Starting January 17, 2025, the Digital Operational Resilience Act (DORA) will require financial entities and their critical information and communication technology (ICT) service providers to comply with enhanced cybersecurity risk management measures. Its goal is to protect the financial sector from ICT disruptions and a new generation of cyber threats.
Scope. DORA applies to financial entities in the EU, such as banks, crypto-asset service providers, trading venues and insurers, and to the ICT third-party service providers designated as critical for them. A provider designated as critical by the European Supervisory Authorities (ESAs) falls under direct EU oversight regardless of where it is located, and a provider established outside the EU must set up a subsidiary in the EU within twelve months of its designation. The first designations are expected in the second half of 2025.
Key requirements. This EU regulation introduces a comprehensive ICT risk management framework covering incident classification and reporting, digital operational resilience testing, third-party risk management, and threat monitoring. For major ICT-related incidents, an initial notification is due within four hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), followed by an intermediate and a final report. Financial entities must also include mandatory contract terms in their arrangements with all ICT service providers (e.g., SaaS, security, data analysis and communication services) so that these providers support the framework. As a result, DORA will affect many organizations servicing financial entities, regardless of their location. A brief overview of the DORA incident reporting timelines (together with those under NIS2 and the Cyber Resilience Act):

Penalties. Non-compliance can result in significant penalties. DORA leaves the sanctions regime for financial entities to the Member States, whose national authorities can enforce through inspections, administrative fines that vary by country (e.g., up to EUR 5 million or 10 percent of total annual turnover), suspension of managerial positions and, where a Member State so provides, criminal sanctions. Critical ICT third-party providers that fail to cooperate with their Lead Overseer can additionally be subject to periodic penalty payments of up to 1 percent of their average daily worldwide turnover.
Next steps. To prepare, financial entities should map their ICT risk management and incident classification and reporting processes against DORA, and review their contracts with ICT providers to ensure they contain the mandatory terms. Service providers should expect customer due-diligence inquiries and contract amendments, and should prepare their own incident notification and audit-support processes so that they can meet the contractual obligations their financial-sector customers will need to pass on.