The Digital Operational Resilience Act (DORA) is a European Union regulation that took effect on January 17, 2025. DORA aims to enhance the cyber resilience of financial institutions and strengthen operational continuity by ensuring banks, insurers, and investment firms can withstand, respond to, and recover from cyber threats. Introduced in response to the growing threat of cyber attacks, the Act mandates a unified approach, requiring financial services to implement consistent digital risk management mechanisms.
DORA aims to create a shared set of rules addressing digital operational resilience across the EU financial sector. By doing so, it seeks to reduce fragmentation and inconsistencies arising when multiple regulations are applied across different member states (a concept known as harmonization). This uniformity aims to protect European financial markets against disruptions.
You can find the official text of the DORA legislation here.
This is part of a series of articles about DevOps.
Purpose of DORA
The Digital Operational Resilience Act (DORA) establishes a standardized approach to managing information and communication technology (ICT) risk in the financial sector across the European Union.
Before DORA, the regulations governing digital risk management varied from one EU member state to another, leading to inconsistencies and complexity for financial institutions operating in multiple jurisdictions. DORA aims to remove these inconsistencies by harmonizing the ICT risk management rules, making compliance easier across the EU.
DORA ensures that financial entities—such as banks, insurance companies, and even non-traditional financial entities like crypto-asset providers—are held to the same standard in managing digital risks.
Current status of DORA
DORA was introduced by the European Commission in September 2020 as part of a broader effort to strengthen the EU’s digital financial infrastructure. After undergoing the legislative procedure, it was formally adopted by the European Parliament and the Council of the European Union in November 2022. The regulation set a deadline of January 17, 2025 for financial entities and third-party ICT service providers to comply with its requirements.
In 2024, the official “policy products” of the DORA regulation were delivered (see details about the first set and second set of policy documents), prepared by the European Supervisory Authorities (ESAs), which include regulatory bodies like the European Banking Authority and the European Securities and Markets Authority. These documents include regulatory technical standards (RTS) and implementing technical standards (ITS) that covered entities must follow. The European Commission has also created an oversight framework for critical ICT providers.
Which organizations does DORA apply to?
The Digital Operational Resilience Act (DORA) has an extensive scope, covering both financial institutions and their key ICT service providers. DORA applies to 21 specific categories of organizations, including a wide range of financial entities and third-party service providers critical to their operations.
Financial institutions under DORA’s regulation include:
- Traditional entities like credit institutions (banks), investment firms, insurance and reinsurance companies, and payment institutions.
- Non-traditional financial services, such as crypto-asset service providers, issuers of asset-referenced tokens, and electronic money institutions.
- Other financial entities, including investment fund managers, central counterparties, central securities depositories, trade repositories, and trading venues.
- Third-party ICT service providers, including those delivering essential technology services like cloud computing and data reporting.
Under the DORA regulation, ICT providers operating outside the EU but servicing EU financial entities must establish a local subsidiary within the EU to ensure compliance.
DORA penalties for noncompliance
The Digital Operational Resilience Act (DORA) establishes a strict penalty regime to enforce compliance and uphold digital resilience in the financial sector. Noncompliance can result in significant financial and operational consequences.
DORA imposes steep financial penalties on organizations that fail to meet its requirements. Institutions found in breach of the Act may face fines of up to 2% of their total annual worldwide turnover or up to 1% of their average daily global turnover. In cases where individual fines apply, penalties can reach as high as €1 million.
Critical third-party ICT service providers, which play a role in maintaining the digital operations of financial entities, can face even higher fines. For companies, the penalties can be up to €5 million, while individuals within these providers may face fines of up to €500,000.
While these penalties are severe, they are generally lower than those imposed under the General Data Protection Regulation (GDPR), where violations can result in fines of up to €20 million or 4% of a company’s global turnover, whichever is higher.
The enforcement of these penalties falls under the jurisdiction of the European Supervisory Authorities (ESAs), including bodies like the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA). These authorities are granted extensive supervisory powers, allowing them to investigate breaches and impose sanctions. They are also responsible for ensuring transparency by publishing notices of administrative penalties.
DORA Pillars and Security Requirements
The Digital Operational Resilience Act (DORA) outlines requirements across five key pillars to ensure that financial institutions and their critical ICT service providers can manage and withstand digital disruptions. These requirements cover:
- ICT risk management: Financial entities must establish frameworks for identifying, assessing, and mitigating technology-related risks. This includes continuously monitoring systems, implementing security measures, and developing strategies to address existing and emerging threats. Proper documentation and communication of these risks across the organization are also required to ensure effective mitigation.
- Incident reporting: DORA mandates a structured approach to classifying and reporting significant ICT incidents. Financial institutions must quickly identify and address these incidents, using standardized formats for reporting to regulatory authorities.
- Digital operational resilience testing: Institutions must regularly test their systems through threat-led penetration testing and scenario-based drills to assess their ability to withstand cyber attacks. The results of these tests should be documented, and any vulnerabilities must be addressed promptly.
- Third-party risk management: DORA requires financial institutions to ensure their third-party ICT service providers comply with the Act’s regulatory standards. This includes conducting due diligence, continuously monitoring the provider’s compliance, and setting clear contractual obligations related to security and incident reporting. Institutions must also have exit strategies in place to handle the termination of third-party contracts without compromising their operational continuity.
- Information-sharing arrangements: DORA encourages the financial sector to collaborate by sharing information about cyber threats and vulnerabilities. This fosters a coordinated approach to threat management, enabling financial institutions to benefit from collective intelligence and better protect against cyber threats.
Best practices to stay compliant with DORA
Assess your current compliance status
Start with a thorough assessment of your organization’s current digital resilience practices. Conduct a gap analysis to measure alignment with DORA’s requirements, focusing on ICT risk management, incident reporting, third-party risk management, and resilience testing. Evaluate whether existing policies, tools, and procedures meet the standards outlined in DORA and identify areas requiring enhancement.
To ensure a comprehensive review, engage all relevant stakeholders, including IT, compliance, risk management, and legal teams. Use established assessment frameworks and regulatory checklists to track compliance readiness. This process helps prioritize actions, such as strengthening security tools or updating contracts with service providers, to bridge identified gaps.
Implement controls and safeguards
Deploy a wide range of controls to enhance your organization’s ability to mitigate ICT risks and ensure operational continuity. To reduce vulnerabilities, focus on implementing tools like advanced endpoint protection, identity and access management (IAM) systems, and real-time threat detection technologies.
Ensure that ICT risk management frameworks include documented risk identification, mitigation, and reporting procedures. Conduct regular vulnerability scans and maintain detailed records of actions taken to address identified weaknesses. Enhance your incident response capabilities by establishing clear playbooks tailored to likely scenarios, such as ransomware attacks or data breaches, ensuring compliance with DORA’s reporting and recovery timelines.
Implement a third-party risk management program
Develop a robust program to manage and monitor risks associated with third-party ICT providers. This includes conducting due diligence before onboarding new vendors to assess their compliance with DORA’s security and resilience standards. Require vendors to provide evidence of compliance, such as certifications, audit reports, and adherence to service-level agreements (SLAs) that address security and resilience measures.
Once a provider is onboarded, use continuous monitoring to ensure ongoing compliance. Automate risk assessment processes where possible and schedule regular independent audits to identify vulnerabilities. Establish detailed exit strategies to handle the termination of third-party contracts without causing operational disruptions, as required under DORA.
Commit to continuous monitoring and improvement
Adopt technologies and frameworks to ensure your organization can monitor compliance in real-time. Implement security information and event management (SIEM) systems that provide centralized visibility into ICT assets, threat activity, and incident response effectiveness. Use these tools to identify trends, track anomalies, and proactively address emerging risks.
In addition to automated monitoring, regularly update your risk management framework and incident response strategies to reflect lessons learned from audits, resilience testing, and real-world events. Use metrics such as key performance indicators (KPIs) and key risk indicators (KRIs) to measure progress and adapt to changes in the threat landscape or regulatory updates.
Create a culture of cyber resilience
Foster an organizational mindset that prioritizes resilience as a continuous, shared responsibility. Conduct tailored training sessions that educate employees at all levels about their roles in maintaining digital resilience and adhering to DORA’s requirements. Ensure staff are well-versed in recognizing threats like phishing attacks and responding effectively to incidents.
Encourage cross-functional collaboration to ensure a unified, organization-wide approach to resilience. For example, IT teams can work closely with risk management and compliance teams to integrate DORA’s requirements into day-to-day operations. Leadership should visibly support these initiatives, providing resources and setting accountability measures to ensure success. Recognize and reward proactive compliance efforts to reinforce their importance and sustain momentum.
Security and compliance for CD with Octopus
Octopus helps ensure security and compliance by adhering to robust standards, performing regular assessments, and embedding security into its practices. It maintains certifications such as ISO 27001:2013 and SOC 2 Type II, undergoes annual third-party audits, and conducts vulnerability scans, penetration testing, and bug bounty programs. Compliance with legal frameworks like GDPR and CCPA and features like encrypted data, secure communications, and detailed audit logs ensure data protection and regulatory alignment. The platform provides real-time security issue updates and comprehensive reporting through its trust center.
To further support secure operations, Octopus offers advanced access control with single sign-on (SSO), role-based access control (RBAC), and integration with authentication providers like Active Directory and Okta. Its proactive security design includes transport encryption, tamper-proofing, and auditable environments to promote accountability. These measures, combined with a strong privacy policy and clear legal agreements, make Octopus a trusted solution for scaling organizations while meeting stringent security and compliance requirements.
Find out more or start a trial to see how it works.