The Digital Operational Resilience Act (DORA) officially came into force on 17 January 2025, setting a new benchmark for cybersecurity and ICT resilience in Europe’s financial sector.
If you’re a financial institution – or a critical third-party ICT provider working with one – the most pressing question is no longer ‘What is DORA?’ but rather: ‘Am I compliant with DORA?’
In this guide, we’ll break down what compliance means in practice, the key requirements you must meet, and the steps to ensure your organisation is DORA-ready.
Topics we will discuss include:
- What is the Digital Operational Resilience Act (DORA)?
- The purpose of the DORA regulation
- The scope of DORA
- The cost of non-compliance with DORA
- How will DORA impact financial institutions?
  - DORA and the EU
    - Enhanced cybersecurity and resilience
    - Harmonised regulations
    - Regulatory compliance costs
    - Third-party risk management
    - Increased market confidence
  - DORA and the UK
    - Regulatory divergence
    - Alignment with DORA principles
    - Competitive advantage
    - Third-party relationships
    - Potential regulatory updates
- How to stay ahead of DORA
What is the Digital Operational Resilience Act (DORA)?
On 24 September 2020, the European Commission published the first draft of the Digital Operational Resilience Act (DORA), a regulatory framework aimed at strengthening the European financial sector’s resilience to ICT-related incidents.
Key provisions of DORA include:
- ICT risk management: Financial entities must establish and maintain robust ICT risk management frameworks. These include strategies, policies, procedures, and governance.
- Incident reporting: Under DORA, entities are required to promptly report significant ICT-related incidents to relevant authorities, as well as provide regular updates.
- Digital operational resilience testing: Regular testing must be conducted to ensure that ICT systems, policies, and processes can handle operational disruptions. This includes penetration testing and scenario-based testing.
- Third-party risk management: Financial entities must meet resilience requirements by managing risks associated with third-party ICT service providers. This includes monitoring service providers and conducting due diligence.
- Information sharing: Financial entities are encouraged to share cyber threat information to improve collective cybersecurity resilience.
- Governance: Clear governance requirements are established, ensuring that the management body of a financial entity is accountable for the oversight of ICT risk management.
DORA was adopted by the EU on 24 November 2022. The main provisions of DORA will apply from 17 January 2025. By this date, relevant financial entities and their critical third-party technology providers must implement the technical standards established by DORA.
The purpose of the DORA regulation
The primary objectives of the DORA regulation are to:
- Enhance cybersecurity: By establishing specific requirements for managing cyber risks, DORA seeks to improve the cybersecurity posture of financial entities within Europe.
- Ensure operational resilience: DORA aims to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related threats and disruptions.
- Harmonise regulations: DORA seeks to create a consistent and harmonised regulatory framework across Europe.
Before DORA, in the absence of EU-level ICT risk management rules, EU member states issued their own requirements. This, however, resulted in a patchwork of regulations difficult for financial entities to navigate.
With DORA, the EU aims to establish a universal framework for managing and mitigating ICT risks in the financial sector. A shared set of rules across EU member states makes it easier for financial entities to comply and simultaneously improves resilience across the EU financial sector.
The scope of DORA
The Digital Operational Resilience Act applies to all financial institutions in the EU. These include a wide range of financial entities, such as:
- Payment service providers
- Banks and credit institutions
- Cryptocurrency service providers
- Investment firms and trading venues
- Insurance and reinsurance companies
Notably, DORA also applies to certain entities typically excluded from financial regulations, such as third-party service providers that supply financial entities with ICT systems and services. DORA also covers firms that provide critical third-party information services, including data analytics providers and credit rating services.
The cost of non-compliance with DORA
Non-compliance with DORA carries serious consequences that extend well beyond regulatory penalties.
At the most immediate level, national regulators across the EU now have the authority to impose fines and sanctions on financial institutions that fail to meet the requirements. In severe cases, they may even restrict or suspend parts of an institution’s operations until adequate resilience measures are in place.
The risks, however, are not purely regulatory. Failure to comply also exposes firms to legal and contractual consequences, particularly if an ICT-related incident results in financial loss for clients or breaches agreements with partners. Furthermore, weak digital resilience increases the likelihood of costly service disruptions, data breaches, or fraud – events that can quickly escalate into significant financial losses due to downtime, remediation, and compensation.
Perhaps the greatest cost, though, is reputational. In a sector built on trust, customers and investors expect institutions to demonstrate robust operational resilience. A high-profile failure, especially one linked to shortcomings in DORA compliance, can damage credibility for years and push clients toward competitors who can provide stronger protections.
In this sense, compliance is not just about avoiding fines; it’s about safeguarding business continuity, protecting customer trust, and preserving long-term competitiveness.
How will DORA impact financial institutions?
DORA will significantly impact the financial sector—and not just within the EU. UK financial entities with EU operations will also need to navigate the DORA regulations.
DORA and the EU
The unified framework of DORA enhances the overall integrity and operational resilience of the EU financial sector.
The DORA regulation will impact EU financial institutions in the following ways:
Enhanced cybersecurity and resilience
DORA sets out to create a safer, more resilient financial sector within the EU. This means that financial entities will need to invest in better ICT infrastructures and practices to help prevent and mitigate the impact of ICT incidents.
Harmonised regulations
By providing a unified regulatory framework, DORA helps eliminate discrepancies in how different EU member states handle digital operational resilience. This uniformity makes it easier for financial institutions operating in multiple countries to comply with regulations and improve overall regulatory coherence within the EU.
Regulatory compliance costs
Financial institutions within the EU will incur costs related to DORA compliance. Examples of such costs include investments in new technology, staff training, and adjustments to existing processes to ensure they meet the new regulatory requirements.
Third-party risk management
With its emphasis on managing risks associated with third-party ICT service providers, DORA will compel financial entities to conduct thorough due diligence and continuous monitoring of their service providers. This will enhance the overall security of the supply chain.
Increased market confidence
The strengthening of security and resilience within the financial sector is expected to boost confidence among consumers and investors. This can potentially lead to a more stable financial market.
In short, the DORA regulation enhances the cybersecurity and operational resilience of the EU financial sector. It harmonises regulations across member states, reducing discrepancies and compliance complexities for multinational entities.
DORA may impose compliance costs, but it also boosts market confidence by creating a safer, more stable financial environment. This way, the unified framework strengthens the overall integrity and resilience of the EU financial system.
DORA and the UK
UK financial institutions operating in the EU must adhere to both UK and EU regulations.
This means that the DORA regulation will impact UK financial institutions in the following ways:
Regulatory divergence
Post-Brexit, the UK is no longer bound by EU regulations, including DORA. However, UK financial institutions that operate within the EU or have EU customers will still need to comply with the DORA regulations for their EU-based operations.
This situation creates a dual regulatory burden for such entities, as they’re required to comply with both UK and EU regulations.
Alignment with DORA principles
With the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), the UK has its own regulatory framework for operational resilience. It’s not identical to the DORA regulation, but there are a number of shared principles, including robust ICT risk management and incident reporting. The UK may consider aligning its regulations further with DORA to reduce compliance complexity and facilitate smoother cross-border operations for firms operating in both jurisdictions.
Competitive advantage
When dealing with EU clients, UK financial institutions that comply with DORA may leverage their compliance as a competitive advantage, showcasing their adherence to stringent security and resilience standards.
Third-party relationships
Similar to the EU, UK financial entities will need to ensure that their third-party service providers meet the necessary resilience standards. To do so, UK firms may be required to adopt practices and standards closely aligned with DORA – particularly if their service providers are based in the EU.
Potential regulatory updates
In response to DORA, the UK might update its own operational resilience standards to ensure that its financial sector remains competitive and to facilitate regulatory equivalence arrangements with the EU, which could simplify cross-border financial services.
In short, DORA impacts UK financial institutions in a number of ways. It imposes dual regulatory compliance and may prompt the UK to align its resilience standards with DORA to simplify cross-border operations.
As compliance with DORA can be a competitive advantage, the UK might update its regulations to ensure competitiveness and regulatory equivalence with the EU.
How to stay ahead of DORA
For financial institutions, DORA is not a one-off compliance project. It’s about embedding digital resilience into the DNA of your organisation. That means:
- Continuously improving ICT management
- Building strong third-party monitoring processes
- Investing in ongoing resilience testing
- Staying informed about regulatory updates and sector-wide best practices
Staying ahead of DORA means treating compliance as an ongoing process – not a one-time project. By embedding resilience into everyday operations, strengthening oversight of ICT risks, and keeping pace with regulatory updates, financial institutions can not only remain compliant but also turn operational resilience into a strategic advantage.
Stay compliant – stay resilient
At Brite Payments, we understand that compliance is more than a regulatory requirement – it’s the foundation of trust and long-term stability in the financial services industry. If you’d like to learn more about the regulatory landscape, visit our resource pages for additional related materials, including our PSD3 Explainer.