Understanding DORA
If you're in financial services, DORA is already in force. Here's what it means in practice.
DORA, the Digital Operational Resilience Act, is an EU regulation that requires financial institutions to be able to withstand, respond to, and recover from IT disruptions, whether that's a cyber attack, a system failure, or a critical supplier going offline.
Unlike a directive (which each EU country implements differently), DORA is a regulation. It applies directly and uniformly across the EU, and has been in force since 17 January 2025.
The financial sector runs on technology. If that technology fails, the consequences ripple through the entire economy. DORA ensures that financial organisations don't just hope their IT holds up. They prove it.
Who does DORA apply to?
Financial entities
- Banks and credit institutions
- Insurance and reinsurance companies
- Investment firms
- Payment service providers
- E-money institutions
- Pension funds
- Crypto-asset service providers
- Credit rating agencies
- Securities exchanges
ICT service providers
DORA doesn't stop at financial institutions. If you provide cloud, software, data, or infrastructure services to the financial sector, DORA affects you too, either directly (if you are designated as "critical") or indirectly through the contractual requirements your clients must impose on you.
Proportionality applies: requirements scale with your size, complexity, and risk profile.
DORA vs NIS2
If your organisation falls under DORA, it is exempt from NIS2 for cybersecurity. DORA is considered the more specific regulation. However, if you operate in both the financial sector and other sectors covered by NIS2, you may need to comply with both for different parts of your business.
The five pillars of DORA
DORA is built around five core requirements.
1. ICT risk management
You need a comprehensive framework for identifying, managing, and mitigating IT risks. That includes documented policies, defined roles and responsibilities, regular risk assessments, and business continuity planning. Your board must be actively involved, not just signing off but understanding and overseeing.
2. Incident reporting
Major IT-related incidents must be reported to your supervisory authority. DORA standardises what "major" means and how quickly you must report. You also need solid internal processes for detecting, classifying, and escalating incidents.
3. Resilience testing
You can't just claim your systems are resilient. You have to test it. DORA requires regular testing, including scenario-based drills. For significant financial institutions, this extends to threat-led penetration testing (TLPT): real-world attack simulations conducted by qualified teams.
4. Third-party risk management
If you rely on external IT providers (and almost everyone does), you need structured oversight. Maintain a register of all ICT service provider arrangements, conduct due diligence, include specific clauses in contracts (audit rights, exit strategies, incident notification), and continuously monitor provider performance.
5. Information sharing
Financial entities are encouraged to share cyber threat intelligence with peers and authorities. The regulation creates a framework for structured, trusted information exchange about threats and vulnerabilities across the sector.
Penalties
Regulators can impose:
- Fines up to 2% of annual global turnover or EUR 10 million for entities
- Fines up to EUR 1 million for individual senior managers
- Operational restrictions and public statements
For critical ICT service providers, the European Supervisory Authorities can impose additional oversight and remediation requirements.
What should you do now?
DORA is not a future obligation. It's already here. If you haven't started, the time is now.
- Assess your scope - Confirm which DORA requirements apply to your organisation and at what level.
- Review ICT risk management - Do you have a documented, board-approved framework covering all the areas DORA requires?
- Map your third parties - Build the register of ICT service provider arrangements and assess the risk each one represents.
- Check your contracts - Do your ICT provider agreements include audit rights, exit strategies, and incident notification?
- Plan your testing - Establish a resilience testing programme, including preparation for TLPT if applicable.
- Prepare your board - Ensure leadership understands their oversight role under DORA.
How EnableNext can help
We help financial organisations and their IT providers make DORA practical, turning regulatory requirements into security measures that genuinely improve resilience.
- DORA readiness assessment - Understand where you stand and what needs attention first.
- ICT risk management - Build or strengthen your approach to IT risk with frameworks that work in practice.
- Third-party risk management - Set up registers, assess providers, and fix contracts to meet DORA requirements.
- Resilience testing strategy - Design and prepare for testing programmes including threat-led penetration testing.
Need help with DORA compliance?
Get in touch to discuss how DORA applies to your organisation.