DORA’s compliance deadline of 17 January 2025 has arrived. For financial entities operating under EU regulation — banks, insurers, investment firms, payment institutions, and a broad range of other financial services organisations — the Digital Operational Resilience Act is now enforceable. Among its requirements, DORA imposes specific and demanding obligations on business continuity and disaster recovery programmes that go significantly beyond what most organisations have in place.

DORA’s Core BCM Requirements

DORA Article 11 establishes the business continuity requirements for financial entities. The requirements are specific and operational — not principles-based guidance but enforceable mandates. Key requirements include:

Business continuity policy. Financial entities must have a dedicated business continuity policy, approved by management, covering their ICT systems and services. This policy must be reviewed and updated at least annually and following significant changes. A generic information security policy with a continuity section does not satisfy this requirement.

Business impact analysis. DORA requires a formal business impact analysis identifying critical functions and the IT systems and services that support them. The BIA must establish recovery time objectives (RTOs) and recovery point objectives (RPOs) for each critical function — and these must be realistic, achievable, and tested, not aspirational targets set in a document without operational validation.

Documented recovery procedures. Recovery procedures for ICT systems supporting critical functions must be documented, tested, and maintained. The documentation must be sufficient for the personnel responsible for execution to actually execute recovery without expert guidance. Plans that reference systems or contacts that no longer exist do not satisfy this requirement.

Testing requirements. DORA is explicit that BCM and DR plans must be tested. Article 25 requires that financial entities test their digital operational resilience plans annually — including business continuity plans and disaster recovery plans for ICT systems. The testing must be documented, findings must be recorded, and identified weaknesses must be addressed. Testing that produces no findings or that results in no remediation activity will not survive regulatory scrutiny.

Third-party and ICT service provider considerations. BCM plans must account for the scenarios where critical ICT service providers — cloud providers, managed service providers, core banking platform providers — are unavailable. DORA’s requirements for ICT third-party risk management (Chapters 5 and 6) intersect directly with BCM: entities must have exit strategies for critical providers and must understand how a provider failure would affect their ability to maintain critical functions.

What DORA Raises the Bar On

Most financial entities entering 2025 with existing BCM programmes will have some of these elements in place. What DORA specifically raises the bar on is testing rigour and documentation quality. Plans that have never been tested — or that were tested in a walkthrough exercise that found no gaps — do not meet DORA’s expectations. RTO and RPO targets that are documented but not validated through actual recovery testing do not meet DORA’s expectations.

Regulators examining DORA compliance will ask to see test records, test findings, and remediation evidence. Organisations that cannot produce these records are not demonstrating operational resilience — they are demonstrating compliance paperwork.

At Bitsecura, we help financial entities meet DORA’s BCM and DR requirements — conducting business impact analyses, designing compliant recovery procedures, running mandatory testing programmes, and producing the documentation that demonstrates genuine operational resilience. If you need to close BCM gaps for DORA compliance, talk to us here.


Bitsecura provides business continuity management and disaster recovery planning services. Learn more about our BCM and DR services.