The EU’s Digital Operational Resilience Act (DORA) requires financial institutions and technology providers to meet stringent standards from 2025.
In January 2025, the EU’s Digital Operational Resilience Act (DORA) will take effect, bringing transformative changes to how financial institutions manage their digital infrastructure.
Designed to safeguard the financial sector from digital disruptions, DORA sets out stringent obligations for EU-based firms and their global technology providers.
This is part of a raft of EU legislations to strengthen, and harmonise, their cyber posture.
As a result, the regulation’s broad scope includes not only banks and insurers but also the technology companies underpinning modern financial systems, such as cloud computing providers, data centres, and software vendors.
Examining the scope and impact
The introduction of DORA comes at a time of heightened vulnerability in the financial sector.
As digital dependencies grow, so do the risks. High-profile incidents, such as a global IT outage experienced by cybersecurity provider CrowdStrike in July 2024, have underscored the potential for cascading disruptions.
Against this backdrop, DORA aims to bolster the sector’s resilience by addressing systemic risks tied to critical third-party service providers.
“DORA is a regulatory framework designed to strengthen the resilience of the financial sector against digital disruptions, says Jonathan Armstrong, Partner at Punter Southall Law. “It applies to banks, insurers, investment firms, and other financial institutions, as well as to key third-party service providers.”
The regulation’s timing is deliberate, acknowledging the interconnectedness of financial systems across the EU.
“At its core is the recognition that financial systems across the EU are part of each country’s critical national infrastructure,” says Jonathan. “Many financial services organisations rely on a few key services providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU.”
Technical and regulatory requirements
DORA mandates rigorous Information Communication Technologies (ICT) risk protocols, requiring financial institutions to implement digital risk management systems, establish incident reporting mechanisms, and conduct regular resilience testing.
Additionally, it introduces an oversight framework for critical ICT providers, particularly cloud services. While DORA regulations are directly applicable in Member States, an accompanying directive will require implementation into national law, including the determination of penalties that may encompass criminal sanctions.
Although DORA is an EU initiative, its influence extends to cross-border financial institutions operating in European markets.
“Whilst DORA is an EU measure, operational resilience is high on the agenda for UK financial firms too, with operational resilience requirements introduced in 2022 coming into full effect in March 2025,” says Jonathan.
Meanwhile, the UK has developed its own operational resilience framework, led by the Financial Conduct Authority and the Prudential Regulation Authority. The UK’s regulations, effective since March 2022, will reach full enforcement by March 2025.
This framework has already demonstrated its teeth: TSB Bank was fined £48.65m (US$62.2m) in December 2022 following operational risk management failures during an IT upgrade that disrupted services for thousands of customers.
“Many financial services organisations rely on a few key services providers, meaning that an incident compromising one of those providers could have a significant effect on financial services across the EU”. – Jonathan Armstrong, Partner, Punter Southall Law.
Securing cross border interactions
For institutions navigating both DORA and the UK’s operational resilience framework, compliance will require significant adjustments to technology procurement, risk management processes, and incident response protocols.
Firms must map critical services, implement testing protocols, and maintain detailed documentation of their digital infrastructure.
“DORA has caused concern in the financial services, tech, and cybersecurity communities, so it’s important for businesses to understand fully their responsibilities,” says Jonathan.
The coming regulatory landscape signals a shift towards enhanced accountability and systemic risk management, marking a new era for digital resilience in the financial sector.
