DORA – The EU Digital Operational Resilience Regulation (Updated 2026)

The Digital Operational Resilience Act (DORA) is one of the most significant regulatory initiatives introduced by the European Union in the financial sector. Its objective is to strengthen the digital and operational resilience of financial entities against the continuously increasing risks arising from disruptions to information systems and cyber-attacks.

The Regulation entered into force on 16 January 2023 and became fully applicable as of 17 January 2025, requiring all in-scope entities to comply with the new digital operational resilience standards.

Why Is DORA Important?

DORA makes it mandatory for financial institutions to establish a comprehensive ICT risk management framework. This requirement stems from the growing dependence of financial services on information and communication technologies, which has increased exposure to cyber threats, system outages and operational disruptions.

For the first time, the EU financial sector operates under a single, horizontal regulatory framework for managing technology-related risks, harmonising resilience practices across the Union and significantly reducing regulatory fragmentation.

Scope of Application and Affected Entities

DORA applies to a very broad range of entities operating in the financial sector, including, among others:

  • Banks and credit institutions
  • Financial institutions and investment firms
  • Insurance and reinsurance companies
  • Crypto-asset service providers (CASPs)
  • Alternative investment fund managers
  • Payment institutions and electronic money institutions
  • Data reporting service providers
  • Crowdfunding service providers and ICT third-party providers
  • Trading venues, central securities depositories (CSDs), central counterparties (CCPs) and credit rating agencies

In addition, the Regulation introduces a dedicated supervisory framework for critical ICT third-party service providers (such as cloud service providers), even where they are headquartered outside the EU. In certain cases, such providers may be required to establish subsidiaries within the EU to enable effective supervision.

The Five Pillars of DORA Compliance

Compliance with DORA is structured around five (5) core pillars that shape the regulatory framework:

1. ICT Risk Management

Adoption of comprehensive governance frameworks for the identification, assessment and monitoring of ICT risks.

2. ICT Incident Management, Classification and Reporting

Systematic monitoring, evaluation and timely reporting of major ICT-related incidents to the competent supervisory authorities.

3. Digital Operational Resilience Testing

Performance of extensive testing activities – including advanced scenario-based testing and penetration testing – to verify the resilience of ICT systems.

4. ICT Third-Party Risk Management

Enhanced oversight and assessment of risks arising from ICT service providers, supported by specific contractual and operational requirements.

5. Cyber Threat Information Sharing

Mechanisms for the exchange of threat intelligence and information on cyber vulnerabilities, aimed at strengthening collective resilience across the financial sector.

Current Developments and Challenges (2025–2026)

Since DORA became fully applicable on 17 January 2025, it has established a new regulatory benchmark for digital resilience in the financial sector. However, its full operational embedding remains an ongoing process.

A key development has been the designation of critical ICT third-party infrastructure providers by European supervisory authorities, including global technology firms offering cloud services and key support platforms. These providers are now subject to direct EU-level oversight, with a focus on governance, systemic concentration risk and operational resilience.

At the same time, during 2025–2026, initiatives have been launched to align DORA with other EU digital regulatory frameworks, such as the proposed Digital Omnibus, which aims to streamline and simplify rules relating to artificial intelligence, data protection and cybersecurity, and may lead to adjustments in incident reporting processes.

What DORA Means in Practice for Financial Institutions

For financial institutions, DORA compliance goes far beyond the implementation of technical security measures. It requires substantive organisational, technical and governance adjustments, including:

  • Strengthening IT and cybersecurity governance structures
  • Implementing systems for the prevention, detection and management of ICT incidents
  • Continuous resilience testing and third-party risk assessment
  • Training staff and management teams to ensure effective incident reporting and information sharing

Conclusion

DORA is not merely another regulatory obligation, but a strategic framework for enhancing operational resilience and corporate governance within the financial sector. Effective compliance requires active involvement of the Board of Directors, clear allocation of responsibilities, well-documented processes and continuous assessment of technological and operational risks.

In an environment of increasing digitalisation and interconnectedness, resilience is no longer optional; it is a fundamental prerequisite for sustainability, credibility and supervisory trust. Organisations that approach DORA as an opportunity for improvement rather than a simple compliance exercise will be best positioned to stand out in terms of resilience, governance and long-term value creation.

The content of this article is intended solely for general information purposes and does not constitute, and should not be construed as, professional advice or a formal opinion.

© 2026 DKA FINANCIAL CONSULTANTS LTD. All rights reserved.
