This year, the European Union introduced a special regulation designed to counter potential cyber threats that may affect companies operating in the financial sector.
The DORA Regulation, or Digital Operational Resilience Act (Regulation (EU) 2022/2554), is a new EU regulation intended, by the legislator's design, to ensure the digital operational resilience of the financial sector and its associated organizations. DORA was approved at the end of 2022, and 2023 served as a preparatory phase for implementing its new requirements. All provisions of the regulation entered fully into force on January 17, 2025.
Scope of the DORA Regulation
Its main goal is to establish uniform requirements and standards that enable financial institutions to better protect themselves against cyber threats, as well as respond and recover quickly in the event of cyber incidents.
The regulation applies to a wide range of organizations within or linked to the financial sector, namely: banks, insurance companies, investment funds, payment services, crypto exchanges, etc. It covers both large enterprises and small and medium-sized businesses in the financial sector.
Third parties may also fall under the scope of DORA. In other words, technology service providers (for example, cloud services) that offer critical services to financial organizations could be subject to DORA’s requirements.
Unlike approaches that focus primarily on financial risks and capital reserves, DORA requires a systemic strategy for digital resilience. Financial organizations must not only improve their cyber threat defenses, but also develop plans for detecting, controlling, and recovering from disruptions in their information and communication technologies (ICT).
Therefore, DORA prioritizes ICT risks, setting requirements for risk management, incident reporting, resilience testing, and monitoring of risks related to external IT-service providers. This approach underscores the critical role of technology in the financial sector and the potential systemic risks that may arise from ICT failures.
Sectors Covered by the DORA Regulation
DORA affects a wide range of sectors in the EU financial system. Its provisions cover different types of organizations:
- Financial institutions and banks: Companies engaged in accepting deposits, issuing loans, making investments, currency exchange, etc.
- Technology companies working with financial data: Organizations that process or store financial information (including payment processors and fintech startups).
- Large enterprises subject to EU legislation: Large corporations operating in the EU that are obliged to comply with comprehensive financial and regulatory norms, including DORA.
- Small and medium-sized enterprises in the financial sector: SMEs providing financial products and services are subject to the same DORA requirements as larger organizations.
Main Requirements of DORA
The core requirements of the regulation include:
- Management of ICT risks: Organizations must implement and regularly update processes to identify, assess, and manage cyber risks. Such a system should cover the entire ICT lifecycle—from design and development to implementation and decommissioning.
- Mandatory monitoring and testing: This involves regular testing of IT infrastructure (including stress tests and cyber drills) to promptly identify vulnerabilities. The scope of testing should match the risk level of the specific business and can range from basic checks to specialized tests modeled on real cyberattacks.
- Resilience to incidents: Organizations must create and maintain continuity and recovery plans for cyber incidents, detailing internal procedures, roles, and responsibilities in emergency situations.
- Incident reporting: Unified rules for notifying regulatory authorities about information security incidents and cyberattacks aim to improve transparency and the effectiveness of response measures. This ensures that ICT-related issues are quickly detected, thoroughly documented, and addressed promptly to minimize potential damage. A detailed incident log must be maintained and made available to regulators on request.
- Interaction with suppliers: Organizations must control and monitor risks that may arise from dependencies on external technology partners (e.g., cloud providers). They are responsible for ensuring that these suppliers can maintain the necessary level of resilience and for verifying that suppliers’ activities comply with DORA requirements.
Objectives and Benefits
DORA seeks to unify and standardize the approach to information security and operational resilience in the financial sector across the EU. By setting a uniform standard, DORA aims to enhance protection against cyber threats, increasing resilience to cyberattacks and reducing risks associated with financial losses and reputational damage.
Stricter rules and greater transparency will, in turn, increase client trust in financial organizations. A single set of rules also simplifies the regulatory landscape, as companies will not need to navigate multiple national requirements simultaneously.
Thus, the DORA Regulation is intended to boost cyber resilience and ensure the reliability of financial services throughout the EU, protecting both organizations and their customers from contemporary cyber threats and technological risks.
Sanctions for Non-Compliance
The Digital Operational Resilience Act (DORA) provides for significant sanctions for non-compliance. These include administrative fines that can reach up to 1% of the average daily worldwide turnover; the fine can furthermore increase for each day of non-compliance until all violations are corrected. In addition to fines, non-compliance can harm a company's reputation and result in loss of trust from clients, investors, and other stakeholders.
Violations of DORA may lead to intensified oversight by regulators. Failure to meet DORA requirements can also cause service and operational disruptions, negatively affecting customer satisfaction and reputation. In exceptional cases involving serious violations, those responsible for decision-making may face criminal liability.
It is crucial to understand that these sanctions are not mutually exclusive. A company may simultaneously face multiple consequences: fines, reputational damage, and potential criminal measures.
To avoid such penalties, financial institutions must proactively ensure compliance with DORA. This includes regular risk assessments, developing incident response plans, testing resilience, and monitoring third-party risks.
Contact Us
Eesti Firma is a company engaged in legal support and consulting for enterprises operating in the digital assets market. By taking into account the individual characteristics of each client, Eesti Firma is ready to provide consultation and clarification on how the DORA Regulation applies in practice.