DORA Regulation – The Essentials in 5 Minutes

The EU’s Digital Operational Resilience Act (DORA), which entered into force on January 17, 2023, and becomes fully applicable on January 17, 2025, is designed to strengthen the digital operational resilience of the financial sector across the European Union. DORA unifies and tightens ICT security requirements to ensure that financial institutions can withstand, respond to, and recover from disruptions to their IT systems — including cyberattacks and system failures.

Who is subject to DORA?

DORA applies to a broad set of financial entities — including banks, insurers, investment firms, payment and crypto service providers — as well as their critical third-party ICT partners, such as cloud providers and software vendors. As an EU regulation, it applies directly and uniformly across all member states.


What does DORA require?

DORA defines mandatory requirements in five key areas:

1. ICT Risk Management

Financial organizations must establish a comprehensive ICT risk management framework, which includes:

  • Identifying and assessing risks
  • Implementing preventive and protective measures
  • Detecting and managing incidents
  • Establishing recovery and learning processes

The framework must be proportional to the size, activity, and risk profile of the organization.

2. ICT Incident Management and Reporting

Firms are required to identify, classify, and report significant ICT-related incidents to the relevant authorities. Reports must include the description, impact, and remediation actions.

3. Digital Operational Resilience Testing

Organizations must regularly test their resilience using:

  • Vulnerability assessments
  • Performance testing
  • Threat-Led Penetration Testing (TLPT)

These tests aim to uncover system weaknesses and enhance overall resilience.

4. Third-Party Risk Management

Strict requirements apply when engaging with ICT service providers, including:

  • Conducting risk assessments before contracting
  • Defining contractual obligations such as audit rights, security requirements, and incident reporting
  • Creating exit strategies for service termination

5. Information Sharing

DORA encourages financial institutions to share information about cyber threats and incidents to promote collective defense and faster response across the sector.

How do I know if DORA applies to my company?

DORA has broad applicability. Consider the following questions to assess potential relevance:

  • Does your company provide financial services within the EU?
    If you operate as a bank, insurer, investment firm, payment provider, or crypto service provider — you’re likely covered.
  • Do you provide ICT services to financial institutions?
    This includes cloud hosting, software development, data center operation, or cybersecurity services. If so, you may fall under DORA as a critical ICT third-party provider.
  • Are your clients part of the financial sector?
    Even indirect involvement may trigger regulatory expectations.
  • Are your services or operations dependent on ICT systems?
    If these systems are essential to business continuity, DORA’s resilience and risk management rules may apply.
  • Do you handle sensitive data or face significant digital risk?
    DORA places special emphasis on data protection, service continuity, and rapid incident response.

These considerations serve as general guidance and do not constitute legal advice. Whether DORA applies to your organization depends on your specific operational structure, activities, and contractual relationships. We recommend consulting legal or compliance professionals for a definitive assessment. Telvice accepts no liability for decisions made based on this summary.


Streamline DORA Compliance with the Right Technology

If you need support in building the technical foundation for DORA compliance, the Telvice team is here to help. We bring deep experience in aligning IT systems with the operational and regulatory demands of the financial sector.

The new Dynatrace Compliance Assistant module is designed specifically to support technical compliance with regulations like DORA. It enables IT teams to document, monitor, and continuously improve digital operational resilience.

Key capabilities include:

  • Automated compliance reporting to simplify audit preparation
  • Policy-driven alerting and evaluations to detect violations early
  • Full audit traceability for reliable documentation of events and system changes

The module is currently in its rollout phase, but it already shows promise in bridging the gap between IT operations and regulatory requirements.

Need Help with DORA Compliance?

Don’t hesitate to contact us!