DORA Is Now in Force: What EU Firms Need to Know About the New Digital Operational Resilience Regime

On January 17, 2025, the Digital Operational Resilience Act (DORA) officially came into effect across the European Union, ushering in a comprehensive regulatory framework designed to bolster the ICT resilience of financial entities. For financial institutions and ICT service providers operating in or serving the EU, DORA is not just another compliance obligation—it marks a paradigm shift in how firms are expected to manage digital risk.

As a regulatory consultant specializing in fintech and financial services, I’ve been helping clients prepare for DORA’s implementation. This article breaks down what DORA means now that it’s live, who is affected, and how firms can move from preparation to active compliance.

What Is DORA?

DORA is part of the EU’s Digital Finance Package, aimed at strengthening the financial sector’s resilience to cyber threats and operational disruptions. Unlike previous frameworks that approached operational resilience indirectly through fragmented national or sectoral rules, DORA introduces a uniform and binding EU-level regime.

It applies directly to over 20 categories of financial entities, including:

  • Banks

  • Payment institutions and e-money firms

  • Investment firms

  • Insurance and reinsurance companies

  • Crypto-asset service providers (once MiCA is in full effect)

  • Central counterparties and trading venues

  • ICT third-party service providers (critical ones will be directly supervised)

Key Requirements Now in Effect

With DORA in force, in-scope firms must now comply with the five main pillars of the regulation:

1. ICT Risk Management

Firms must implement comprehensive ICT risk frameworks covering governance, asset classification, risk assessment, protection, detection, response, recovery, and learning processes. This includes regular reviews and board-level oversight.

2. Incident Reporting

DORA imposes strict requirements for classifying, reporting, and managing ICT-related incidents. Firms must report major incidents to their competent authorities within tight timeframes, with a harmonized reporting format across the EU.

3. Digital Operational Resilience Testing

Entities must conduct regular testing of their ICT systems—ranging from basic vulnerability scans to advanced threat-led penetration testing (TLPT) for certain firms. The scope and frequency depend on the firm's size, risk profile, and services.

4. ICT Third-Party Risk Management

Firms must now formalize risk-based due diligence, contractual arrangements, monitoring, and exit strategies for all ICT third-party relationships. Critical third-party providers (CTPPs) will be designated and directly supervised by European Supervisory Authorities (ESAs).

5. Information Sharing

DORA encourages voluntary participation in cyber threat intelligence sharing among regulated firms, under secure and structured conditions, to promote collective resilience.

What This Means in Practice

Now that DORA is in effect, regulated firms must shift from planning to execution. Compliance is no longer theoretical—it’s supervisory reality. Here’s what firms should be doing right now:

  • Operationalize their ICT risk frameworks and embed them in governance structures

  • Establish reporting procedures and escalation paths for ICT incidents

  • Review existing ICT contracts to ensure they meet DORA’s stringent outsourcing and subcontracting standards

  • Map ICT third-party dependencies, especially for critical services

  • Engage with regulators and industry groups to stay informed on TLPT methodologies and supervisory expectations

For ICT service providers, especially cloud and data analytics firms serving multiple financial entities, DORA introduces new regulatory exposure and potential direct oversight. These providers must prepare for audits, data requests, and possibly designation as critical under the ESAs’ oversight.

Enforcement and Supervision

National competent authorities (NCAs), together with the European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA), are now fully empowered to:

  • Conduct on-site inspections

  • Issue administrative fines and remedial measures

  • Coordinate pan-European enforcement actions

  • Monitor critical ICT providers under a new supervisory framework

Supporting Your Compliance Journey

DORA is not a “one-and-done” compliance obligation—it’s an ongoing regulatory discipline that requires cross-functional collaboration between risk, IT, legal, procurement, and senior management. Whether you’re a financial institution still finalizing your implementation or an ICT provider looking to understand your new regulatory responsibilities, I provide:

  • DORA readiness assessments and gap analyses

  • Policy and control framework development

  • ICT contract remediation and vendor governance support

  • Incident response planning and regulatory reporting setup
