The Digital Operational Resilience Act (DORA) is a game-changer for organizations operating in the European Union (EU), particularly those in the financial sector.
As the digital landscape continues to evolve, so do the risks and challenges associated with operational disruptions, cyber threats, and technological failures. To address these growing concerns, the EU has introduced DORA to establish a unified framework for managing information and communication technology (ICT) risks across financial entities and their third-party service providers. This landmark regulation ensures that organizations are not only equipped to withstand digital disruptions but can also recover and adapt quickly, protecting critical operations and data.
In this article, we’ll guide you through everything you need to know about DORA — its key compliance requirements, the actionable steps you need to take to prepare, and the implications it will have for your organization. With the regulation going into effect on Jan. 17, 2025, you must ensure you’re prepared for the operational and cultural shifts that will come with this transformative legislation.
Why improving operational resilience is necessary in today’s financial sector
In today’s fast-paced, tech-driven world, financial entities, third-party vendors, and proposal managers alike face unprecedented challenges from rising cyber vulnerabilities and global supply chain complexities. The stakes are higher than ever—disruptions caused by security breaches can cripple operations, completely derail projects, and destroy trust with clients.
Regulators are stepping in with initiatives like the EU’s Cyber Resilience Act to address security flaws in digital products, making operational resilience a non-negotiable priority. A single cyberattack on critical systems, like global payments, could result in losses of trillions, underscoring the need for proactive defense.
Strong operational resilience not only safeguards your team’s workflow and sensitive data but also positions your organization as a trusted partner in a high-stakes environment. Failure to comply with evolving regulations risks legal penalties, reputational damage, and lost business opportunities.
Regardless of whether you work at an EU-based financial institution, a third-party vendor that supplies to an EU-based financial institution, or as a proposal manager responding to an increasing volume of security questionnaires, staying ahead of these risks isn’t just important—it’s essential for long-term success.
What is an ICT risk?
An Information and Communication Technology (ICT) risk refers to the potential for loss or disruption within an organization due to failures or breaches in its information systems and digital processes. This encompasses a range of issues, including system malfunctions, cyber-attacks, data breaches, and other events that can compromise the confidentiality, integrity, or availability of data and ICT services.
In 2020, a sophisticated cyberattack compromised the SolarWinds Orion software, affecting numerous organizations, including EU institutions. Attackers inserted malicious code into software updates, providing unauthorized access to sensitive data. Between 2019 and 2022, the EU experienced numerous telecom security incidents, with system failures being the most common cause. In 2019 alone, 153 major incidents were reported, resulting in approximately one billion user hours lost.
In 2021, 22% of EU enterprises experienced ICT security incidents, leading to unavailability of services, data corruption, or disclosure of confidential information.
These attacks highlight the vulnerability of critical infrastructure to cyber threats and the potential for significant operational disruptions, financial losses, reputational damage, legal liabilities, and operational setbacks across various sectors. A single ICT failure or security breach can have cascading effects, disrupting supply chains, eroding customer trust, and compromising sensitive information.
Organizations must implement robust ICT risk management strategies to identify, assess, and mitigate these risks, ensuring resilience against potential threats. DORA sets out to provide rules and frameworks for companies to do exactly that.
Understanding DORA
The Digital Operational Resilience Act (DORA) is a European Union regulation aimed at enhancing the digital operational resilience of financial entities. The Act establishes uniform requirements to ensure that financial institutions can withstand, respond to, and recover from ICT-related disruptions and threats. DORA applies to a broad range of financial entities, including banks, insurance companies, investment firms, and critical third-party ICT service providers.
DORA entered into force on Jan. 16, 2023, and goes into effect on Jan. 17, 2025. This timeline gave financial entities a two-year period to align their operations with the regulation’s requirements. Over these past two years, the European Supervisory Authorities (ESAs) have developed regulatory technical standards to ensure an effective implementation.
For businesses in the financial sector, DORA mandates the establishment of comprehensive ICT risk management frameworks, regular digital operational resilience testing, and stringent oversight of third-party ICT service providers. Financial entities are required to implement robust internal controls and governance structures to manage ICT risks effectively. They must also report major ICT-related incidents to competent authorities and may voluntarily share information on significant cyber threats.
The implications of DORA extend beyond the financial sector, as the Act also affects ICT third-party service providers that offer services to financial entities. These providers, including cloud platforms and data analytics services, are subject to oversight to ensure they meet the necessary resilience standards.
DORA’s comprehensive approach ensures that the entire supply chain supporting financial services adheres to robust resilience protocols, thereby enhancing the stability and integrity of the financial system as a whole.
DORA’s regulatory objectives
DORA covers a wide range of regulatory objectives, such as:
- Strengthening digital resilience
  - DORA’s primary goal is to ensure that financial institutions and their third-party ICT providers can withstand and recover from digital disruptions.
  - By mandating comprehensive ICT risk management frameworks and regular resilience testing, DORA bolsters the ability of organizations to maintain continuity in an increasingly volatile digital environment.
- Unifying operational resilience requirements across the EU
  - DORA introduces a standardized approach to operational resilience, creating a cohesive framework that applies to all EU member states.
  - This will eliminate fragmented national guidelines, ensuring that financial entities operate under a single, consistent set of requirements, regardless of jurisdiction.
- Enhancing risk management of third-party ICT providers
  - Recognizing the critical role of third-party ICT services in financial operations, DORA places significant emphasis on overseeing these providers.
  - Organizations must ensure their ICT vendors adhere to strict resilience standards, mitigating risks posed by supply chain vulnerabilities and external dependencies.
- Creating a more informed financial ecosystem
  - By requiring the sharing of significant cyber threat information and establishing protocols for incident reporting, DORA fosters a more transparent and informed financial sector.
  - This collaborative approach allows entities to anticipate and respond more effectively to emerging risks.
- Establishing clear standards for reporting and response
  - DORA mandates clear, standardized procedures for reporting ICT-related incidents and responding to operational disruptions.
  - These protocols ensure timely communication with regulatory authorities and stakeholders, minimizing the impact of incidents on the financial system and consumers.
DORA’s comprehensive framework to enhance digital operational resilience
DORA establishes a comprehensive framework to enhance the digital operational resilience of financial entities within the EU, including:
- ICT risk management: DORA mandates that financial entities implement rigorous internal governance and control frameworks to effectively manage ICT risks. This includes strategies, policies, procedures, and tools designed to protect and ensure the resilience, continuity, and availability of ICT systems, information assets, and data.
- Incident management and reporting: Financial entities are required to establish processes for detecting, managing, and reporting major ICT-related incidents to the relevant authority using standardized procedures. Clients must also be informed about the incident and any mitigation measures that will be implemented.
- Digital operational resilience testing: DORA introduces requirements for regular testing of critical ICT systems and applications on an annual to triennial basis. This includes advanced testing methods such as threat-led penetration testing (TLPT) to identify vulnerabilities and assess the effectiveness of protective measures. For example, imagine a new type of phishing scam is becoming popular. With TLPT, you could create a realistic scenario based on this threat, work with the appropriate authority to establish the test, and then test whether the company can handle it effectively. To ensure the authenticity of the test, you would inform only the fewest, most essential people beforehand.
- ICT third-party risk management: DORA requires financial entities to manage risks associated with third-party ICT services. This involves assessing risks before entering contracts, ensuring contractual agreements include key provisions, and maintaining oversight of third-party providers.
- Information sharing: DORA encourages financial entities to share information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts, and configuration tools. The goal is to help all entities raise awareness of potential threats, limit the ability of a threat to spread, share knowledge of newer threat detection techniques, and hasten response and recovery stages.
For the Responsive community, DORA requires efficient management and sharing of complex security questionnaires and documents to ensure compliance with these new regulations. Proposal professionals must ensure that all shared content is current, complete, and compliant with DORA. Interactions with shared content must also be tracked in real time, with real-time analytics provided to confirm the compliance and effectiveness of the shared information.
Entities governed by DORA
While DORA directly applies to entities operating within the EU, its influence extends globally, especially to non-EU financial organizations that have subsidiaries or branches within EU jurisdictions. These non-EU entities must ensure that their EU operations comply with DORA’s requirements.
Additionally, third-party ICT service providers — regardless of their location — must comply if they offer services to EU-based financial institutions.
DORA encompasses a wide array of financial entities; the regulation applies to 21 different types, including:
- Credit institutions (banks)
- Payment institutions
- Account information service providers
- Electronic money institutions
- Investment firms
- Crypto-asset service providers and issuers of asset-referenced tokens
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitisation repositories
Standards for DORA compliance
Now that we’ve covered a high-level overview of DORA, let’s dig a little deeper and walk through some of the key areas. Your partners across the EU financial sector will expect you to regularly share information about your organization’s compliance with these regulations. You should be prepared to nimbly communicate your compliance.
These regulations include:
ICT risk management and governance
Financial entities are required to implement robust frameworks to identify, assess, and mitigate ICT risks under DORA. This includes establishing governance structures, defining risk management policies, and ensuring continuous monitoring of ICT systems to address potential vulnerabilities. For all regulations covered in this section, this is mandatory by Jan. 17, 2025.
For example, a bank could develop an ICT risk management policy that outlines procedures for regular vulnerability assessments and assigns roles for incident response.
To prepare, organizations should conduct comprehensive assessments of their current ICT risk management practices, document policies aligned with DORA, and deploy monitoring tools to detect and mitigate threats proactively.
Incident response and reporting
Organizations must establish systems to monitor, manage, log, classify, and report ICT-related incidents. If an incident is serious, they may need to report it to regulators, clients, and partners. For critical incidents, they must submit three types of reports: an initial report to notify authorities, a progress report on resolving the issue, and a final report that explains the root causes.
For example, if an investment firm experiences a cyber-attack compromising client data, it must notify the appropriate regulatory body promptly.
To comply, entities should develop detailed incident response plans, train staff on detection and reporting protocols, and establish clear communication channels with regulators to ensure timely reporting. Responsive can help with our Profile Center solution, as companies can post their incident response questionnaires on their Trust Center and point clients to that instead of fielding inbound calls from clients, investors, and stakeholders.
Digital operational resilience testing
Regular resilience testing of ICT systems is a cornerstone of DORA compliance. Basic tests like vulnerability assessments are expected at least once a year. More advanced testing, such as threat-led penetration testing (TLPT) to identify and address vulnerabilities, is required every three years. Testing protocols must be in place by Jan. 17, 2025, with ongoing evaluations conducted as required.
As an example, a payment institution might conduct annual penetration tests to ensure the security of its transaction processing systems.
Financial entities should schedule regular resilience testing, document identified weaknesses, address them promptly, and engage qualified professionals for advanced testing. Financial services (finserv) vendors are also required to strengthen cybersecurity, follow strict incident reporting rules, and regularly test their resilience. Vendors face the same higher standards for risk management, detailed incident response plans, and increased due diligence.
Third-party risk management
DORA emphasizes the importance of managing risks associated with third-party ICT service providers. Financial entities must assess these risks before contracting, ensure agreements include specific provisions, and maintain oversight of third-party performance.
For example, an insurance company might evaluate the cybersecurity measures of a cloud service provider before signing an agreement.
Actionable steps include conducting due diligence assessments, updating contracts to include DORA-mandated clauses, and regularly monitoring provider adherence to agreed-upon standards.
As we noted above, finserv vendors are also required to comply with DORA regulations, which inevitably means vendors will be required to handle more security questionnaires. Responsive’s automated security questionnaire software can help vendors prepare and ensure compliance and risk mitigation by using industry-leading AI to respond quickly with confidence, scalability, efficiency, and accountability in every response.
Information sharing
Under DORA, financial entities are encouraged to share information on cyber threats and vulnerabilities to foster collective resilience across the sector. Organizations should establish practices for information sharing by Jan. 17, 2025.
For instance, a financial consortium might create a secure platform for member institutions to exchange anonymized threat intelligence, ultimately making the whole sector safer and more secure.
To comply, entities should join industry information-sharing networks, develop internal policies for sharing cyber threat data responsibly, and collaborate with other financial organizations to strengthen sector-wide defenses. Responsive can help with our Profile Center solution that helps companies showcase compliance through a robust Trust Center, empowering profile viewers with Responsive AI so they can easily find specific details within disclosures and risk assessments.
Mandatory contract provisions
DORA requires that contracts with ICT third-party service providers include specific provisions addressing risk management, security measures, and regulatory compliance. For critical or important functions, even greater service level descriptions and full access rights must be provided.
For example, a management company might revise its contract with an IT services provider to incorporate clauses on data protection and incident reporting.
To meet these requirements, organizations should review all existing contracts for compliance gaps, update them with DORA-mandated clauses, and ensure future contracts are aligned with the regulation from the outset. This also applies to third-party finserv vendors.
As we noted above, Responsive can help third-party vendors handle the inevitable increase in security questionnaires with secure, accurate, and automated security questionnaire software to complete up to 80% of a security questionnaire with a few keystrokes, rather than manually addressing the same lengthy questions over and over.
Risks of non-compliance
Non-compliance with DORA can lead to severe bottom-line consequences, including substantial legal fines and penalties. Financial institutions can be fined up to 1% of their daily global turnover for each day of non-compliance. Critical third-party ICT service providers can be fined up to €5 million for companies or €500,000 for individuals. In severe cases, regulators may suspend company operations to enforce compliance.
Beyond financial penalties, non-compliance can cause significant reputational damage and erode consumer trust, ultimately leading to decreased business and reduced income. Operational disruptions due to inadequate ICT risk management can lead to service outages, directly impacting customer confidence and loyalty. Such disruptions not only result in immediate financial losses but also harm long-term profitability and market reputation.
These severe legal, financial, and reputational risks underscore the importance of immediate and thorough adherence to DORA in 2025 and beyond.
Preparing for DORA: Compliance checklist
To effectively prepare for DORA, financial entities should adopt a structured approach encompassing several key steps, which we’ve outlined below in a compliance checklist.
Conduct a gap analysis to assess current operational resilience levels
Begin by evaluating your organization’s existing ICT systems and processes against DORA’s requirements. This assessment identifies areas needing improvement to meet regulatory standards.
Engage departments such as IT, compliance, and risk management to gain a comprehensive understanding of current resilience levels. Address identified gaps by updating policies, enhancing security measures, and implementing necessary controls.
Develop resilience training programs and protocols
Create training programs to educate employees on operational resilience and their roles in maintaining it, especially with regard to the new DORA standards. Regular training sessions ensure employees are aware of best practices and compliance obligations.
Collaborate with human resources and department heads to tailor training content to specific roles and teams. Address knowledge gaps by providing targeted training and resources.
Build a DORA compliance strategy
Develop a comprehensive strategy outlining steps to achieve DORA compliance, including timelines, resource allocation, and responsibilities.
Involve senior management to ensure alignment with organizational goals. Address potential compliance discrepancies by setting clear objectives and regularly reviewing progress.
Update existing contracts
Review and amend contracts with third-party ICT service providers to include DORA-mandated provisions related to risk management and security measures.
Work with legal teams to ensure contracts reflect regulatory requirements. Address discrepancies by renegotiating terms to align with DORA standards.
Implement a vendor management strategy
Establish a strategy to assess and monitor third-party vendors’ compliance with DORA. This includes due diligence, regular audits, and performance evaluations.
Involve procurement and risk management teams to oversee vendor relationships. Address non-compliance by setting clear expectations and corrective action plans.
Invest in upgrading resilience and cybersecurity tech
Allocate resources to enhance ICT infrastructure, focusing on systems that support operational resilience and cybersecurity. Leverage your IT departments to identify and implement necessary technological upgrades. Address outdated systems by prioritizing upgrades that align with DORA requirements.
Additional DORA resources
This article has covered a lot of information relating to DORA, as well as surrounding background information leading to its creation. However, we’ve only just scratched the surface on the breadth of information available to help entities in the EU and around the world understand and prepare for DORA.
Here are some additional resources you can use to comply with DORA and learn more about strategies relevant for your organization:
- Digital Operational Resilience Act (DORA) – EIOPA
- Implementing and delegated acts – European Commission
- Preparation for DORA application – European Banking Authority
- DORA: The EU’s New Regulatory Framework on Digital Operational Resilience – CITI
- Digital Operational Resilience Act (DORA) – CSSF
Future-proof compliance with Responsive
With such sweeping changes affecting financial entities in the EU, DORA is set to dramatically alter digital operational resilience with uniform requirements to ensure that financial institutions can withstand, respond to, and recover from ICT-related disruptions and threats.
These sweeping changes have entities around the world asking how they can ensure compliance with the new requirements. Responsive customers are ready for the coming changes DORA will bring thanks to a free DORA compliance questionnaire in Profile Center to help customers demonstrate their compliance with DORA.
This DORA questionnaire includes 120 Q&A pairs companies can use to quickly and thoroughly demonstrate DORA compliance across six sections, including:
- IT Risk Management
- Incident Reporting and Management
- Digital Operational Resilience Testing
- Third-Party Management
- Information & Intelligence Sharing and Reporting
- Section for additional questions as needed.
Profile Center helps customers ensure compliance with DORA by enabling users to efficiently manage and share complex security questionnaires and documents. Organizations can build, host, and share pre-filled questionnaires and documents, providing instant and secure access to essential information.
This ensures that all shared content is current, complete, and compliant. For global organizations, this means multiple departments can manage their data in a single, curated content repository, ensuring information is shared seamlessly and each department is always using the correct data for their responses.
Profile Center also tracks interactions with shared content in real-time, providing real-time analytics, so you can track who is reviewing what information and when.
For financial institutions and the third-party vendors supporting them, demonstrating DORA compatibility through solutions like Profile Center is about more than just compliance—it’s about building trust and delivering secure, reliable services that are essential in our increasingly digital world under constant attack from malicious third-parties.
Next steps for DORA compliance
DORA is set to completely change how financial entities and third-party providers operate in the EU. While the deadline for implementing new compliance changes is quickly approaching, those affected don’t need to go it alone.
Responsive has taken steps to ensure users are well-prepared for DORA with solutions such as Profile Center and our free DORA template customers can use to save countless hours responding to institutions and third-party vendors affected by DORA, driving greater efficiency throughout the entire process.
Not already using the Responsive platform? Request a demo to see why Responsive is trusted by nearly 2,000 companies globally with industry-leading AI to power bids, questionnaires, and secure trust centers with insight, accuracy, and speed.