DORA Explained: What Companies Must Implement

The Digital Operational Resilience Act (DORA) requires financial institutions to systematically strengthen their digital operational resilience. This includes, among other things, ICT risk management, ICT incident reporting, and the management of ICT third-party risks.

With this regulation, the EU aims to ensure that financial institutions and their ICT service providers are able to maintain their critical business processes even in the event of IT disruptions, cyberattacks, or failures of external service providers.

As the business models of financial institutions are heavily dependent on IT-based business processes, IT represents a central risk factor and therefore requires a particularly high level of protection.

The regulation (Regulation (EU) 2022/2554) entered into force on 16 January 2023 and has applied since 17 January 2025. As an EU regulation, DORA applies directly in all Member States and does not require transposition into national law.

Who Is Affected by DORA?

DORA primarily applies to:

  • Financial institutions (e.g. banks, insurance companies, investment firms)
  • Payment service providers
  • Crypto-asset service providers
  • Critical ICT third-party service providers

In addition, DORA also indirectly affects many service providers that deliver ICT services to financial institutions, such as:

  • SaaS providers
  • Data center and cloud service providers
  • Software and application developers
  • Managed service providers

As a result, DORA is not solely a financial-sector regulation, but is relevant to large parts of the ICT ecosystem.

What Does DORA Require in Practice?

DORA establishes a harmonised regulatory framework across five key areas of action.

1. ICT Risk Management

Financial institutions must establish a structured framework for managing ICT risks. This includes the identification, assessment, and mitigation of risks, as well as measures to ensure the continuity of (IT) operations in crisis situations.

Key requirements include:

  • An ICT and digital resilience strategy
  • Protection of critical systems and data
  • Clearly defined roles and responsibilities
  • Documented processes, controls, and measures

2. ICT Incident Reporting

Major ICT-related incidents must be classified according to defined criteria and reported to the competent supervisory authority within short timeframes: an initial notification within four hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report with detailed information within one month of the intermediate report.

Specifically, DORA requires:

  • Detection, classification, and handling of ICT incidents
  • Mandatory reporting to supervisory authorities
  • Traceable documentation and structured lessons-learned management

3. Digital Operational Resilience Testing

Financial institutions must regularly test the resilience of their IT systems, including:

  • Vulnerability assessments
  • Penetration testing
  • Scenario-based and emergency testing

For certain institutions, advanced threat-led penetration testing (TLPT) is mandatory at least every three years, conducted on live production systems against critical or important functions and aligned with the TIBER-EU framework. The determination of which entities are subject to TLPT and how it must be conducted is made by the competent national supervisory authority, such as BaFin in Germany.

4. ICT Third-Party Risk Management

A key focus of DORA is the management of risks arising from the use of ICT third-party service providers. Financial institutions must actively manage their ICT vendors and monitor supply chains and subcontracting arrangements.

This results in requirements such as:

  • A register of information covering all contractual arrangements with ICT third-party service providers, including subcontractors supporting critical or important functions
  • Classification of critical and important ICT services
  • Risk analyses and due-diligence assessments
  • Contractual requirements and audit/control rights
  • Exit and substitution strategies
  • Ongoing monitoring of service providers

5. Information Sharing

DORA promotes the voluntary exchange of information on cyber threats and vulnerabilities among financial institutions in order to strengthen the collective resilience of the financial sector.

What Does DORA Mean for the Organisation?

DORA is not purely an IT issue. Its implementation requires close coordination between:

  • Governance and management
  • Information security (ISMS)
  • Business continuity management (BCM)
  • Outsourcing and contract management
  • Compliance and risk management

Existing structures often need to be reviewed, harmonised, and further developed.

Typical Challenges in DORA Implementation

In practice, organisations frequently face the following challenges:

  • DORA requirements are distributed across multiple organisational units
  • ISMS, BCM, and TPRM processes are insufficiently integrated
  • Contracts with ICT service providers do not meet DORA requirements
  • High documentation effort combined with limited resources

How Can Organisations Implement DORA Pragmatically?

An effective DORA approach should be:

  • Risk-based rather than purely formal
  • Integrated rather than siloed
  • Technology-enabled rather than manual

The key is to translate regulatory requirements into living, controllable, and auditable processes that strengthen both compliance and operational resilience.

Viewing DORA as an Opportunity

When implemented correctly, DORA is not merely a regulatory obligation, but offers tangible benefits:

  • Improved IT resilience
  • Reduced third-party and supply-chain risks
  • Clearer governance structures
  • Greater transparency for management and supervisory authorities

Next Steps

Would you like to learn how to implement DORA efficiently, in an automated and compliant manner with Leno? Get in touch with us.
