Operational Resilience
DORA
What is DORA?
Digital Operational Resilience (DORA) in the financial sector is the name of the EU regulation that enhances the operational resilience of financial services provided in the EU in the face of a potentially broad range of ICT-related disruptions. DORA requires banks, insurance undertakings, investment firms and other financial institutions to:
- define and manage a robust governance and ICT risk management framework,
- report significant incidents to the authorities,
- test their resilience against various ICT risk scenarios,
- govern the ICT risk of third parties, and
- participate in the development of the cyber resilience report.
The regulation also applies to the most critical ICT third parties in terms of the ICT services they provide to the financial sector (e.g. cloud providers). The European Parliament and Council and the European Banking Authority (EBA) host the official resources on DORA.
DORA Enforcement and Applicability: Key Dates for Financial Sector Resilience
DORA entered into force on 16 January 2023 and applies from 17 January 2025 onwards. Its key aim is to strengthen the cyber resilience of financial institutions so that the financial system is protected against severe disruptions.
This regulation is expected to “align operational resilience requirements for the financial sector, while expanding their scope to cover 20 different types of financial institutions and ICT third-party service providers.”
What are ICTs?
ICTs broadly refer to the technologies, systems, and processes that enable the creation, processing, storage, transmission, and exchange of information. This includes:
- Algorithmic Trading Platforms: Systems executing trades based on pre-defined algorithms and high-frequency strategies.
- Anti-Money Laundering (AML) Solutions: Systems to screen customers, identify high-risk clients, and flag potential money laundering activities.
- Enterprise Resource Planning (ERP): Integrated systems managing supply chain, HR, finance, and other back-office functions.
- Data: The raw information, structured databases, and the analytics tools to extract insights from data.
Why are ICTs Important?
ICTs have revolutionized virtually every aspect of modern life and business, leading to:
- Enhanced Productivity: Automation, streamlining workflows, and enabling real-time collaboration.
- Innovation: Fueling new products, services, and business models across industries.
- Global Connectivity: Facilitating communication, commerce, and knowledge sharing beyond geographic borders.
- Improved Decision-Making: Providing access to vast amounts of data and analytical tools.
- Social Change: Empowering individuals and fostering new forms of community and social action.
DORA establishes a binding, comprehensive ICT risk management framework specifically for the EU financial sector. This framework is aimed at creating a single regulatory environment at the European level to manage risks stemming from ICT and suppliers.
It’s designed to improve cybersecurity and operational resiliency in the financial services sector, complementing existing laws like the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR).
The regulation also seeks to harmonize existing rules on managing ICT governance, risks, and incident reporting for all financial institutions, ensuring operational resilience against cyber-attacks. This applies to all EU and non-EU companies operating in mainland Europe.

Why do you need to comply with DORA?
There are several compelling reasons why financial institutions need to comply with DORA:
Regulatory Mandate and Penalties: The most immediate reason is that DORA is a legally binding EU regulation. Failure to comply by the implementation deadlines can result in significant fines, reputational damage, and potential restrictions on operating within the EU.
Strengthening Operational Resilience: DORA’s core aim is to build a more robust financial sector capable of withstanding ICT-related disruptions. By implementing the required frameworks, testing, and risk management, you reduce the likelihood and impact of outages or cyberattacks compromising your services.
Improved Cybersecurity Posture: DORA includes specific requirements around ICT security. Complying builds stronger defenses against cyber threats, protecting sensitive customer data and financial assets.
Harmonization of ICT Risk Management: Previously, ICT risk rules varied across EU member states. DORA provides a unified framework, streamlining compliance for institutions operating in multiple countries and creating a level playing field across the sector.
Building Customer & Stakeholder Trust: Demonstrating DORA compliance signals to clients, investors, and regulators that you take operational resilience and the security of their assets seriously. This can be a competitive advantage, foster stronger relationships, and reduce reputational risk.
Aligning with Evolving Risks: The threat landscape is constantly changing. DORA helps you stay ahead of the curve by requiring regular testing and reassessment of your resilience posture against new and emerging threats.
Beyond Compliance: Benefits of Proactive DORA Adoption
Enhanced decision-making: Data and insights gained through DORA compliance inform better risk management and investment decisions in ICT infrastructure and security.
Reduced operational costs: Proactive risk mitigation and prevention can reduce the cost of incidents and outages in the long run.
Innovation: A strong operational foundation enables confident exploration of new technologies and services, knowing you have the resilience to protect them.
WHO DOES IT IMPACT?
DORA is a comprehensive EU regulation aimed at enhancing IT security and operational resilience for a wide range of financial institutions, including banks and investment firms. It extends its scope to include Information and Communication Technology (ICT) third-party service providers, establishing a unified regulatory framework to mitigate ICT-related risks and improve cybersecurity.
Asset Managers
Banks
Fintechs
How to comply with DORA?
1. Inventory and Mapping
Review your current:
- Inventory of ICT third-party service providers (TPPs).
- Contractual arrangements with TPPs.
- Map these details to the standardized templates provided by the Implementing Technical Standard (ITS).
2. Systems and Processes
Establish or improve systems and processes for:
- Collecting, validating, and updating information required for the register of information on TPPs.
- Reporting this information regularly.
- Monitoring changes in the risk profile and performance of TPPs.
3. Collaboration with TPPs
Communicate with your TPPs about:
- Their reporting obligations and expectations.
- The need for their cooperation in providing information.
- Consider amending contracts with TPPs to require their compliance with reporting requirements.
4. Policy and Procedures
Develop or update policies and procedures to govern the management of the register of information, including:
- Roles and responsibilities of personnel involved.
- Escalation and reporting mechanisms for identified issues.
- Audit and review activities to ensure ongoing compliance.
1. Gap Analysis and Assessment
Perform an initial gap analysis to evaluate the level of IT security and operational resilience of a financial institution within the scope of DORA against the regulation's requirements. Identify gaps and points of non-compliance and propose solutions.
2. Strategic Advisory
Advise on how best to map operational resilience strategies to the DORA standards, and assist with the prioritisation of resourcing to meet the compliance deadlines and maintain ongoing compliance.
3. Policy Development and Review
Contribute to the development, review and update of policies, procedures, and controls to ensure compliance with DORA requirements. Assist in the development of a comprehensive Information and Communication Technology (ICT) risk management framework.
4. Training and Awareness
Develop and provide training courses to raise awareness and knowledge of DORA obligations among employees and stakeholders alike, and continue to provide updates on changes to DORA and other relevant EU regulations.
5. Implementation Support
Provide hands-on assistance with the changes required to become DORA-compliant. Provide technical and operational support in establishing ICT governance frameworks, incident reporting and other necessary systems and processes.
6. Third-Party Vendor Assessment
Assess third-party ICT service providers for compliance with DORA requirements.
Assist in managing relationships and contracts with third-party ICT service providers for continuous compliance.
7. Technology Advisory and Implementation
Recommend and deploy technology to enable monitoring and management of ICT risks in line with DORA guidance. Support the implementation of Artificial Intelligence (AI) and Machine Learning (ML) technology in accordance with DORA.
8. Monitoring and Reporting
Contribute to the establishment of systems to monitor and report on ongoing compliance with DORA requirements. Prepare for audits and inspections by regulatory authorities.
9. Incident Response Planning
Assist in the development and testing of incident response plans to confirm that they are effective and meet DORA obligations.
10. Liaison with Regulatory Authorities
Serve as an intermediary between financial entities and regulators for reporting, overseeing all regulatory communication to ensure that accurate, timely and legally compliant information is disseminated.
11. Customized Solutions
Customize solutions based on the individual requirements and challenges of different financial institutions in fulfilling DORA.
DORA Readiness - How do you compare?
Organizations' estimated completion rate for key DORA milestones:
ICT Risk Management: Although most companies (about 65%) have revised their IT risk management frameworks recently, continuous updating will be necessary.
Third-Party Risk Management: About 70% of firms actively monitor third parties for risk; however, ongoing, dynamic assessment remains difficult.
Operational Resilience Testing: 60% already have a test framework in place, yet only 40% perform advanced testing at the right frequency.
Information Sharing: Only 50% of firms use established mechanisms effectively to enhance collective defense.
Reporting Requirements: High readiness (around 75%) for meeting reporting requirements, though the detail and accuracy of incident reports can be improved.
Frequently Asked Questions
The DORA Operational Resilience Policy is part of the Digital Operational Resilience Act (DORA), an EU-wide regulatory framework designed to enhance the cyber resilience and operational stability of financial institutions. Enforced by the European Supervisory Authorities (ESAs), DORA mandates that firms establish robust mechanisms to detect, prevent, and respond to ICT-related disruptions. This includes strict guidelines on risk management, incident reporting, third-party oversight, and regular stress testing. The policy’s primary objective is to ensure that critical financial services remain resilient during cyber incidents, safeguarding market stability and consumer trust.
The five key pillars of operational resilience are:
Governance and Accountability – Clear roles and responsibilities for overseeing resilience planning.
Business Continuity Planning – Preparing for disruptions with structured response plans.
Third-Party Risk Management – Ensuring service providers maintain resilience.
Incident Management – Effective response and recovery mechanisms.
Testing and Assurance – Regular testing of resilience measures to identify gaps.
T3’s expert team helps financial institutions strengthen each of these pillars, aligning with both regulatory expectations and industry best practices.
The seven principles of operational resilience are:
Preparation and Planning: Establishing risk tolerance and identifying critical services.
Risk Identification: Understanding internal and external threats to operations.
Incident Response and Recovery: Ensuring rapid and effective responses to disruptions.
Communication: Clear, timely communication during incidents.
Governance: Maintaining accountability for resilience measures.
Third-Party Management: Assessing the resilience of third-party partners.
Continuous Improvement: Regularly updating strategies to reflect evolving risks.
T3 consultants work closely with clients to embed these principles within their operational frameworks, enhancing resilience and compliance with CPS230.
While both operational resilience and business continuity focus on minimizing disruption, they are distinct in scope and approach. Operational resilience is a broader strategy that prepares organizations to adapt and continue critical operations during unexpected events, ensuring long-term sustainability. In contrast, business continuity is more focused on maintaining specific business functions during short-term disruptions. Operational resilience includes business continuity planning as a component but extends to crisis management, third-party risk, and overall organizational adaptability.
The primary ISO standard relevant to operational resilience is ISO 22316:2017 – Security and Resilience – Organizational Resilience, which provides guidance on building organizational resilience. It complements ISO 22301:2019 for business continuity management. Together, these standards help organizations develop robust frameworks to withstand disruptions, protect stakeholders, and recover swiftly. T3 can help your firm align with these standards to meet regulatory expectations and enhance resilience capabilities.
Crisis management and operational resilience serve different purposes in risk preparedness. Crisis management focuses on the immediate response to unexpected events to protect people, assets, and reputation. It is reactive by nature, dealing with communication, decision-making, and containment during a crisis. Operational resilience, however, is proactive and strategic, emphasizing the design of systems and processes that can absorb shocks and continue critical operations. Essentially, crisis management is a response mechanism within the broader framework of operational resilience.
Yes, Business Continuity Planning (BCP) is an integral part of operational resilience. BCP focuses on maintaining business operations during short-term disruptions, while operational resilience extends this by ensuring the firm can adapt and thrive despite long-term shocks. T3’s operational resilience solutions incorporate BCP as a key element, alongside risk assessments, scenario testing, and recovery strategies to ensure end-to-end continuity and regulatory compliance.
The 5 Pillars of DORA provide a structured framework for building digital operational resilience in financial institutions:
ICT Risk Management: Firms must implement robust risk assessment and mitigation strategies for information and communication technologies.
ICT Incident Reporting: Mandatory reporting of major ICT-related incidents to regulatory authorities for prompt action and transparency.
Digital Operational Resilience Testing: Regular stress testing and scenario analysis to identify vulnerabilities and improve response strategies.
Third-Party Risk Management: Enhanced due diligence and monitoring of third-party ICT service providers to mitigate outsourcing risks.
Information Sharing and Learning: Secure mechanisms for information sharing among financial entities to bolster collective resilience.
These pillars form the backbone of DORA’s regulatory approach, ensuring end-to-end resilience across digital operations.
The DORA Regulation (Digital Operational Resilience Act) is an EU regulation introduced to strengthen the digital resilience of financial institutions against cyber threats and IT disruptions. Enforced as part of the EU’s Digital Finance Strategy, DORA focuses on ensuring that all players in the financial ecosystem—banks, insurance companies, fintech firms, and ICT providers—are equipped to detect, withstand, and recover from operational disruptions.
In essence, DORA sets out stringent requirements for:
Risk management of ICT systems
Incident detection and reporting
Digital resilience testing
Third-party risk governance
Operational transparency and communication
By standardizing these requirements across the EU, DORA aims to harmonize digital resilience standards, protect consumers, and secure market stability.