
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA) has applied since 17 January 2025, after entering into force on 16 January 2023. The Regulation aims to enhance the ability of the financial sector to deal with ICT-related disruptions and cyber threats by creating a uniform framework for all the EU Member States. DORA applies to a broad range of financial entities and ICT third-party service providers, and it essentially mandates strong ICT risk management, ICT-related incident management, classification, reporting, digital operational resilience testing, ICT third-party risk management, oversight of critical ICT third-party service providers and information sharing.

In 2024, implementation of the Regulation was supported by the European Supervisory Authorities (ESAs) releasing two batches of key Technical Standards and Guidelines. Among other things, these measures clarify the requirements for ICT risk management, incident reporting, third-party governance and advanced testing protocols, thereby promoting harmonisation and compliance readiness across the financial sector.

The Regulation and its implementing measures, inter alia, stress the importance of enhancing third-party risk management through stricter oversight of critical ICT third-party service providers and of fostering greater contractual and operational transparency. The emphasis on standardising ICT incident reporting processes aims to improve coordination between financial entities and competent authorities, thus promoting rapid responses to emerging threats. Furthermore, mandatory resilience testing, including advanced threat-led penetration tests,[1] is intended to proactively uncover vulnerabilities and drive the sector towards stronger cybersecurity defences.

At the heart of DORA lies the aim of fostering a culture of accountability and preparedness in the financial sector. However, it is important to keep in mind that such high standards of operational resilience may encounter practical challenges. DORA’s requirements emphasise continual improvement, for instance by requiring institutions to maintain detailed records of ICT incidents and to conduct regular reviews of their risk management practices. In terms of implementation, however, and especially for smaller entities, the obligation to produce documentation within an extensively defined reporting framework (for example in cyber incident management) could delay the reporting process itself where it is not supported by sufficient internal capability.

Furthermore, implementation of DORA is also likely to strengthen collaboration between financial entities and competent authorities, to enhance cybersecurity awareness and to encourage the integration of advanced risk management tools. This forward-looking approach aligns with the broader objective of creating a resilient financial ecosystem that can effectively navigate both current and emerging threats. However, once again, it should be recognised that financial entities will need to make significant adjustments to meet their compliance obligations, potentially exposing operational and technical gaps that take time and resources to address. On this note, in spite of the rules on the simplified ICT risk management framework and some targeted exclusions (e.g. those related to microenterprises), smaller financial entities may indeed struggle to meet the costs and find the expertise required for compliance, potentially leading to disparities across the sector. Moreover, while DORA introduces strong oversight mechanisms, it cannot entirely eliminate systemic risks, particularly those arising from dependencies on a concentrated number of critical ICT third-party service providers. Finally, the overarching challenge of regulating technologies and the digital world as a whole could also come into play when implementing DORA: ensuring regulatory compliance and oversight while taking care not to stifle innovation.

Achieving a balance between robust supervision and operational flexibility could then be the key to DORA’s long-term success, but it is likely to require a coordinated effort in terms of monitoring, collaboration and refinement as the regulatory landscape evolves.

[1] Threat-led penetration testing is a type of information security test in which a system is tested by simulating the approach of an attacker. By mimicking the tactics of a potential attacker, it aims to identify vulnerabilities and the security measures needed to address them.
