A major financial institution is hit by a cyber-attack that cripples its online services for days. Customers are locked out of their accounts and transactions grind to a halt; the impact spreads into the supply chain; other financial institutions, shareholders and government agencies take an interest in the drama unfolding; and trust and reputation begin to slip away… Unfortunately, this isn’t just hypothetical: it’s a growing reality in today’s financial world.
Enter DORA, the Digital Operational Resilience Act – a landmark European Union regulation designed to ensure that financial entities can not only withstand cyber threats but also recover quickly and continue operating. DORA became applicable on 17 January 2025 and is set to reshape how financial institutions across the EU approach digital risk.
In this article, we’ll break down what DORA is, why it was introduced, and what it means for your organisation. Whether you’re a compliance officer, an executive, or just curious about the future of cyber security in finance, this article will help you understand how to prepare for, and benefit from, DORA.
So what is DORA?
The Digital Operational Resilience Act (DORA) is an EU regulation designed to enhance the digital operational resilience of financial entities (see EIOPA, Digital Operational Resilience Act (DORA)). Its primary goal is to ensure that financial institutions can withstand, respond to, and recover from ICT-related disruptions and threats. DORA applies to a broad range of financial entities, including banks, insurance companies, investment firms, and their critical third-party service providers. By implementing robust risk management frameworks, these entities will be better equipped to identify, protect against, detect, and respond to risks. Additionally, DORA mandates regular testing of digital operational resilience to demonstrate that potential disruptions can be managed.
DORA also requires financial entities to report major incidents to competent authorities and share information on cyber threats. This regulation also imposes stringent requirements for managing risks associated with third-party service providers. DORA came into force on January 16, 2023, and was fully applicable from January 17, 2025. By adhering to these requirements, financial institutions can safeguard their operations and contribute to a more resilient cyber security environment across the EU.
Key components of DORA
- Robust risk management framework
- Reporting incidents to competent authorities
- Sharing information on threat intelligence and incidents
- Regular testing of digital operational resilience
- Comprehensive supply chain management
So why was DORA introduced?
Whilst traditional cyber security frameworks such as ISO 27001 and the NIST CSF laid solid foundations for cyber security, the financial industry’s growing dependence on digital systems created operational vulnerabilities that those frameworks could not effectively manage. DORA was created to address these critical gaps and to establish unified, enforceable standards across the EU.
Five key areas were identified for improvement by The European Commission’s DORA Directive:
• ICT risk management
• Operational resilience during disruptions
• Enhanced oversight of third-party providers
• Consistent resilience standards across EU markets
• Structured incident reporting for knowledge sharing
With a theme of “stronger together” and a collaborative, knowledge-sharing approach to cyber security, especially around operational resilience, DORA aims to raise the industry’s cyber security posture as a whole.
The Five Pillars of DORA
From these key areas for improvement, DORA strengthens cyber resilience through five pillars. Let’s take a look at each one in more depth:
Risk Management
DORA outlines the core requirements for financial entities to establish a comprehensive ICT risk management framework. Financial entities must:
- Implement a well-documented risk management framework as part of their overall risk management system.
- Include strategies, policies, procedures, protocols and tools to protect information assets, hardware assets, and physical infrastructure.
- Have a control function to oversee risk management that is independent and has authority to challenge decisions and escalate issues.
- Ensure the framework is proportionate to the size, complexity and risk profile of the financial entity (as defined in Article 4).
- Have a mechanism to continually improve their risk management practices.
Moving forward, board members will need to be involved in the risk management frameworks of their organisations. As stated in the DORA framework, the Board of Directors are personally liable for cyber security governance and risk management. This means each board director will require an understanding of cyber threats to inform their decision-making.
They will also need to define and approve their organisation’s risk management framework, including its third-party supplier strategy, which underlines the importance of informed decision-making in addressing emerging cyber threats effectively. Board-level responsibility for cyber security has been steadily declining among businesses since 2021 (only 27% of businesses have a board member fully responsible for cyber security in 2025, versus 38% in 2021), so now is the time for financial services firms to take action and ensure board members take responsibility for aligning cyber security with business objectives.
So where should Financial Services organisations start with improving risk management and ensuring it is part of the board agenda?
Many financial services organisations have not undertaken a formal cyber security risk assessment in the past 12 months. It is estimated that only 48% of UK organisations have undertaken a formal cyber security risk assessment in the past year. This means board members of financial services firms and their cyber security teams could be making plans, or reviewing their cyber security risk strategy, with data that is not relevant, not up to date, or not based on the latest NCSC guidance. This is not only a business risk in itself; it could also be preventing wider business initiatives from being undertaken in a secure, compliant and resilient manner.
Additionally, it should be noted that not all cyber risk assessments are the same. Unfortunately, many cyber security risk assessments are treated as ‘tick box’ exercises that provide neither adequate detail nor direction on how to improve. At Cyberfort we believe the starting point for building a cyber risk strategy is to undertake an NCSC-assured Cyber Resilience Audit and Review. The review, based on NCSC best practices and guidance, gives cyber security professionals and board members a clear picture of their resilience posture against industry benchmarks and highlights where improvements can be made. Furthermore, board members can use the cyber resilience audit and review to demonstrate to regulatory bodies that they have undertaken due diligence and understand their responsibilities in relation to cyber security in the wider business context.
Incident Reporting
The incident management requirements under DORA aim to ensure that financial entities can detect, assess, and respond to incidents in a structured and effective manner. DORA also requires organisations to maintain detailed internal logs, conduct thorough post-incident reviews, and integrate lessons learned into their risk management practices. DORA highlights that financial services organisations should have the following in place for incident management and reporting:
Timely Detection and Classification
Entities must have mechanisms to detect, classify, and prioritise incidents. Incidents must be assessed based on their impact on operations, data, and service continuity.
Structured Incident Reporting
Major incidents must be reported to the relevant national competent authority using standardised templates. Reporting must follow a strict timeline: an initial notification as soon as possible (with the expectation that this happens within the same day), an intermediate report within 3 days, and a final report within a month. The final report should include root cause analysis and mitigation.
Internal Logging and Documentation
Entities must maintain detailed internal logs of all incidents, including minor ones. Logs should support trend analysis and continuous improvement.
Post-Incident Review and Lessons Learned
A post-mortem analysis is required to identify root causes and improve controls. Findings must be documented and used to update risk management and response plans.
Communication and Stakeholder Management
Ensure clear internal and external communication during incidents. This includes informing customers, partners, and regulators as appropriate.
Integration with Business Continuity and Disaster Recovery
Plans should be tested regularly to ensure effectiveness under real-world conditions.
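The reporting timeline summarised above lends itself to a simple tracker. The following is an added example, not Cyberfort’s or any regulator’s tooling: it derives the three reporting deadlines from the time an incident was classified as major, using the windows exactly as the article states them (same day, 3 days, one month), and flags reports that are overdue or were filed late. Timestamp format, the end-of-day reading of “same day” and the calendar-month reading of “a month” are assumptions.

```python
"""Deadline tracker for the DORA major-incident reporting timeline as summarised
in the article: initial notification the same day, intermediate report within
3 days, final report within one month. Constructed illustration, not Cyberfort's
or any regulator's tooling. Timestamps are ISO 8601 strings (assumed format)."""
import calendar
from datetime import datetime, timedelta


def _add_one_month(dt: datetime) -> datetime:
    """Same day next month, clamped to that month's last day (31 Jan -> 28 Feb)."""
    year = dt.year + (dt.month == 12)
    month = dt.month % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def reporting_deadlines(classified_at: str) -> dict:
    """Deadlines keyed by report type, derived from the classification time.
    'Same day' is read as the end of that calendar day (assumption)."""
    t0 = datetime.fromisoformat(classified_at)
    deadlines = {
        "initial": t0.replace(hour=23, minute=59, second=59, microsecond=0),
        "intermediate": t0 + timedelta(days=3),
        "final": _add_one_month(t0),
    }
    return {name: due.isoformat() for name, due in deadlines.items()}


def report_status(classified_at: str, submitted: dict, now: str) -> dict:
    """Per report type: 'submitted' (on time), 'late' (sent after the deadline),
    'overdue' (not sent and deadline passed) or 'pending'. `submitted` maps
    report type -> ISO submission time; a missing key means not yet sent."""
    now_dt = datetime.fromisoformat(now)
    status = {}
    for name, deadline in reporting_deadlines(classified_at).items():
        due = datetime.fromisoformat(deadline)
        sent = submitted.get(name)
        if sent is not None:
            status[name] = "submitted" if datetime.fromisoformat(sent) <= due else "late"
        elif now_dt > due:
            status[name] = "overdue"
        else:
            status[name] = "pending"
    return status


def needs_escalation(classified_at: str, submitted: dict, now: str) -> list:
    """Report types that are overdue or were filed late; these are the items a
    post-incident review should record as process failures."""
    return sorted(name for name, state in report_status(classified_at, submitted, now).items()
                  if state in ("overdue", "late"))


if __name__ == "__main__":
    # Constructed sample: classified as major on 31 Jan 2025 at 14:00; the
    # initial notification went out at 16:00 the same day, nothing else yet.
    sent = {"initial": "2025-01-31T16:00:00"}
    print(reporting_deadlines("2025-01-31T14:00:00"))
    print(report_status("2025-01-31T14:00:00", sent, "2025-02-05T09:00:00"))
```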
So what does this mean in reality?
From our experience at Cyberfort it means Financial Services firms must have tailored incident response plans in place to be able to detect and respond to cyber security incidents, while mitigating the impact on operations and reputation.
This is an area all UK businesses need to improve on. The latest UK Government Cyber Security Breaches Survey 2025 estimates that 53% of medium-sized businesses and 75% of large businesses have formal, tested incident response plans in place. These plans should include technical, communication, and legal playbooks. But those responsible for cyber security in their organisation should be asking themselves:
- When was the last time the company incident response plan was truly tested?
- Are cyber security teams and members of the board aware of gaps that may exist and potential impact if not addressed?
- If gaps do exist in terms of knowledge, process or people skills, how are these being addressed in a timely manner, before a live incident occurs?
If the right expertise does not exist in house, then a specialist third-party cyber security supplier with knowledge of DORA and of incident response best practices should be consulted, so that those practices can be adopted by the organisation.
Digital Operational Resilience Testing
A crucial part of DORA that extends beyond traditional cyber security is an organisation’s ability to keep operating despite an adverse cyber event. This requires a set of detailed, tested response plans that address the risks and prevalent threats and that will prove effective when needed. In particular, DORA requires:
- A risk-led, comprehensive testing schedule and a range of testing methods
- Independence and objectivity of the testing
- Mandatory annual testing of critical systems
- Remediation mechanism to classify, prioritise, and remediate any issues
- Proportionality principle to determine the scope of the testing, based on size, complexity, and risk profile
Recognising the above steps is only the beginning: a proactive approach to cyber resilience needs to be implemented. By being proactive about cyber resilience, financial services organisations can minimise disruptions to their operations, strengthen their ability to maintain operational continuity, and protect sensitive data. By making cyber resilience a high priority, they can build their defence against potential breaches and foster a culture of preparedness and responsiveness in an otherwise reactive cyber security world. This proactive approach will help to mitigate risks and position a financial services organisation as a trusted digital partner in the minds of its customers and suppliers.
Third-Party Risk Management
DORA brings the supply chain into the scope of the regulation by making financial entities responsible for identifying, assessing, and monitoring their third-party providers. DORA expects entities to identify all third-party service providers, classify them based on the criticality of the services they provide, and maintain a comprehensive register of information. Then, for each provider, a risk assessment must be conducted before entering into a contract, to understand its security posture, resilience capabilities, and compliance with DORA standards.
The contracts themselves must meet minimum contractual standards, for example, include specific clauses covering topics such as Service Level Agreements (SLAs), audit and inspection rights, ongoing monitoring and oversight, and termination and exit strategies.
The financial entity must continuously monitor the performance and risk exposure of their third parties, including regular reviews, audits, and updates to risk assessments, and ensure that third-party risk management is integrated into their overall risk governance framework, with clear roles and responsibilities at the management level.
In addition, in certain situations, DORA introduces EU-level oversight for critical third-party providers (e.g., major cloud service providers), ensuring they meet stringent operational and security standards.
This may sound simple in theory, but the practical reality from our experience at Cyberfort is that supply chain cyber security is complex and can be difficult to manage. This is demonstrated by the fact that only 14% of UK organisations have undertaken formal risk reviews of their supply chain security in the past 12 months. At Cyberfort we recommend that all financial services firms take action with the following eight steps to improve their supply chain security:
- Validate your own supply chain: suppliers and sub-suppliers often get smaller the further down the chain you go, and hence less mature in cyber security.
- Ensure your security controls are appropriate for the level of business risk you’re dealing with.
- Migrate to SaaS where possible, and make use of the vendors’ security packages for an efficient, effective and minimal-effort approach to security management.
- Validate and evidence the controls that your suppliers have in place; the effort is theirs, not yours, but hold the supplier to account.
- Make sure you hold Cyber Essentials Plus.
- Keep on top of pen testing and Vulnerability Management and keep track of evidence.
- Understand what your customer expects of you in security and compliance, and price this into your solution.
- Ask your customer about their controls, likely targets and defences, find a trusted advisor/partner to help you extrapolate this to the threats you are likely to face.
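The register and contract requirements described under Third-Party Risk Management above can be checked mechanically once the register is held as structured data. The following is an added example and not Cyberfort’s or any regulator’s tool: it walks a constructed third-party register and reports entries that lack a criticality classification, were risk-assessed only after the contract started, have not been reviewed recently, or (for critical services) are missing any of the four contract clause types the article names. Field names, the clause keys and the 12-month review interval are assumptions.

```python
"""Checks over a third-party register of the kind the article describes:
each provider classified by criticality, risk-assessed before contract start,
reviewed within the last 12 months, and (if critical) contracted with SLA,
audit rights, ongoing monitoring and exit strategy clauses. Constructed
illustration; field names, clause keys and the review interval are assumed."""
from datetime import date, timedelta

REQUIRED_CLAUSES = {"sla", "audit_rights", "ongoing_monitoring", "exit_strategy"}
CRITICALITY_LEVELS = ("critical", "important", "standard")   # assumed scheme
REVIEW_INTERVAL = timedelta(days=365)                         # assumed cadence


def _date(value):
    """Parse an ISO date string; None stays None (field not recorded)."""
    return None if value is None else date.fromisoformat(value)


def check_provider(entry: dict, today: str) -> list:
    """Return the findings for one register entry (empty list = no issues)."""
    findings = []
    now = date.fromisoformat(today)
    if entry.get("criticality") not in CRITICALITY_LEVELS:
        findings.append("criticality not classified")
    assessed = _date(entry.get("risk_assessed_on"))
    start = _date(entry.get("contract_start"))
    if assessed is None:
        findings.append("no pre-contract risk assessment")
    elif start is not None and assessed > start:
        findings.append("risk assessment performed after contract start")
    last_review = _date(entry.get("last_review"))
    if last_review is None or now - last_review > REVIEW_INTERVAL:
        findings.append("risk review older than 12 months or missing")
    if entry.get("criticality") == "critical":
        missing = REQUIRED_CLAUSES - set(entry.get("contract_clauses", ()))
        if missing:
            findings.append("critical contract missing clauses: " + ", ".join(sorted(missing)))
    return findings


def audit_register(register: list, today: str) -> dict:
    """Map provider name -> findings, for entries with at least one finding."""
    return {e["name"]: f for e in register if (f := check_provider(e, today))}


SAMPLE_REGISTER = [  # constructed data, not real suppliers
    {"name": "CloudHost Ltd", "criticality": "critical",
     "contract_start": "2024-03-01", "risk_assessed_on": "2024-02-10",
     "last_review": "2025-01-20",
     "contract_clauses": ["sla", "audit_rights", "ongoing_monitoring", "exit_strategy"]},
    {"name": "PayGateway SA", "criticality": "critical",
     "contract_start": "2023-06-01", "risk_assessed_on": "2023-07-15",
     "last_review": "2023-12-01", "contract_clauses": ["sla", "ongoing_monitoring"]},
    {"name": "Office Supplies Co", "criticality": "standard",
     "contract_start": "2024-09-01", "risk_assessed_on": "2024-08-20",
     "last_review": "2025-03-03", "contract_clauses": ["sla"]},
]

if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_REGISTER, "2025-04-01").items():
        print(name, "->", "; ".join(findings))
```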
Information Sharing
Financial entities are encouraged to voluntarily exchange cyber threat intelligence, including indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), cyber security alerts, and configuration tools. The goal is to enhance collective digital operational resilience by improving awareness, detection, and response capabilities.
These exchanges must occur within secure and structured environments to ensure that shared information is handled responsibly. Entities are required to uphold strict confidentiality and data protection standards, ensuring that sensitive business or personal data is not exposed or misused. Additionally, any formal participation in information-sharing arrangements must be reported to the relevant competent authorities, promoting transparency and regulatory oversight. The ultimate aim is to support proactive threat detection and coordinated responses across the financial sector.
Those responsible for cyber security in their financial services organisation should start by asking themselves whether they participate in information-sharing schemes (e.g. ISACs), and whether they have the tools in place to process threat information shared with the organisation effectively, so that knowledge can be disseminated in a timely and appropriate manner.
The Strategic Business View of DORA
The Digital Operational Resilience Act (DORA) marks a significant shift in how financial institutions must approach digital risk. Rather than treating cyber security and ICT risk as isolated compliance tasks, DORA requires organisations to embed resilience into their core operations. This means preparing not just to prevent disruptions, but to detect, respond to, and recover from them swiftly and effectively. For many firms, this represents a move from reactive IT support to a proactive, strategic resilience posture.
One of the most notable changes is the increased accountability placed on senior leadership. DORA mandates that boards and executive teams take ownership of risk management, integrating it into the broader enterprise risk strategy. This shift demands greater visibility, governance, and cross-functional collaboration, particularly between IT, compliance, legal, and business units. It also means that digital resilience is no longer just a technical issue; it’s a boardroom priority.
Implementing DORA may also require significant investment in technology and infrastructure. Legacy systems may need to be upgraded or replaced to meet the regulation’s requirements for monitoring, testing, and recovery. Additionally, organisations must reassess their relationships with third-party providers. DORA introduces strict oversight and contractual obligations for these vendors, especially those deemed critical, making third-party risk management a strategic concern.
Finally, DORA has global implications. While it is an EU regulation, its reach extends to any non-EU firm offering financial services within the EU. This is likely to drive broader alignment with DORA’s standards across international markets. For organisations that embrace this shift early, DORA offers an opportunity to build trust, enhance operational resilience, and gain a competitive edge in an increasingly digital financial ecosystem.
Final Thoughts
The Digital Operational Resilience Act (DORA) is a pivotal regulation introduced by the European Union to strengthen the financial sector’s ability to withstand and recover from adverse cyber events. Its importance lies in creating a unified, comprehensive framework that ensures all financial entities can manage digital risks effectively. By focusing on areas like risk management, incident reporting, resilience testing, third-party oversight, and information sharing, DORA not only enhances operational stability but also builds trust in the digital financial ecosystem. It marks a shift from reactive compliance to proactive resilience, making it a strategic imperative for organisations operating in or with the EU financial market.
As the Digital Operational Resilience Act (DORA) reshapes the regulatory landscape, financial institutions face more than a compliance challenge: they face a strategic inflection point. DORA demands a fundamental shift in how organisations think about digital risk.
For forward-thinking financial services firms, this is an opportunity to build trust, enhance operational continuity, and differentiate in a competitive market. But navigating DORA’s complexity across governance, incident response, third-party oversight, and resilience testing requires more than internal effort. It requires a partner who understands both the regulatory nuance and the operational realities of financial services.
At Cyberfort, we help organisations turn DORA readiness into a strategic advantage. From assessing your current posture to designing scalable resilience frameworks, we align your digital operations with regulatory expectations while strengthening your ability to adapt and recover in the face of disruption.
For more information about Cyberfort Governance, Risk and Compliance services and how we can help your organisation shift from reactive compliance to proactive resilience contact us at [email protected].