DORA Compliance: Impact on the Financial Sector

Sophie Vandenberghe
Compliance Director
October 20, 2025

The Digital Operational Resilience Act (DORA) - Regulation (EU) 2022/2554 - represents the most comprehensive regulatory framework for ICT risk management in the European financial sector. Applicable since January 17, 2025, DORA establishes uniform requirements for the security of network and information systems supporting the business processes of financial entities.

Understanding DORA's Scope

Who Is Affected?

DORA applies to virtually all regulated financial entities in the EU:

  • Credit institutions (banks)
  • Payment institutions and electronic money institutions
  • Investment firms and fund managers
  • Insurance and reinsurance companies
  • Crypto-asset service providers
  • Central securities depositories
  • Trading venues and trade repositories
  • Credit rating agencies
  • Crowdfunding service providers
  • ICT third-party service providers designated as critical

Key Point: Third-Party Providers

DORA extends its reach beyond financial entities to critical ICT third-party providers (CTPPs). Cloud service providers, data analytics firms, and other technology vendors serving the financial sector may be subject to direct oversight by European Supervisory Authorities.

The Five Pillars of DORA

Pillar 1: ICT Risk Management (Articles 5-16)

Financial entities must establish a comprehensive ICT risk management framework:

Governance Requirements:

  • Management body bears ultimate responsibility for ICT risk management
  • Dedicated ICT risk management function with sufficient authority, independence, and resources
  • ICT risk management framework reviewed at least annually
  • Mandatory ICT security awareness programs for all staff and management

Technical Requirements:

  • Identification and classification of all ICT assets and dependencies
  • Continuous monitoring and detection of anomalous activities
  • Comprehensive business continuity and disaster recovery policies
  • Backup and restoration procedures with regular testing
  • Learning and evolving from ICT-related incidents and industry developments

Key Implementation Actions:

  1. Establish ICT risk management governance structure with clear roles
  2. Create and maintain an ICT asset inventory with dependency mapping
  3. Implement continuous monitoring capabilities across all ICT systems
  4. Develop and test business continuity plans specific to ICT scenarios
  5. Document and regularly update ICT security policies and procedures

Pillar 2: ICT-Related Incident Management (Articles 17-23)

DORA requires a structured approach to managing ICT-related incidents:

Incident Classification Criteria:

  • Number of clients and counterparties affected
  • Duration of the incident
  • Geographic spread
  • Data losses (availability, authenticity, integrity, confidentiality)
  • Criticality of the services affected
  • Economic impact

Notification Requirements:

| Report Type | Deadline | Recipient |
|---|---|---|
| Initial notification | Within 4 hours of classification as major / 24 hours of detection | Competent authority |
| Intermediate report | Within 72 hours of initial notification | Competent authority |
| Final report | Within 1 month of initial notification | Competent authority |

Voluntary Notification: Financial entities may voluntarily notify significant cyber threats to competent authorities, enabling information sharing across the sector.

Pillar 3: Digital Operational Resilience Testing (Articles 24-27)

DORA mandates regular testing of ICT systems and capabilities:

Basic Testing (All entities):

  • Vulnerability assessments and network security assessments
  • Open-source software analysis
  • Gap analyses and physical security reviews
  • Scenario-based testing and compatibility testing
  • Performance and end-to-end testing

Advanced Testing (Significant entities):

  • Threat-Led Penetration Testing (TLPT) at least every three years
  • Based on the TIBER-EU framework
  • Performed by qualified and independent testers
  • Covers critical functions and ICT services supporting them
  • Results reported to competent authorities

Pillar 4: ICT Third-Party Risk Management (Articles 28-44)

This pillar addresses the systemic risk posed by concentration in ICT service providers:

Contractual Requirements: All contracts with ICT third-party providers must include:

  • Clear description of services and quality standards
  • Data processing locations (and conditions for changes)
  • Service level agreements with quantitative targets
  • Assistance obligations during ICT incidents
  • Audit and access rights for the financial entity and regulators
  • Exit strategies and transition periods
  • Mandatory notification of material changes

Register of Information: Financial entities must maintain a detailed register of all ICT third-party arrangements, including:

  • Service provider identification and classification
  • Services provided and criticality assessment
  • Contractual details and service level agreements
  • Subcontracting chains and concentration risks

Critical Third-Party Provider Oversight: The European Supervisory Authorities (EBA, ESMA, EIOPA) can designate ICT providers as critical, subjecting them to:

  • Direct oversight through a Lead Overseer
  • Annual oversight plans and examinations
  • Recommendations and, if necessary, requests to supervisory authorities to restrict business

Pillar 5: Information Sharing (Article 45)

DORA encourages voluntary cyber threat information sharing among financial entities:

  • Participation in threat intelligence sharing arrangements
  • Notification to competent authorities of such arrangements
  • Protection of shared information (personal data, business secrets)
  • Exchange of indicators of compromise, tactics, techniques, and procedures

DORA Implementation Roadmap

Phase 1: Assessment (Months 1-3)

  1. Gap Analysis: Assess current ICT risk management against DORA requirements
  2. Scope Definition: Identify all ICT systems, services, and third-party providers in scope
  3. Governance Review: Evaluate management body involvement in ICT risk management
  4. Third-Party Inventory: Build the register of information on ICT third-party arrangements

Phase 2: Framework Development (Months 4-6)

  1. ICT Risk Management Framework: Develop or update the framework to meet DORA requirements
  2. Incident Management: Establish classification criteria and notification procedures
  3. Testing Program: Design the digital operational resilience testing program
  4. Third-Party Policies: Update procurement and vendor management policies
  5. Information Sharing: Evaluate and join relevant sharing arrangements

Phase 3: Implementation (Months 7-12)

  1. Technical Controls: Deploy monitoring, detection, and response capabilities
  2. Contractual Updates: Renegotiate ICT contracts to include DORA requirements
  3. Training: Train management and staff on DORA obligations
  4. Testing: Conduct initial testing cycle
  5. Documentation: Complete all required documentation and registers

Phase 4: Validation (Months 13-15)

  1. Internal Audit: Conduct comprehensive review of DORA compliance
  2. Remediation: Address identified gaps and nonconformities
  3. Regulatory Engagement: Proactively engage with competent authorities
  4. Continuous Improvement: Establish ongoing monitoring and improvement processes

DORA vs NIS2: Understanding the Overlap

Financial entities subject to DORA benefit from a carve-out from NIS2 for ICT risk management requirements. However:

  • DORA is lex specialis (takes precedence over NIS2 for financial entities)
  • NIS2 incident reporting requirements are replaced by DORA's for in-scope entities
  • Some NIS2 requirements may still apply for non-ICT security matters
  • Organizations must carefully assess which regulation applies to each aspect of their operations

Penalties for Non-Compliance

While DORA does not specify maximum fine amounts (unlike GDPR), competent authorities can:

  • Issue administrative sanctions and remedial measures
  • Require cessation of specific activities or practices
  • Impose periodic penalty payments
  • Restrict or suspend business activities
  • Issue public notices identifying the entity and the nature of the infringement

For critical ICT third-party providers, the Lead Overseer can impose fines of up to 1% of average daily worldwide turnover for each day of non-compliance, for up to six months.

Conclusion

DORA represents a paradigm shift in how the European financial sector manages ICT risk. Its comprehensive approach covering risk management, incident handling, testing, third-party oversight, and information sharing creates a resilient financial ecosystem. Financial entities that embrace DORA as an opportunity to strengthen their operational resilience will be better positioned to withstand the increasingly sophisticated cyber threat landscape.

Need help with DORA compliance? Contact our financial sector specialists for a tailored compliance assessment.
