DORA Enhances IT and Legal Security in the Financial Sector
With the Digital Operational Resilience Act, or DORA for short, which came into force in January 2023 and became legally binding two years later, the EU has created a regulation designed to strengthen the digital resilience of financial and insurance companies.
Key Takeaways
- DORA since January 2023: Digital Operational Resilience Act – an EU regulation for digital resilience in the financial sector.
- Legally binding since January 2025: All affected companies must now comply with the requirements.
- Affected entities: Banks, insurance companies, trading venues, credit rating agencies, and their ICT service providers.
- Core obligations: IT risk management, incident reporting, resilience testing, and third-party monitoring.
- Personal liability: Managing directors are responsible for implementation.
What is Digital Resilience?
DORA, the Digital Operational Resilience Act, represents a crucial step toward greater IT and legal certainty in the banking and insurance industries, on trading platforms, and among credit rating agencies, as well as among ICT service providers and crypto-asset service providers.
The European Commission, which initiated this regulation, aims primarily to strengthen digital resilience across organizations and has established a standardized framework for how these entities should respond to cyber threats and IT disruptions.
Good Law Takes Time
Like other EU regulations, DORA, part of the Commission's Digital Finance Package, officially entered into force on January 16, 2023, following its publication in the Official Journal at the end of 2022. As a regulation it applies directly in every member state without national transposition, but it provides a two-year transition period before its obligations apply. Accordingly, affected companies and financial supervisory authorities have had to comply with DORA's requirements since January 17, 2025.
DORA is approaching: companies and authorities must now strengthen digital resilience! Image source: Adobe Stock/ yakub
The full title, "Regulation on Digital Operational Resilience for the Financial Sector and Amending Regulations," reveals that the primary focus is on bolstering digital resilience within the financial sector. However, ICT third-party service providers also bear responsibility. The European Commission aims to reduce vulnerability to cyber threats and disruptions across the entire financial sector value chain and to ensure that affected organizations can respond appropriately.
What the Regulation Entails
According to Security Insider, the 79-page regulation also incorporates national requirements, such as those issued by BaFin (Federal Financial Supervisory Authority) and the BSI (Federal Office for Information Security). However, it introduces new elements as well. Broadly speaking, the Digital Operational Resilience Act (DORA) covers five core areas:
- Establishing a framework for ICT risk management
- Handling, classification, and reporting of ICT incidents
- Testing operational resilience
- Managing third-party risks
- Creating an oversight framework for critical ICT third-party service providers
ICT risk management is now anchored in law, rather than being merely an administrative guideline. Overall responsibility generally lies with the executive management of the financial or insurance institution. These entities are obligated to continuously monitor, control, and update their own IT systems. Furthermore, companies must define and implement strategies for backup and recovery, as well as maintain risk documentation for internal and external audits.
Responsibility remains with financial institutions
DORA requires: Financial institutions are responsible – even for their IT service providers! Image source: Adobe Stock/ lovelyday12
DORA also mandates procedures for classifying ICT-related incidents, reporting those classified as major to the competent authority, and reviewing IT systems with appropriate testing methods. Entities of systemic importance face higher requirements here, including threat-led penetration testing (TLPT) of live production systems.
A key component of the regulation is that financial institutions must extend their risk management to the ICT service providers they depend on, while critical ICT third-party service providers fall under a supervisory oversight framework that grants the EU supervisory authorities extensive powers.
Regarding the scope of application of the affected companies mentioned above, DORA allows for national exceptions for development banks. Otherwise, the regulation is binding for companies in the financial and insurance sectors.
Given the mandatory measures and the ever-shortening timeframe, it is essential to have a strong and competent partner on your side.
Key Facts at a Glance
In Force: January 2023, legally binding since January 2025
Affected: Banks, insurance companies, securities firms, rating agencies, IT service providers
Main Areas: IT Risk Management, Incident Reporting, Resilience Testing, Third-Party Oversight
Mandatory Reporting: Major ICT incidents require an initial notification within 4 hours of being classified as major, and no later than 24 hours after the entity becomes aware of the incident
Penalties: Revenue-dependent fines, personal liability of the management
Fact: According to the BKA, cybercrime caused damages of over 206 billion euros for German companies in 2024.
Fact: The number of newly discovered malware variants per day is over 450,000, according to AV-TEST.
Frequently Asked Questions
What is DORA?
The Digital Operational Resilience Act is an EU regulation that strengthens the digital resilience of financial institutions. Unlike a directive, DORA applies directly in all EU member states without the need for national implementation.
Who is affected by DORA?
All regulated financial institutions: banks, insurance companies, securities firms, trading venues, credit rating agencies, payment service providers, and their critical IT service providers. Cloud providers and data centers that serve financial services providers are also subject to the regulation.
How does DORA differ from NIS2?
DORA is sector-specific for the financial industry, while NIS2 applies across sectors. In many areas, DORA goes beyond NIS2 – for example, in requirements for resilience tests and third-party monitoring. For financial institutions, DORA takes precedence as a more specific law.
What do companies have to do specifically?
Establish a comprehensive ICT risk management framework, implement incident response processes that can classify incidents and file the initial notification for major ones within 4 hours of classification, conduct regular resilience tests (including penetration tests), and monitor and contractually secure all critical ICT service providers.
What role do ICT service providers play under DORA?
Critical ICT service providers will be directly monitored by EU supervisory authorities for the first time. Financial institutions must maintain a register of all ICT third parties, assess concentration risks, and have exit strategies in place.
Further Reading in the Network
NIS2 – the cross-industry perspective: NIS2: Act now (Security Today)
Cloud compliance for financial institutions: cloudmagazin.com
Digital resilience as a management responsibility: digital-chiefs.de
Source of cover image: Adobe Stock / Maxim