The financial sector is more reliant on technology than ever. But with this digital transformation comes increased exposure to cyber threats, system failures, and IT disruptions. A single cyberattack or technical outage can cause widespread financial instability, impacting banks, insurers, and investment firms.
To address these risks, the European Union introduced the Digital Operational Resilience Act (DORA), a regulatory framework aimed at ensuring the financial sector’s digital stability. Effective January 17, 2025, DORA establishes measures to manage ICT risks, safeguarding the sector’s operations even during digital disruptions.
At Deepki, we have a long-standing commitment to ensuring the resilience of our ICT infrastructure, and we understand the importance of this for our clients. Below, we have broken down what DORA means for us and our clients.
What is the DORA regulation?
In September 2020, the European Commission proposed a regulation on digital operational resilience for the financial sector, commonly referred to as the Digital Operational Resilience Act (DORA), as part of its digital finance strategy. The European Parliament adopted the text on November 10, 2022; the regulation (Regulation (EU) 2022/2554) entered into force on January 16, 2023, and has applied since January 17, 2025. The two-year transition period was designed to give financial entities and their ICT partners sufficient time to meet its requirements.
DORA compels financial institutions to strengthen their digital operational resilience. The regulation defines “digital operational resilience” as “the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.”
DORA introduces new stipulations aimed at strengthening internal resources and the effective management of external partners. The regulation sets out new objectives for companies striving to ensure that their processes, infrastructure, and risk management meet the strict requirements set by the EU. The consequence for our clients, financial institutions operating in the EU, is that they will likely want to review the contractual arrangements they have in place with ICT suppliers.
What does DORA require?
At its core, DORA is about ensuring that financial institutions can operate safely in an era of digital uncertainty. The regulation introduces a comprehensive resilience framework built on five essential pillars:
- ICT risk management: Financial entities must implement a sound ICT risk management framework, as well as an internal governance and control framework to address and mitigate digital risks. This includes up-to-date systems, documentation, and continuity policies.
- ICT-related incident management, classification & reporting: Entities must have processes to detect, manage and log ICT-related incidents; classify them according to criteria such as the number of clients affected, duration, geographical spread, data losses and economic impact; and report major ICT-related incidents to their competent authority. Root cause analysis and follow-up are part of this process.
- Digital operational resilience testing: Financial entities (excluding microenterprises) must establish, maintain, and review a digital operational resilience testing program designed to identify weaknesses, assess preparedness, and implement corrective measures. Entities identified for it must additionally carry out threat-led penetration testing (TLPT) at least every three years.
- ICT third-party risk management: Financial entities must manage ICT third-party risk as an integral part of their ICT risk management framework, and they remain fully responsible for compliance with DORA regardless of any outsourcing arrangement. Third-party risk must be assessed and managed in proportion to the criticality of the service and its potential impact on operations. Contracts with ICT third-party providers must contain the minimum provisions the regulation lists (for example, service descriptions, access and audit rights, incident assistance, and termination rights). Entities must also maintain a register of information on all contractual arrangements with ICT third-party providers and report at least annually to their competent authority on new arrangements.
- Information sharing arrangements: Financial entities are encouraged to share cyber threat intelligence, including indicators of compromise and cybersecurity alerts, with one another to enhance sector-wide resilience. They must report their participation in these information-sharing arrangements to the relevant competent authorities.
Pillars 1 and 4 are likely to be particularly relevant for our clients in working with Deepki.
Who needs to comply with DORA?
DORA applies directly to a wide range of financial entities – including banks, investment firms, payment and e-money institutions, insurers, and credit rating agencies. According to PwC, more than 22,200 financial entities and IT service providers fall within DORA’s scope. If your organization plays any role in financial services, compliance isn’t optional – it’s a necessity.
DORA requires these entities to put specific contractual provisions in place with ICT third-party providers. ICT providers that the European Supervisory Authorities designate as critical to the financial sector are, in addition, subject to a direct Union-level oversight framework.
In this context, Deepki qualifies as an “ICT third-party service provider” within the meaning of the regulation.
What happens if you don’t comply?
DORA isn’t just another regulatory checkbox – it comes with real consequences. Competent authorities can impose administrative penalties and remedial measures on financial entities that fail to comply, and critical ICT third-party providers that do not cooperate with the oversight framework can face periodic penalty payments of up to 1% of their average daily worldwide turnover for each day of non-compliance.
A January 2025 McKinsey report revealed that many financial institutions are still struggling to meet DORA’s requirements, particularly when managing third-party compliance. Smaller ICT providers often lack the resources to implement the necessary security measures, creating compliance gaps that could extend the implementation timeline for financial firms.
Additionally, financial institutions often face a dual challenge. They must comply with DORA not only as service recipients but also as service providers to other institutions. This dual role increases regulatory scrutiny, requiring firms to both enforce compliance among their partners and meet the obligations imposed by their own third-party relationships.
At Deepki, therefore, we understand the importance of our clients analysing their exposure and contracts in place with suppliers. Moreover, we are prepared to guide our clients every step of the way to ensure our relationship stays within the regulatory framework outlined by DORA.
DORA’s global impact: what it means for UK and multinational firms
Although DORA is an EU regulation, its impact extends far beyond the jurisdiction of the European Union.
If your business serves EU financial entities, those clients will need to flow DORA’s contractual and risk-management requirements down to you, even if you have no physical presence in the EU. This is especially relevant for firms involved in cross-border services or supply chains linked to the EU financial sector.
For multinational corporations, navigating multiple regulatory frameworks adds another layer of complexity. Businesses must align their ICT risk management strategies with DORA while adhering to other international standards. This may include:
- Updating contracts with ICT third-party providers, where necessary, so that they contain DORA’s mandatory terms, particularly on risk management and incident reporting.
- Adjusting ICT systems and risk management processes to meet DORA’s requirements, which may require strategic planning and resource investment.
- Keeping up with regulatory changes across multiple jurisdictions to stay ahead of compliance deadlines.
Are you ready for DORA? What to focus on today.
DORA now applies, and both financial institutions and the ICT service providers that serve them, across Europe and beyond, need to treat it as a live obligation rather than a future concern.
Financial institutions that proactively embrace DORA will better manage cyber risks, strengthen customer trust, and maintain operational stability. Instead of viewing compliance as a burden, forward-thinking businesses can leverage DORA as an opportunity to enhance digital security, improve risk management, and gain a competitive edge.
Get in touch with Deepki for more information on DORA
With the evolving regulation of financial institutions, Deepki has analysed and thoroughly considered the impact of DORA’s requirements to promote compliance and reinforce our pre-existing commitment to digital resilience. If you have any questions about how Deepki approaches DORA, or need further information on the steps we’ve taken to help our clients comply, feel free to reach out to us.