The European Union has introduced the Digital Operational Resilience Act, commonly known as DORA, a crucial Regulation set to transform the financial sector. Its primary goal is to strengthen the digital operational resilience of financial sector firms and enhance protection against cybersecurity risks.
Ensuring the security and resilience of IT infrastructures has become a top priority for businesses, financial institutions and governments.
The European DORA regulation extends the scope of MiCA and also applies to cryptocurrency businesses and Virtual Asset Service Providers (VASPs), including cryptocurrency exchanges. These entities are required to enhance their cybersecurity measures and risk management frameworks.
The objective is to bolster resilience against potential disruptions (such as cyberattacks or system failures) by investing in preventive solutions that safeguard investors and uphold market integrity.
What is DORA?
DORA, the Digital Operational Resilience Act, is a European regulation designed to establish a unified regulatory framework to ensure that financial sector firms can withstand and respond swiftly to incidents or cyberattacks.
The primary aim of European lawmakers is to protect the European financial system from increasingly sophisticated and pervasive threats, including hacking attempts, IT service disruptions, and other digital vulnerabilities.
When Did It Come into Force?
Approved in December 2022, DORA came into effect on January 16, 2023, requiring financial organizations to adopt specific measures to ensure operational continuity even in the face of technological incidents.
From January 17, 2025, all provisions and required adaptations must be fully implemented.
What is Business Resilience?
Experience and historical events show that the most robust companies are those capable of adapting and thriving despite uncertainty and rapid societal changes.
Business resilience refers to an organization's ability to tackle and overcome IT-related disruptions with minimal consequences or to recover effectively from them.
In physics, resilience is the ability of a material to absorb impact without breaking. Similarly, for a company, overcoming predictable or unforeseen challenges strengthens user trust.
The essence of DORA is to ensure that all players in the European financial market can respond to and survive potential crises, whether anticipated or unexpected.
Economic downturns, natural disasters, technological changes, political instability, network failures, cyberattacks—any of these can be mitigated with proper preparation.
A resilient organization can anticipate, prepare for, respond to, and adapt to these challenges, minimizing disruptions and maximizing learning and improvement opportunities.
Who is Affected by DORA?
DORA applies to a wide range of financial institutions within the European Union.
It covers traditional financial entities such as banks, insurance companies, and investment firms, as well as emerging (non-traditional) players, including cryptocurrency service providers and crowdfunding platforms.
This broad coverage reflects the complexity of today's financial landscape and the necessity of protecting every link in the operational chain.
The Five Pillars of DORA
DORA is built upon five key pillars that define its requirements and primary areas of intervention:
1. ICT and Cyber Risk Management:
- Companies must implement effective systems to identify, assess, and mitigate risks associated with Information and Communication Technology (ICT).
- This includes adopting policies and procedures to prevent cyber incidents and ensure data security.
- Each financial entity must establish its ICT risk tolerance level in line with its overall risk appetite.
2. ICT and Cyber Incident Management:
- Companies must streamline ICT incident reporting by registering and classifying incidents according to severity.
- Major incidents must be reported to competent authorities using standardized models and procedures.
3. Digital Operational Resilience Testing:
- All financial entities must conduct basic digital operational resilience tests at least annually.
- Significant financial institutions are also advised to perform cyberattack simulations or crisis scenario drills at least once every three years.
4. Third-Party ICT Risk Management:
- If IT services are outsourced, firms must monitor contractual agreements at all stages and allow the European supervisory authorities (ESAs) to oversee critical third-party ICT service providers.
- All technology partners must comply with security standards, with primary oversight resting with the contracting financial entity.
5. Information Sharing:
- The regulation promotes information sharing among financial firms and competent authorities to enhance collective responses to cyber incidents.
- Voluntary participation in the exchange of cybersecurity threat intelligence—such as indicators of compromise, tactics, techniques, and procedures—is encouraged among financial institutions and critical ICT service providers.
Who Oversees DORA Compliance?
The enforcement of DORA is entrusted to regulatory authorities designated in each EU Member State.
Their role may range from requiring specific security measures and vulnerability corrections to imposing administrative penalties on non-compliant entities. In extreme cases, criminal sanctions may also apply.
The nature and severity of sanctions are at the discretion of each Member State.
Financial institutions may face fines of up to €10 million or 5% of their total annual revenue in cases of serious breaches of the regulation.
Critical ICT service providers identified by the European Commission will be directly supervised by "primary monitoring bodies" within the ESAs.
The three European Supervisory Authorities (EBA, EIOPA, and ESMA—collectively referred to as the ESAs) are responsible for overseeing DORA's implementation alongside national regulatory authorities.
They have the power to demand security measures, enforce corrections, and penalize ICT providers that fail to comply.
Impact of DORA on Businesses
DORA introduces significant challenges for many firms, particularly those lacking robust cybersecurity risk management systems.
At the same time, it presents an opportunity to enhance digital security and build trust among clients and investors.
Key impacts include:
- Initial Costs: Implementing DORA's requirements may necessitate significant investments in technology, staff training, and expert consultancy.
- Greater Transparency: Companies will be required to document their processes in detail and submit regular reports to regulatory authorities.
- Competitive Advantage: Firms that comply with DORA ahead of competitors may gain a competitive edge by demonstrating a concrete commitment to security and resilience.
How to prepare for DORA
To ensure compliance with DORA, businesses can take a structured approach by following these steps:
- Initial Assessment: Conduct a thorough analysis to identify gaps relative to DORA's requirements.
- Action Plan: Once gaps are identified, develop a plan to address them, setting priorities and timelines.
- Engaging Suppliers: Collaborate with third-party vendors to ensure compliance with the regulation's standards.
- Staff Training: Ensure employees are adequately trained to handle digital operational resilience challenges.
- Continuous Monitoring: Implement monitoring systems to regularly assess progress and identify emerging threats.
The Digital Operational Resilience Act marks a crucial step in addressing cybersecurity challenges in the financial sector.
While compliance may demand time and resources, the long-term benefits—such as data protection, operational continuity, and stakeholder trust—far outweigh the initial effort.
For businesses, DORA is not just a regulatory obligation but also an opportunity to strengthen their position in the global digital market.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.