With the Digital Operational Resilience Act, or DORA for short, which came into force in January 2023 and became legally binding two years later, the EU has created a regulation aimed at strengthening the digital resilience of financial and insurance companies.
What Is Cyber Resilience?
Cyber resilience is an organization's ability to keep its critical services running through cyberattacks and IT disruptions and to recover from them in a controlled way. For financial and insurance companies it became a concrete priority in 2025 because DORA turns it from a best practice into a legal obligation. This article sets out which requirements, figures and operational steps matter in practice.
Key Points in Brief
- DORA has been legally binding in the EU since January 17, 2025, obligating financial institutions and their IT service providers to achieve comprehensive digital resilience.
- Affected entities include banks, insurance companies, trading venues, credit rating agencies, ICT service providers and crypto-asset service providers; approximately 22,000 companies in Germany alone are affected.
- The regulation covers five key areas: ICT risk management, incident reporting, resilience testing, third-party risk management, and an EU-level oversight framework for critical ICT third-party service providers.
- Overall responsibility rests with the executive management of financial institutions; it cannot be delegated to IT departments or service providers.
- Violations may result in substantial fines imposed by the national supervisory authority, in Germany primarily BaFin (Federal Financial Supervisory Authority) in cooperation with the BSI (Federal Office for Information Security).
DORA, the Digital Operational Resilience Act, marks a pivotal step toward greater IT and legal certainty in the financial and insurance sectors, on trading platforms, at credit rating agencies, among ICT service providers, and among providers of cryptocurrency-related services.
The European Commission, which initiated this regulation, aims primarily to strengthen digital resilience across organizations and has established a unified framework outlining how these entities should respond to cyber threats and IT disruptions. Affected organizations must demonstrate technical, organizational, and procedural measures that go well beyond previous recommendations.
TL;DR: DORA – What You Need to Know
What is DORA and why was it introduced?
DORA, the Digital Operational Resilience Act, is a European Union regulation designed to enhance digital operational resilience across the financial sector, including banks, insurers, trading platforms and crypto-asset services. It was introduced to address growing cybersecurity threats and to ensure that organizations have robust mechanisms in place to respond to IT disruptions and cyberattacks. The regulation establishes a standardized framework for managing ICT risks, reporting incidents, conducting resilience tests, managing third-party risk, and overseeing critical ICT third-party service providers at EU level.
Which organizations are affected by DORA?
DORA applies to a wide range of entities, including banks, insurance companies, stock exchanges, credit rating agencies, IT service providers, and crypto service providers. In Germany, approximately 22,000 companies fall under its scope. These organizations must comply with DORA’s requirements to maintain operational continuity and protect sensitive data from cyber threats.
What are the key requirements of DORA?
DORA outlines five main areas of focus:
1. **ICT Risk Management**: Organizations must identify, assess, and mitigate ICT risks.
2. **Incident Reporting**: They are required to classify ICT-related incidents and report major ones to their competent authority within fixed timeframes: an initial notification within four hours of classifying an incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours and a final report within one month.
3. **Resilience Testing**: Systems supporting critical or important functions must be tested at least annually, and entities designated by their supervisor must additionally undergo threat-led penetration testing (TLPT) at least every three years.
4. **Third-Party Risk Management**: Strict oversight of ICT third-party service providers is mandated, including mandatory contractual provisions and a register of information covering all such arrangements.
5. **Oversight Framework**: Critical ICT third-party service providers are designated and overseen at EU level by the European Supervisory Authorities (EBA, EIOPA and ESMA) as Lead Overseers.
These requirements are more stringent than previous guidelines, emphasizing proactive measures rather than reactive responses.
Who is responsible for ensuring compliance with DORA?
The ultimate responsibility for complying with DORA lies with the executive management of each organization. While IT departments and external service providers play crucial roles in implementing technical solutions, they cannot assume primary accountability. Leadership must ensure that all necessary policies, procedures, and resources are in place to meet DORA’s standards.
What happens if an organization fails to comply with DORA?
Non-compliance with DORA can lead to severe consequences. National supervisory authorities, in Germany primarily BaFin in cooperation with the BSI, have the authority to impose significant fines on organizations that fail to adhere to the regulation. Additionally, repeated violations may result in reputational damage and loss of customer trust, further impacting business operations.
Good Things Take Time
Like other EU regulations, DORA, part of the Commission's Digital Finance Package, officially entered into force on January 16, 2023, following its publication in the Official Journal at the end of 2022. As a regulation it applies directly in every member state without national transposition; the two-year period between entry into force and application gave affected companies and supervisory authorities time to prepare. Accordingly, DORA's requirements have applied since January 17, 2025.
The full title of Regulation (EU) 2022/2554, "on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011," indicates that the primary focus is on strengthening digital resilience within the financial sector. However, ICT third-party service providers also fall under this responsibility. The European Commission aims to reduce vulnerability to cyber threats and disruptions across the entire financial sector value chain and to ensure that affected organizations can respond appropriately.
What the Regulation Includes
According to Security Insider, the 79-page regulation also incorporates national requirements such as those set by BaFin and BSI. However, it introduces several new elements as well. Broadly speaking, the Digital Operational Resilience Act covers five key areas:
- Establishing a framework for ICT risk management
- Handling, classifying, and reporting ICT incidents
- Testing operational resilience
- Managing risks posed by third-party providers
- Creating an EU-level oversight framework for critical ICT third-party service providers
ICT risk management is now enshrined in law, rather than remaining merely an administrative guideline. Ultimately, the executive management of the financial or insurance company bears overall responsibility. These entities are required to continuously monitor, control, and update their IT systems. Additionally, companies must define and implement backup and recovery strategies and maintain risk documentation for both internal and external audits.
“ICT risk management has been elevated to a legal level under DORA and is no longer just an administrative guideline. The executive management ultimately holds overall responsibility.”
– Core principle of the DORA regulatory framework
Responsibility Remains with Financial Institutions
Furthermore, DORA mandates procedures for classifying ICT-related incidents and determining which of them are subject to reporting requirements, as well as the review of IT systems through appropriate testing methods. Higher standards, notably threat-led penetration testing, apply to systemically important organizations in this regard.
A key component of the regulation is that financial institutions are obligated to manage the risk arising from their ICT third-party service providers throughout the contract lifecycle. This is complemented by an EU-level oversight framework for critical ICT third-party service providers, under which the Lead Overseer has extensive powers to request information, conduct investigations and inspections, and issue recommendations.
Regarding the aforementioned scope of application for affected companies, DORA allows national exceptions for development banks, for example. Otherwise, the regulation is binding for companies in the financial and insurance sectors.
Concrete Implementation Steps for Financial Institutions
In operational implementation, affected organizations face several key task areas. First: a comprehensive inventory of their own IT landscape, including all external service providers, cloud services, and software dependencies. Many companies discover during this analysis that their service provider ecosystem is far more complex than initially assumed. Second: the introduction or adaptation of an ICT risk management system that is documented in compliance with DORA and regularly reviewed.
Third: defining and implementing incident response processes with clear reporting obligations, escalation levels, and communication channels. The fourth pillar is the regular execution of resilience tests, the scope and frequency of which depend on the criticality of each organization. Fifth: contractually integrating and managing third-party ICT service providers, including audit rights, exit strategies, and defined SLAs.
Each of these points represents a significant effort for most financial institutions. Medium-sized institutions in particular, those falling within the scope of the regulation but lacking dedicated security operations centers or large IT compliance teams, rely on external support. This is precisely where specialized IT security and data protection consulting firms come into play.
What Non-Compliance Means
National supervisory authorities, in Germany primarily BaFin in cooperation with the BSI, can impose substantial fines for violations. In addition, reputational risks, reporting obligations to business partners, and, in extreme cases, the revocation of licenses or approvals may occur. For managing directors and board members, personal liability risks may also arise, as DORA explicitly assigns overall responsibility to company management.
The timeframes for making improvements are tight. Anyone who is not compliant with DORA by January 17, 2025, will not benefit from a transitional period but will be legally in default. Supervisory authorities indicate that they will exercise discretion in the case of companies demonstrably working on implementation; however, a fundamental lack of the required structures will not be tolerated.
Who Can Help With Implementation
In light of the mandatory measures and the past implementation deadline, organizations need a competent partner to translate DORA’s regulatory requirements into concrete technical and organizational actions. Specialized IT security and data protection consultancies provide analyses of existing infrastructure, implementation roadmaps, and support with documentation for regulatory authorities.
DORA in the International Context
DORA does not exist in isolation; rather, it is part of a network of other EU regulations. The NIS2 Directive addresses cybersecurity in critical sectors, the Cyber Resilience Act governs requirements for digital products, and the GDPR regulates data protection. For financial institutions, this creates overlaps that require active mapping: Which requirements are covered by which regulation? Where are there gaps or contradictions? And which measures simultaneously fulfill multiple compliance obligations?
In international comparison, DORA follows a similar direction to regulatory initiatives in the United States, the United Kingdom, and Japan, but it relies on a uniform EU-wide regulation instead of national individual laws. For internationally operating financial companies, this simplifies compliance within the EU, yet increases the integration requirements with locations outside the EU. In particular, globally active banks and insurers must structure their governance frameworks so that DORA requirements can be harmonized with comparable regulatory frameworks in other jurisdictions.
Preparing for the First Audits
After the deadline of January 17, 2025, many financial institutions will face their first DORA audits conducted by national supervisory authorities. Regulators have indicated that, during the transitional phase, they will focus primarily on the quality of implemented structures rather than merely checking off formal checklists. The effectiveness of processes will be assessed: Do incident reports function within the defined timeframes? Are backup and recovery strategies documented and tested? Are third-party risks actually monitored?
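The third implementation step above and the audit question "Do incident reports function within the defined timeframes?" both come down to a clock that an incident response process has to keep. The following is an added example written for this article, not code from the original page or from any supervisory authority. It encodes the deadlines set by the regulatory technical standards adopted under Article 20 of DORA for major ICT-related incidents: initial notification within four hours of classification and no later than 24 hours after awareness, intermediate report within 72 hours of the initial notification, final report within one month of the intermediate report, with the next clock starting from the moment a late report should have been submitted. The sample incident timestamps are constructed for illustration.

```python
"""Deadline clock for DORA major ICT-related incident reporting.

Added example, not part of the original article. Deadlines follow the RTS
adopted under Article 20 of DORA:
  - initial notification: within 4 hours of classifying the incident as
    major, and in any case no later than 24 hours after becoming aware of it
  - intermediate report: within 72 hours of the initial notification (or of
    the moment it should have been submitted, if it was late)
  - final report: within one month of the intermediate report (same rule)
The sample incident below is constructed for illustration.
"""
import calendar
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)
INITIAL_AFTER_AWARENESS = timedelta(hours=24)
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)


def add_one_month(ts: datetime) -> datetime:
    """Calendar-month addition with end-of-month clamping (31 Jan -> 28 Feb)."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def _clock_start(due: datetime, submitted: Optional[datetime]) -> datetime:
    # The next clock runs from the actual submission; if the report was late
    # (or is still missing) it runs from the moment it should have been sent.
    return min(submitted, due) if submitted else due


def reporting_deadlines(aware_at: datetime, classified_at: datetime,
                        initial_submitted: Optional[datetime] = None,
                        intermediate_submitted: Optional[datetime] = None) -> Dict[str, datetime]:
    """Compute the three statutory deadlines for one major incident (UTC-aware datetimes)."""
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before the entity is aware of it")
    # Whichever of the two bounds comes first binds: slow classification does
    # not extend the 24-hour limit counted from awareness.
    initial_due = min(classified_at + INITIAL_AFTER_CLASSIFICATION,
                      aware_at + INITIAL_AFTER_AWARENESS)
    intermediate_due = _clock_start(initial_due, initial_submitted) + INTERMEDIATE_AFTER_INITIAL
    final_due = add_one_month(_clock_start(intermediate_due, intermediate_submitted))
    return {"initial": initial_due, "intermediate": intermediate_due, "final": final_due}


def check_submissions(deadlines: Dict[str, datetime],
                      submissions: Dict[str, datetime]) -> Dict[str, bool]:
    """True if a report was submitted on time, False if late or not yet submitted."""
    return {name: (submissions.get(name) is not None and submissions[name] <= due)
            for name, due in deadlines.items()}


# Constructed sample incident: detected on a Monday morning, but the entity
# needed 26 hours to classify it as major, so the 24-hour cap already binds.
SAMPLE_AWARE = datetime(2025, 3, 3, 9, 15, tzinfo=timezone.utc)
SAMPLE_CLASSIFIED = datetime(2025, 3, 4, 11, 0, tzinfo=timezone.utc)
SAMPLE_SUBMISSIONS = {
    "initial": datetime(2025, 3, 4, 10, 0, tzinfo=timezone.utc),       # 45 min late
    "intermediate": datetime(2025, 3, 6, 18, 0, tzinfo=timezone.utc),  # early
}


def demo():
    """Run the clock over the sample incident; returns (deadlines, on-time status)."""
    deadlines = reporting_deadlines(SAMPLE_AWARE, SAMPLE_CLASSIFIED,
                                    SAMPLE_SUBMISSIONS.get("initial"),
                                    SAMPLE_SUBMISSIONS.get("intermediate"))
    return deadlines, check_submissions(deadlines, SAMPLE_SUBMISSIONS)


if __name__ == "__main__":
    deadlines, status = demo()
    for name, due in deadlines.items():
        print(f"{name:12s} due {due.isoformat()}  on time: {status[name]}")
```

In the sample the initial notification falls due at 09:15 on March 4, that is 24 hours after awareness, even though classification only happened at 11:00; a process that starts its four-hour timer at classification would already be late. Because the intermediate report was sent early, the one-month clock for the final report runs from that early submission rather than from the 72-hour deadline.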
To prepare for these audits, it is advisable to conduct structured simulations of key scenarios. This includes tabletop exercises with management, threat-led penetration testing (TLPT) of critical IT systems, which DORA requires of designated entities at least every three years, and regular reviews of ICT service provider contracts. The documentation generated from these activities serves both as evidence of DORA compliance and as a foundation for continuous improvement. Companies that lack the internal capacity to undertake such exercises can benefit from specialized consulting partners who bring methodologies developed under comparable regulations such as BAIT or VAIT.
What to Expect Specifically in 2025 and 2026
The first months following the DORA deadline are already revealing initial consolidation trends in the market. Smaller financial service providers that cannot economically implement the requirements are seeking partnerships with larger institutions or specialized ICT service providers. At the same time, platform offerings are emerging that deliver DORA compliance as a managed service. This represents a relevant option for medium-sized banks, insurers, and regulated financial service providers.
In the medium term, supervisory practice will become more important than the statutory text alone. The extent to which BaFin and BSI focus on specific requirements will determine the actual implementation path over the coming months. For IT decision-makers in affected organizations, it is therefore advisable not only to ensure formal DORA compliance but also to actively maintain communication channels with the supervisory authorities and participate in industry working groups in order to gain early access to best practices.
DORA Interfaces with Existing Frameworks
A frequently overlooked aspect is the integration of DORA into existing compliance frameworks. Organizations already operating under ISO 27001 have a significant advantage: many of the required controls can be demonstrated through their Information Security Management System (ISMS). Similarly, BAIT (Banking Supervisory Requirements for IT) and VAIT (Insurance Supervisory Requirements for IT) share substantial overlap with DORA; BaFin withdrew both circulars for entities in DORA's scope when the regulation became applicable on January 17, 2025, so existing BAIT/VAIT controls now need to be re-mapped to DORA articles rather than maintained in parallel. A well-defined mapping matrix between these frameworks prevents redundant effort and demonstrates to regulators that compliance structures are thoughtfully designed.
For companies without an established ISMS, however, the DORA deadline presents a particularly challenging scenario. They must simultaneously establish fundamental risk management processes and implement the specific DORA requirements. In such cases, a pragmatic phased approach is recommended: first address the most critical gaps, then progressively achieve full DORA maturity through iterative improvements. Engaging external consultants can shorten this process by several months, provided they follow a methodical, evidence-based approach rather than merely submitting standard documentation.
Conclusion
DORA marks a regulatory turning point for the financial sector in Europe. The regulation elevates IT security and operational resilience to a legally binding level, compelling organizations to critically review their existing structures. Those who take DORA seriously and implement it consistently will not only strengthen their formal compliance but also enhance their actual resilience against cyberattacks and operational disruptions. The coming months will reveal how supervisory practices and concrete business implementation converge in day-to-day operations.
Frequently Asked Questions
Who exactly does DORA apply to?
DORA applies to banks, insurance companies, trading venues, credit rating agencies, central counterparties, trade repositories, crypto-asset service providers, and critical ICT third-party service providers. In Germany, the Federal Financial Supervisory Authority (BaFin) estimates that around 22,000 companies fall under this regulation.
When did DORA become legally binding?
DORA entered into force on January 16, 2023. After a two-year transition period, it became legally binding on January 17, 2025. From that date onward, all affected organizations must have fully implemented its requirements.
Who is liable for violations of DORA?
Ultimate responsibility lies explicitly with the management of the affected organizations. This includes personal liability risks for board members and managing directors and cannot be delegated to IT departments or external service providers.
What sanctions are threatened in case of non-compliance?
National supervisory authorities such as BaFin and the Federal Office for Information Security (BSI) can impose fines. Additionally, there are reporting obligations to business partners, potential reputational damage, and, in extreme cases, the revocation of licenses.
What do financial institutions need to consider when working with their IT service providers?
DORA requires documented risk management for third-party providers. This includes audit rights, exit strategies, clearly defined SLAs, and consideration of cyber risks throughout the entire service provider chain. Critical ICT third-party service providers are subject to a separate EU-level oversight framework.
Image source: iStock / sdecoret