What is DORA?
DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), is a European regulation that has applied since 17 January 2025. It starts from a simple observation: the financial sector now depends heavily on digital systems and third-party providers, and a technology failure at one entity or one shared provider can spread across the entire financial system as fast as a liquidity crisis.
DORA turns operational resilience, long treated as a technical matter, into a structured and supervised regulatory obligation.
Why it matters for your organization
For a financial entity, DORA is not optional: competent supervisory authorities can require evidence of compliance and sanction breaches. The regulation also holds the management body personally accountable: it must define, approve and oversee the ICT risk-management framework and bears ultimate responsibility for it, so it cannot delegate that responsibility to the IT or security function.
An often underestimated point: DORA extends to the subcontracting chain. An organization remains responsible for the risk carried by its ICT providers, including its providers' own subcontractors, and outsourcing a service does not outsource the accountability for it.
The pillars of DORA
- ICT risk management: a documented framework, governed at the highest level.
- Incident reporting: harmonized classification of ICT-related incidents, mandatory reporting of major incidents to the competent authority on fixed deadlines (initial notification, intermediate report, final report), and voluntary notification of significant cyber threats.
- Resilience testing: a regular programme of tests (vulnerability assessments, scenario-based tests, penetration tests), plus threat-led penetration testing (TLPT) at least every three years for the entities their competent authority designates.
- Third-party risk management: a register of information on all contractual arrangements with ICT providers, mandatory contractual provisions (including audit and access rights, incident notification and termination conditions), and exit strategies for critical or important functions.
- Information sharing: voluntary exchange of cyber-threat intelligence between entities.
Where organizations most often fall short
Common gaps involve the register of ICT providers, which is often incomplete or not kept up to date, and contractual clauses that fail to cover incident notification, the right to audit and access the provider, or the conditions for terminating and exiting the arrangement. Many entities test their systems, but without the formality and frequency DORA requires, and without feeding the findings into a remediation plan whose progress is tracked and governed by senior management.