
Cutting Through the Confusion: The Key Provisions and Requirements of the Digital Operational Resilience Act (DORA)

There is much chatter around the Digital Operational Resilience Act and, to be honest, it feels as clear as mud.

We hear a lot of talk about the 5 pillars, what each pillar means, how a business can implement the pillars (and the accompanying 280 articles), with very little detail around the nuts and bolts of implementation, leaving businesses feeling baffled about how they may achieve the fundamentals of compliance.

Whilst many organisations have been waiting with bated breath for 18th July when more detail on implementation was expected, they may be holding their breath for a little longer as this is now with the EU commission for review and it is unclear when the finalised details will be shared. So in terms of any light being shed on how DORA compliance can be achieved, it may be a longer wait.

What do we know about The Digital Operational Resilience Act?

The Digital Operational Resilience Act (DORA) is a legislative regulation introduced by the European Union to strengthen the digital operational resilience of financial entities. Its primary goal is to ensure that the financial sector in the EU can withstand, respond to and recover from all types of ICT-related disruptions and threats.

All financial institutions are covered: credit institutions, crypto-asset service providers, payment institutions, insurance companies and statutory auditors. Critical third-party ICT providers, including providers of cloud computing services, software, data analytics services and data centres, are also brought into scope, but providers of hardware components are not.

What are the key dates for DORA?

  • Deadline for compliance is 17th January 2025
  • Key draft information was presented to the EU on 18th July
  • It remains unclear when the final technical controls will be available

Let’s focus on what we know right now.

The cost of operational incidents each year is estimated to be between 2bn and 27bn euros, so the EU is heavily focused on moving the needle and reducing this cost to financial institutions.

In order to comply, many organisations right now may be completing gap analysis to understand where their weaknesses are. However, this will only present the tip of the iceberg and soon, in order to reach the January deadline, focus is going to have to shift significantly to how implementation will happen in time.

Cutting to the chase: how can implementation be achieved for the Digital Operational Resilience Act?

To be clear, DORA is a regulation, not a framework – so the Digital Operational Resilience Act is a government-enforced set of security requirements.

Right now, let’s break down what we know about each pillar so that financial institutions can start working towards DORA compliance. That way, when the detail is revealed, it is more than likely you will already be some way ahead, which will lessen the scramble to get there.

ICT Risk Management

  • Financial businesses must have a robust governance framework for ICT risk management.
  • Clear roles and responsibilities must be assigned to senior management.
  • Businesses will be required to conduct regular (presently it is unclear how regular) ICT risk assessments so that potential threats and vulnerabilities are proactively identified.
  • Implement measures to protect ICT systems and prevent incidents with security controls and protocols.
  • Top Tip: If you are ISO27001 compliant then you will be some way there in covering off the Risk Management pillar.
  • Top Tip: DORA/C2-ICTRiskMgmt/Art 16/1(b)/0: This article stipulates that the ICT risk management framework must be continuously monitored to ensure the security and functioning of all ICT systems.

Incident Reporting

  • ICT-related incidents will need to be reported to the relevant national competent authorities (NCAs).
  • There are strict timelines for reporting incidents, which must be adhered to within hours or days of detection.
  • Analysis and detailed reports will be expected, along with a clearly demonstrated remedial action plan.
  • Top Tip: Continually monitoring your environment in real time will mean that you will be taking a proactive rather than reactive approach to DORA; this will also allow you to have reports at your fingertips rather than scrambling to create the necessary reporting.

Digital Operational Resilience Testing

  • Regular testing of systems and controls, as well as vulnerability assessments and penetration testing, will be mandatory, although right now it is unclear how regular these will need to be.
  • More sophisticated, threat-led penetration testing will be stipulated for those businesses that are deemed critical.
  • Top Tip: Ensure you have a rigorous, regular testing process in place to demonstrate you are completing this.

Third Party Risk

  • Due diligence must be conducted before any engagement of any third party.
  • Provisions for compliance with the Digital Operational Resilience Act must be included in any third-party contracts.
  • Continuous monitoring and regular periodic assessment of third parties must be completed to ensure they meet the DORA standards.
  • Top Tip: There is significant detail on third parties and how compliance can be achieved. This may be the biggest change for many financial institutions, so the sooner some of these processes are implemented, the easier life will be!

Information Sharing

  • Collaboration is a key element within DORA, with financial institutions expected to share their vulnerabilities and cyber threats for the greater good of combatting the steep rise in incidents.
  • All will be expected to contribute to, and benefit from, a collective sharing of threat intelligence across networks and platforms.

Oversight and Penalties of the Digital Operational Resilience Act

  • Significant financial penalties are expected if financial institutions fail to comply.
  • Supervision will be carried out by each country’s national competent authority (NCA).

When is it time to start implementing DORA?

There is no time like the present. As demonstrated here, there is much financial institutions can be doing to actually start.

Whilst gap analysis is a great place to begin, the information you glean must be used as the starting block for implementing DORA compliance. You may think that you need all the details to start, but if you delay the process in the hope that 18th July will bring clarity, then you may be deeply disappointed. Use the information you know now to start working toward the Digital Operational Resilience Act deadline, because quite frankly you will need the last two quarters of the year to reach the level of compliance that will be necessary.

That way, as more details are revealed, you will have already laid the foundations of DORA with what you already know, which will considerably alleviate the mad dash to compliance in January 2025.
