Preparing for DORA: Europe's Digital Operational Resilience Act, effective January 17 2025
DORA went live on January 17, 2025. If you are a financial institution in the EU, you need ICT risk management frameworks, resilience testing, incident reporting, and third-party oversight in place. Here's what the regulation requires and how to get compliant.
Europe's financial sector faced a critical deadline on 17 January 2025, when the Digital Operational Resilience Act (DORA) became fully enforceable. DORA is part of the European Union's strategy to strengthen the cybersecurity, risk management, and governance practices of banks, insurance firms, investment brokers, payment processors and other regulated entities. Formal adoption occurred in late 2022, and entities, including third-party ICT service providers, had until the start of 2025 to comply with the new requirements. In essence, DORA transforms operational resilience from a best practice into a legal requirement that touches ICT risk management, incident reporting, resilience testing, and oversight of outsourced technology partners. Teams that fail to prepare face regulatory penalties and reputational damage, while those who align can build trust and operational stability.
Purpose and timeline
DORA fills a gap in the EU regulatory environment: before its adoption there was no unified framework for managing information and communication technology (ICT) risk across the entire European financial sector. Financial services teams had to navigate a patchwork of national laws and supervisory expectations, leading to inconsistent risk mitigation and reporting practices. By harmonising rules across member states, DORA ensures that every financial institution must meet the same high standard for ICT resilience.
The regulation was formally adopted by the Council of the European Union and the European Parliament in November 2022, entered into force on 16 January 2023, and became fully applicable on 17 January 2025—giving entities a two-year setup period to build compliant programs. Financial entities and third-party ICT service providers were required to implement the necessary policies, control frameworks, and reporting channels before enforcement started. DORA's objective is to simplify governance, eliminate overlaps between regulations, and strengthen the overall resilience of the EU financial system.
The regulation emphasizes that operational resilience is not solely an ICT issue but a board-level responsibility. Teams must establish clear lines of accountability for digital risk management, incorporate resilience objectives into enterprise strategy, and document roles and responsibilities.
Regulators expect senior management to oversee the design and effectiveness of ICT risk management frameworks and to embed resilience planning into product development and outsourcing decisions. By transforming resilience into a legal obligation, DORA compels institutions to invest in capabilities that were previously discretionary and to report on their effectiveness to competent authorities and, in some cases, the public.
Core requirements and obligations
DORA introduces a structured set of obligations that span ICT risk management, incident reporting, operational resilience testing, third-party risk, and information sharing. First, financial institutions must develop and maintain an ICT risk management framework tailored to their size, business model, and risk profile. The framework must cover policies for identifying, classifying and mitigating risks, establish performance metrics and key risk indicators, and define regular internal reporting to management bodies. Institutions must also map their ICT assets and processes end-to-end, including on-premises infrastructure, cloud services, networking components, and critical software dependencies. Visibility across the technology stack is crucial for identifying single points of failure and prioritizing remediation.
Second, DORA mandates a strong digital operational resilience testing regimen. Entities must test their ICT systems regularly to assess protections and identify vulnerabilities, with basic tests carried out annually and more advanced threat-led penetration testing (TLPT) performed at least every three years. These tests must be proportionate to the entity's size and risk profile and should simulate realistic cyberattacks and operational disruptions. Results must be documented and reported to competent authorities, and remediation plans must be tracked through completion. Independent third parties may be required to conduct or validate the tests to ensure objectivity.
Third, the regulation imposes strict incident reporting rules. Financial firms must classify incidents based on severity and notify their national competent authorities within tight timelines (often 24 hours) after detecting a major ICT-related event. Reports must include the root cause, impacted services, cross-border effects, immediate containment measures, and planned corrective actions. DORA encourages alignment with existing incident reporting regimes (for example, PSD2, NIS2) to avoid duplication and ensure coherent oversight.
Fourth, DORA sets up a rigorous framework for third-party risk management. Financial entities remain fully responsible and accountable for outsourced ICT services and must actively manage risk across their third-party ecosystem. This involves conducting due diligence on service providers, negotiating exit strategies, auditing performance against agreed-upon metrics, and ensuring that contractual clauses meet regulatory requirements. Institutions must maintain a registry of critical suppliers and notify authorities of any changes. Competent authorities, meanwhile, will oversee ICT service providers deemed critical to the financial system and may impose direct supervisory measures. The regulation also contemplates the development of standardized contractual clauses to simplify procurement across the EU.
Finally, DORA encourages information sharing and collaboration. Financial entities are urged to develop incident-learning processes that include voluntary sharing of threat intelligence, good practices, and lessons learned. Shared information must comply with confidentiality and data-protection regulations such as the General Data Protection Regulation (GDPR). The goal is to create a community-based defense, where timely sharing of indicators of compromise and modus operandi helps prevent cascading failures across the financial ecosystem.
Focus areas and strategic implications
The regulation identifies several focus areas that go beyond basic compliance and guide teams toward building complete operational resilience. These include:
- Service awareness and availability. Institutions must understand their entire IT environment, including third-party suppliers, and ensure that critical services remain available even during cyberattacks, hardware failures, or natural disasters. Business impact analyses should rank services by criticality and define maximum tolerable downtimes, informing redundancy strategies and recovery objectives.
- Risk management. DORA emphasizes continuous risk assessment, prioritized remediation, and board-level governance. Institutions should integrate ICT risk into enterprise risk management frameworks, set risk appetites, and regularly review control effectiveness. Metrics should capture both leading indicators (for example, patch cadence, test coverage) and lagging indicators (for example, incident frequency, mean time to recover).
- Business continuity management. Resilience planning must cover processes, people, and technology. Teams should develop playbooks that coordinate crisis communications, alternative processing arrangements, and manual workarounds when digital systems fail. Cross-training and tabletop exercises help ensure that teams can execute these plans under pressure.
- Incident response and reporting. Rapid detection, triage, and escalation are critical. Firms should invest in monitoring and detection capabilities (for example, SIEM, SOAR, and endpoint detection tools) and define escalation paths that involve legal, compliance, and communications teams. Reporting processes must align with DORA's timelines and support coordination with other regulatory regimes (for example, GDPR, PSD2).
- Third-party oversight. Teams need to centralize information on service providers, map dependencies, and set criteria for what is a critical third party. Contracts should include requirements for incident reporting, resilience testing, data location transparency, and cooperation with supervisory authorities. Exit strategies should be rehearsed to ensure continuity if a provider fails to meet expectations.
- Information sharing. Beyond internal reporting, institutions should participate in sectoral or national sharing initiatives. For example, joining intelligence sharing programs or communities can provide early warning of emerging threats and help align responses across the market.
DORA's strategic implications extend to procurement, budgeting, and organizational culture. Procurement teams must incorporate resilience requirements into vendor selection and contract negotiation. Budgeting cycles need to account for increased spending on testing, monitoring, and contingency planning. Perhaps most importantly, DORA elevates resilience to a strategic objective: boards must champion a culture where operational continuity and cyber preparedness are integrated into day-to-day decision-making rather than delegated solely to IT departments.
Implementation roadmap and recommendations
To stay compliant with DORA, financial institutions should adopt a phased roadmap. First, conduct a gap assessment against DORA requirements: inventory existing ICT risk management processes, incident reporting procedures, testing schedules, and third-party oversight practices. Identify areas where policies, controls, or documentation are missing or inconsistent. Second, prioritize remediation based on risk and resource availability. For example, establishing an incident response plan with clear roles and escalation paths may be more urgent than adopting advanced penetration testing if detection and reporting capabilities are immature. Third, develop a compliance program that includes training for senior management, board reporting templates, and workflows for ongoing monitoring and review. Fourth, engage critical third-party providers to ensure contracts include DORA-aligned clauses, such as mandatory resilience testing, incident notification timelines, and audit rights. Finally, participate in information-sharing initiatives and industry forums to stay informed about emerging threats and evolving supervisory expectations.
As the regulation is now in force, regulators continue publishing guidance and technical standards to clarify expectations. Institutions should monitor updates from the European Banking Authority, the European Securities and Markets Authority, and national competent authorities.
Engagement with regulators—through consultations, supervisory dialogs, or industry associations—can provide clarity on proportionality and good practices. Ultimately, teams that view DORA as an opportunity rather than a compliance burden will gain a competitive advantage, building resilient infrastructures that protect customers and teams and positioning themselves as trusted participants in the digital financial ecosystem.
Assessment
DORA represents a major shift in how European financial services teams approach digital operational resilience. The regulation's full scope—covering ICT risk management, incident reporting, resilience testing, third-party oversight, and information sharing—requires institutions to adopt a complete approach to operational resilience that extends beyond traditional cybersecurity practices.
Organizations that have invested in mature risk management frameworks and established strong relationships with their ICT providers will find the transition more manageable. However, those that have treated operational resilience as a discretionary best practice rather than a strategic priority will face significant challenges in meeting the regulation's requirements.
We recommend that organizations use DORA compliance as a catalyst for broader operational improvements. The discipline required to meet DORA's requirements, namely full asset inventories, rigorous testing programs, clear escalation paths, and strong third-party oversight, will improve overall operational effectiveness and reduce the likelihood of service disruptions regardless of their cause.