3 answers to 3 questions: DORA (Digital Operational Resilience Act)



Diana Campar from our Banking Technology and Security team explains what DORA means for banks and enterprises in the European financial sector.
Increasing digitalisation in the financial sector is also increasing the risk of IT disruptions, cyberattacks and technical errors. In order to improve the stability and security of the European financial system, the European Union has passed the Digital Operational Resilience Act, or DORA for short. It took effect in 2023 and is binding as of January 2025. But what exactly does DORA regulate? And what does that mean for banks and their clients?
1. What does DORA regulate?
DORA (the Digital Operational Resilience Act) is an EU regulation that unifies and strengthens the comprehensive digital security requirements that apply to financial enterprises. It affects banks, insurance companies, payment service providers, investment firms and many other financial enterprises, including certain IT service providers that work with these businesses.
DORA’s goal is to ensure that financial businesses can keep operating even in the event of a crisis or IT outage. The act requires businesses to:
- Actively manage risks connected to information and communications technologies (ICT)
- Conduct regular tests to identify weak points
- Prepare for worst-case scenarios (e.g. emergency and recovery plans)
- Report and document serious IT incidents
- Monitor risks connected to cooperation with third-party IT service providers
The goal is to improve the resilience of the financial system in light of growing cyber risks.
2. What does that mean for banks?
DORA presents a series of new challenges for banks and other financial institutions. They have to thoroughly audit their IT systems, improve them and prepare for any potential disruptions. Even existing processes – such as risk management, IT security or use of third-party providers – will have to be adjusted to suit the new requirements.
There is a particular focus on monitoring and controlling third-party providers, such as businesses that provide cloud or software services. The regulation states that problems arising with IT partners remain the responsibility of the bank. In addition, banks have to promptly report serious IT incidents to the authorities, in order to facilitate a quick reaction to any systemic risks.
In the long term, DORA is designed to ensure digital stability and foster sustainable confidence in the industry.
3. What does that mean for clients?
Security is extremely important to consumers. If banks and other financial service providers can further improve their systems to ensure they are better protected against cyberattacks, disruptions or technical issues, the risk of long technical outages or data loss will drop.
And of course, increasing transparency in the event of security issues means that consumers are better informed and safer. Over the long term, DORA will promote confidence in digital financial services, which is an important step in a world that is increasingly online.
Contact: Diana Campar, Banking Technology and Security; Tanja Beller, press spokeswoman