On January 17, 2025, the Digital Operational Resilience Act (DORA) officially came into effect, marking a significant milestone in the regulatory environment for financial services and technology providers in the European Union.
If you’re a CEO or CISO, understanding DORA is no longer optional; it’s essential. This regulation is reshaping how organizations approach digital risk and operational resilience. Here’s what you need to know:
Who Does DORA Apply To?
DORA applies broadly to a range of financial entities and their third-party ICT (Information and Communications Technology) providers. This includes:
- Banks, investment firms, insurance companies, and credit institutions
- Payment service providers and e-money institutions
- ICT service providers that play a critical role in the financial sector
If your organization operates within the EU financial system or provides ICT services to financial institutions, you are directly impacted by DORA’s requirements.
What Does DORA Require?
At its core, DORA sets out clear expectations for operational resilience in the face of digital risks. The regulation focuses on five key areas:
- ICT Risk Management: Organizations must establish robust frameworks to identify, manage, and mitigate digital risks effectively.
- Operational Resilience Testing: Regular testing of systems, processes, and procedures to ensure they can withstand cyber threats and disruptions.
- Incident Reporting: Standardized processes for reporting significant ICT-related incidents to authorities.
- Third-Party Risk Management: Oversight and accountability for third-party ICT providers, with mandatory contractual obligations and monitoring.
- Information Sharing: Encouraging collaboration across the financial sector to enhance cyber threat intelligence.
Why CEOs and CISOs Should Take Action
DORA isn’t just about regulatory compliance; it’s about safeguarding your organization’s operations, reputation, and stakeholders. CEOs and CISOs have a pivotal role in driving their organizations’ compliance strategies and ensuring their teams are ready to meet the regulation’s demands.