The EU’s Digital Operational Resilience Act — DORA — was published in the Official Journal of the European Union on 27 December 2022. It entered into force on 16 January 2023 and, with a two-year compliance window, creates a mandatory compliance deadline of 17 January 2025 for the financial entities and ICT third-party service providers it covers.
DORA is the most significant new compliance requirement for the EU financial sector in the digital risk space since GDPR. It consolidates and significantly raises the bar for ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk management — creating a single, harmonised framework that replaces a patchwork of national-level guidance and sector-specific regulatory expectations.
Who DORA Applies To
DORA’s scope is deliberately broad within the financial sector. It applies to credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, insurance undertakings, reinsurance undertakings, pension funds, central securities depositories, and a range of other regulated financial entities operating in the EU. It also applies to ICT third-party service providers — including cloud computing service providers, software providers, and data analytics providers — that provide services to these financial entities.
For non-EU financial entities with EU operations, the principle is straightforward: if you operate in the EU and fall within the scope categories, DORA applies. The regulation applies to the financial entity, not just to EU-incorporated entities.
The Five Pillars of DORA Compliance
DORA organises its requirements across five core areas:
ICT risk management (Chapters 2 and 3). Financial entities must establish, implement, and maintain a sound ICT risk management framework with clearly defined roles and responsibilities. The framework must identify ICT risks across the organisation’s technology estate, classify and document ICT systems, and implement appropriate controls. Management bodies are explicitly responsible for this framework — DORA creates personal accountability for senior management, not just organisational accountability.
ICT-related incident management and reporting (Chapter 4). Financial entities must have processes to detect, manage, and classify ICT incidents and cyber threats. Major ICT incidents must be reported to relevant competent authorities within defined timeframes — initial notification within 4 hours of classification, intermediate reports, and final reports. DORA harmonises what was previously a fragmented national reporting landscape.
Digital operational resilience testing (Chapter 5). Financial entities must conduct resilience testing to identify weaknesses in their ICT systems. Basic testing (vulnerability assessments, scenario-based testing) applies to all entities. Advanced testing — Threat-Led Penetration Testing (TLPT) aligned with the TIBER-EU framework — applies to significant financial entities identified by their competent authority.
ICT third-party risk management (Chapters 5 and 6). Financial entities must manage risks arising from third-party ICT providers — maintaining a register of all ICT third-party arrangements, conducting due diligence on new providers, ensuring contracts include mandatory provisions, and managing concentration risks where critical functions depend on a small number of providers.
Information sharing (Chapter 6). DORA encourages financial entities to share cyber threat intelligence and information voluntarily — creating a framework for trusted information sharing that is currently ad hoc across the sector.
The Two-Year Compliance Window
Seventeen January 2025 seems distant from December 2022. It is not, for organisations that have not yet invested in the ICT risk management and third-party risk management infrastructure that DORA requires. Building a compliant ICT risk management framework, implementing incident classification and reporting processes, establishing a comprehensive register of ICT third-party arrangements, and preparing for digital operational resilience testing is a programme of work that typically takes 12 to 18 months for organisations starting from a modest baseline.
Organisations that begin planning now, and begin implementation in Q1 2023, have a realistic path to DORA compliance by January 2025. Organisations that wait until 2024 will be in difficulty.
At Bitsecura, we are working with financial entities now to assess their readiness against DORA’s requirements and build compliance programmes that are achievable within the January 2025 timeline. If you want to understand what DORA requires of your organisation and where your programme gaps are, start a conversation with us here.
Bitsecura provides DORA compliance consulting and ICT risk management services for financial entities. Learn more about our DORA services.