DORA: What you need to know

New regulation can be hard to get your head around—especially when it’s as wide-ranging as DORA. Here’s everything you need to know about the new regulation. 

What is DORA?  

The EU’s Digital Operational Resilience Act (DORA) is the world's most expansive digital risk regulation for financial services firms and their supply chains. It ensures financial institutions can withstand, respond to, and recover from all types of ICT-related disruptions and threats. It takes a forward-looking approach to the increasing risks in ICT and cyber, so financial stability is upheld, and consumers protected. 

Why is DORA important? 

Complying with DORA is imperative for every financial institution with the EU. 

Its heightened and deeper focus on digital risks enshrines targeted, qualitative requirements to strengthen control capabilities. In response, firms must enhance their technology and cyber resilience, improve their risk and control framework, and put ICT risks high on the agenda of boards and executive committees.  

DORA also has complex and wide-ranging implications—far beyond the usual regulations that stretch into different jurisdictions. It aims to harmonise digital operational resilience for firms operating across multiple EU jurisdictions and simplify compliance efforts. 

It also impacts businesses typically outside the scope of financial regulations, for example, third-party ICT service providers such as cloud service providers and data centres. And even though it’s an EU regulation, it impacts and includes those who might not be established in but provide services to financial firms within the EU. These third-party businesses face indirect exposure due to the obligations on financial entities to manage their third-party risk, and direct exposure where they’re designated as critical third parties (CTPs).  

What does DORA mean for your firm?  

DORA uplifts many existing rules and guidelines across the regulatory landscape to Europe’s financial market. It aims to ensure a consistency across the financial sector and defines specific guidelines across ICT risk management, resilience testing capabilities, and third-party risk management.  

It focuses on five key areas:  

1. ICT risk management: DORA sets out clear guidelines for internal governance and ICT risk management. Financial entities are required to create internal structures that limit ICT risks.  
2. ICT third-party risk management: DORA also focuses on the management of risks stemming from services provided by ICT third parties. It includes monitoring third-party risk providers, key contractual provisions, and critical oversight.  
3. Digital operational resilience testing: The regulation includes provisions for basic and advanced resilience testing, ensuring a comprehensive approach to digital operational resilience.  
4. ICT-related incident management and reporting: There are general requirements for reporting major ICT-related incidents to competent authorities. 
5. Information sharing: DORA encourages the appropriate exchange of information and intelligence on cyber threats between entities to strengthen overall resilience for the financial sector.  

When is DORA live?  

DORA was enacted on 16 January 2023 and will apply as of 17 January 2025 with the oversight activities for European Supervision Authorities (ESAs).  

How we see DORA  

 At Baringa, we see DORA as an opportunity; it’s a chance to master how you manage digital risk. 

There’s no avoiding the fact that digital and cyber incidents are increasing in severity and frequency each year, but it’s how you adopt regulation like DORA that will make the difference to your organisation’s resilience. Adopting DORA enables you to map your critical business functions, control their associated risks and the services they underpin, and gives you the visibility needed to truly embed resilience. It’s only by understanding the risks and controls in your digital infrastructure that you can successfully accelerate the safe deployment of new technologies that’ll drive revenue, improve services, and provide better customer outcomes. 

DORA is also just the beginning. Globally, regulators are placing increasing focus on operational resilience and cyber risk, and we expect to see a tidal wave of new regulation across the UK, US, and APAC in the next few years. But with DORA as your foundation, focusing on cyber risk and resilience now will set you up to seamlessly manage future regulatory interventions.  

Need help with your DORA implementation? 

We can help you define the proper scope and priorities for your DORA execution to get you fit for January and lay the foundation for beyond.  

We don’t believe in one-size-fits-all solutions.  We help you focus on the right details—whether that’s simplifying your network of third-party dependencies, fine-tuning your ICT risk frameworks, or developing your testing capability. We act as an extension to your team embedding resilience at the core of your organisation to protect your biggest assets. And when we leave our capabilities stay because we upskill your people to build sustainable solutions faster, keeping you ready for the next wave of risk and regulation.   

Get in touch to see how we can turn DORA compliance into your firm’s competitive advantage