORA itself does not fix a single EU-wide fine schedule for financial entities. Measures available to competent authorities include:

  • Orders to cease conduct that breaches DORA and to refrain from repeating it
  • Mandatory remedial measures, audits, and inspections
  • Public notices naming the entity and the nature of the breach
  • Financial penalties set under national law, which member states may also apply to members of the management body and other responsible individuals

Critical ICT third-party providers (CTPPs) face direct oversight by a Lead Overseer. Under Article 35 the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, charged daily for up to six months, until the provider complies with its recommendations. The most severe consequence for a provider is indirect: competent authorities can require financial entities to suspend or terminate their contracts with a CTPP that does not address the Lead Overseer's findings.

Who Needs to Comply with DORA?

Financial Entities (FEs)

DORA does not define financial entities by what they do with money; Article 2 lists the entity types in scope. Examples include the following:

  • Credit institutions (banks)
  • Payment institutions and electronic money institutions
  • Investment firms and brokers
  • Crypto-asset service providers
  • Central securities depositories, central counterparties, and trading venues
  • Trade repositories and securitisation repositories
  • Managers of alternative investment funds and management companies
  • Insurance and reinsurance undertakings, and insurance intermediaries
  • Institutions for occupational retirement provision
  • Credit rating agencies
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • ICT third-party service providers

Statutory auditors and audit firms were dropped from the final scope; whether to bring them in is the subject of the Commission review due under Article 58 by January 17, 2026. DORA also applies proportionality: certain small entities, such as small and non-interconnected investment firms, follow a simplified ICT risk management framework under Article 16 rather than the full set of requirements.

Third Parties Are Now Subject to Regulation

With DORA in place, a financial entity's previously unregulated supply chain partners can expect regulatory attention in two ways. Every ICT third-party service provider is reached indirectly, because the contracts financial entities sign with it must carry the terms required by Article 30 and its services must appear in the register of information. Providers that the ESAs designate as critical (CTPPs) are reached directly, through the oversight framework and a Lead Overseer. Hardware is not excluded: Article 3 defines ICT services as digital and data services delivered through ICT systems, including hardware as a service and hardware that is supported through software or firmware updates. Providers in scope include:

  • Cloud computing and hosting providers
  • Providers of software and software-as-a-service
  • Providers of digital and data services
  • Providers of data analytics
  • Data centres

DORA and Cybersecurity

Working toward DORA compliance gives financial institutions and members of their third-party networks an excellent opportunity to take a fresh look at security vulnerabilities and everyday risk management practices. Addressing weak points can present a strategic advantage in an ever-challenging digital landscape and help address similar elements of multiple regulations. 

At its heart, DORA is designed to ensure that the EU's financial services organizations can maintain business as usual in the event of a cyberattack or other ICT disruption. Standardized requirements for increasingly linked entities (and those in their extended supply chains) will help the EU financial community achieve stronger overall cyber protection through better assessment, reporting, and communication of ICT risk. This, in turn, will reduce the risk of attacks that result in downtime, lost business, and financial loss.

DORA Requirements

DORA's five fundamental pillars address the following cybersecurity measures:

1. Information and Communication Technology (ICT) Risk Management

Under DORA, financial entities must maintain a sound, comprehensive, and well-documented ICT risk management framework (Article 6) and assess the ICT risk, including the risk of cyberattacks, to the business functions it supports.

  • Focus on internal governance and control processes for effective ICT risk management.
  • Ensure the management body, which bears ultimate responsibility for ICT risk (Article 5), keeps abreast of risk levels.
  • Implement an information security management system aligned with internationally recognized standards.

2. Classification and Reporting of ICT-related Incidents

Financial entities must classify ICT-related incidents and report major ones to their competent authority (Article 19) through an initial notification, an intermediate report, and a final report; significant cyber threats may be reported on a voluntary basis.

  • Detect, manage, and alert appropriate personnel of ICT-related incidents.
  • Classify incidents using the Article 18 criteria: number of clients and counterparts affected, duration, geographic spread, data losses, criticality of the services affected, and economic impact.

3. Digital Operational Resilience Testing

ICT systems must be tested regularly by financial entities to identify vulnerabilities and ensure readiness against a cyberattack.

  • Evaluate readiness for managing cybersecurity incidents; spot flaws, shortcomings, and gaps in digital operational resilience; and swiftly put corrective measures in place.
  • Test ICT systems and applications supporting critical or important functions at least yearly (Article 24); entities identified for it must also run threat-led penetration testing at least every three years (Article 26).

4. Information and Intelligence Sharing Between Financial Entities

Under DORA, financial entities are encouraged to share cyber threat information and cybersecurity best practices among themselves to increase the individual and collective resilience of financial entities across EU member states.

  • Enhance resilience through timely exchange of cyber threat intelligence.
  • Shared intelligence includes indicators of compromise; tactics, techniques, and procedures (TTPs); cybersecurity alerts; and configuration tools (Article 45).

5. Third-Party Risk Management

DORA requires financial entities to manage ICT third-party risk as an integral part of their ICT risk (Article 28). They remain fully responsible for obligations they outsource, whether or not the provider is a CTPP.

  • Adopt and regularly review your ICT third-party risk strategy.
  • Maintain a Register of Information covering all contractual arrangements with ICT third-party service providers, distinguishing those that support critical or important functions.
  • Follow defined processes for entering into and exiting ICT third-party service agreements, including pre-contractual risk assessment, concentration risk analysis, and exit strategies.

Key DORA Deliverables for 2025

DORA requires the following from financial entities (FEs) by January 17, 2025:

1. An ICT risk management framework

This should identify all ICT supported business functions and their associated risks.

2. Continuous control and monitoring of ICT tools

This ensures that critical protections are ongoing and that entities receive early warning of threats.

3. Advanced testing of digital operational resilience

Entities are also required to create a threat-led approach to testing.

4. Provisions for third-party risk management

  • ICT third-party service provider (TPP) contracts must align with DORA.
  • FEs must maintain a "register of information" on all ICT TPPs.
  • Have a risk concentration management process in place.

5. A reporting and incident classification framework

This provides the vehicle for classifying ICT-related incidents and reporting major ones to the competent authority accurately and on time.

6. A clearly defined governance structure

The ultimate responsibility for ICT risk management falls on top executives.

DORA Deliverables for Critical Third-Party ICT Providers (CTPPs)

Under DORA, ICT third-party service providers (TPPs) must be ready to support the following FE obligations by the January 17, 2025 deadline. How much of this falls on a given provider depends on whether the FE function it supports is critical or important, and on whether the ESAs designate the provider as a CTPP. Here are the FE obligations under DORA that also place a burden on their ICT TPPs:

  1. Ensure all ICT TPP contracts are DORA compliant.
  2. Maintain a "register of information."
  3. Establish a process for risk concentration management.
  4. Annually test both business continuity plans and disaster recovery plans.
  5. Identify the FE's overall ICT strategy and justify its procurement approach.
  6. Adopt an ICT TPP risk management strategy.
  7. Document all ICT TPP-dependent processes.
  8. Perform a threat-led penetration test of key systems at least every three years, where the FE is required to do so.

In many cases, financial organizations will not have to start from square one to address the impact of DORA. They may already have many of the building blocks in place due to operational requirements for NIS2, GDPR, PCI DSS, and other compliance standards. Consider a preliminary audit to see how many DORA-compliant measures your financial entity already has in place, then lean on our portfolio of solutions to address the gaps.

How to Prepare for DORA in 5 Steps

It’s easy for non-technical people to underestimate the impact of a regulation like DORA. One key advantage of the regulation is that it helps to raise awareness at the leadership level about the need for investment in projects and teams that will ensure compliance. People, processes, and technology all play a role when it comes to implementing and enforcing an operational resilience strategy.  

5 Steps for Financial Entities (FEs)

The EU’s financial services sector can prepare for DORA compliance in the following ways:

  1. Identify which ICT TPPs provide critical and important functions.
  2. Alter existing ICT TPP contracts to comply with DORA policies and ensure all contracts leverage DORA-compliant verbiage going forward.
  3. Audit vendor onboarding policies to ensure all future partners adhere to DORA measures.
  4. Align current incident response and business continuity playbooks to conform with DORA.
  5. Train top-level executives in the awareness and seriousness of ICT risks.  

5 Steps for Information and Communication Technology Third-Party Service Providers (ICT TPPs)

ICT TPPs providing services to financial entities within the EU can also prepare by doing the following:

  1. Overhaul all current and future contracts to meet DORA provisions.
  2. Ready data for FEs' forthcoming "register(s) of information."
  3. Ensure internal policies and procedures are altered to reflect DORA changes, including the areas of asset management, encryption, cryptographic controls, data security, patch management, and vulnerability management.
  4. Put incident reporting mechanisms in place that let your FE customers meet DORA's requirements for prompt notification of a major ICT-related incident.
  5. Establish separate onboarding and offboarding strategies for working with a DORA-compliant FE.

3 Pillars of Preparation: People, Process, and Technology

People

Appoint a champion to oversee DORA compliance from the top.

Clearly define roles and responsibilities.

Educate employees on the new process.

DORA FAQs

Is DORA a Directive or a Regulation?

DORA is an EU Regulation, Regulation (EU) 2022/2554, not a Directive. An EU Directive legislates goals that all EU member states must achieve but leaves the specific implementation up to the member states. An EU Regulation is a binding legislative act that applies directly across the entire EU without national transposition, which is why DORA has no transitional period. The confusion arises because DORA was published together with an amending Directive, Directive (EU) 2022/2556, which updates existing sectoral directives so that they align with DORA. Member states do retain a role: they designate competent authorities and set the administrative penalties (Article 50).

What is a CTPP?

A CTPP, under DORA, is a "Critical Third-Party Provider", more fully a critical ICT third-party service provider. It is an ICT TPP that the ESAs have designated as critical under Article 31, based on criteria such as the systemic impact its failure would have on financial services, the systemic importance of the financial entities relying on it, how many entities depend on it for critical or important functions, and how easily it could be substituted. Designation places the provider under direct oversight by a Lead Overseer. Not all ICT TPPs are CTPPs; those that are not are still reached through the contractual and register requirements placed on financial entities.

How will CTPPs be designated?

Financial entities submit their register(s) of information to their competent authorities, which pass them on to the ESAs by April 30, 2025. As noted by the European Banking Authority, FEs use a set of Implementing Technical Standards (ITS) templates for this submission; the ESAs use the collected registers to assess the criticality criteria and designate CTPPs.

How does DORA interact with GDPR?

No doubt your organization already has documented security policies in place for GDPR, but these will need to be supplemented and updated for DORA. Article 8 requires a risk assessment upon each major change in the network and information system infrastructure, or in the processes and procedures affecting ICT-supported business functions, information assets, or ICT assets. In certain cases this will align with Data Protection Impact Assessments (DPIAs) under GDPR, and the DORA assessment can serve as the initial screening that determines whether the change requires a DPIA to be conducted.

How does DORA relate to NIS2?

DORA is considered a "lex specialis" to the EU's Network and Information Systems Directive 2 (NIS2, Directive (EU) 2022/2555). This means that in cases to which DORA applies, i.e., cases pertaining to Europe's financial sector and its critical ICT providers, DORA's specific requirements take precedence over NIS2's more general ones.

DORA Security Solutions from Fortra

Complying with DORA’s requirements will take time and careful planning. Understanding the existing state of your infrastructure allows you to assess risks and prioritize your remediation efforts with Fortra technology and services.

Working toward DORA compliance gives EU financial entities, and their ICT third-party service providers, an excellent opportunity to take a fresh look at security vulnerabilities and everyday risk management practices. Fortra offers a suite of solutions designed to help financial entities and ICT third-party service providers maintain DORA cybersecurity compliance. They include:

Identifying security weak points can present a strategic advantage in an ever-challenging digital landscape and help address similar elements of multiple regulations. Not least of all, addressing these issues gives FEs and ICT TPPs the opportunity to be DORA-compliant and continue operating under EU policy in the coming year and beyond.

Fortra Can Help with DORA Compliance

Contact the professionals at Fortra for a free 30-minute consultation on what solutions are best for your organization. We’ll help you determine what you need to do next to be in compliance with DORA.
