
The EU Digital Operational Resilience Act (DORA) Will Mean Significant Changes for Financial Institutions and ICT Providers

The European Commission's legislation aims to create EU-wide laws to ensure the operational resilience of the financial services industry. 

The legislative proposal builds on existing Information and Communications Technology (ICT) risk management requirements established by various EU institutions and combines recent EU initiatives into a single Regulation. DORA entered into force on 16th January 2023 and will apply as of 17th January 2025.

DORA Regulation: What does this mean for organizations?

The DORA proposal was introduced as authorities around the world examined how they could improve the operational resilience of the financial sector and individual enterprises within it. The aim was to establish a consistent approach across Europe, across regulators, as well as within the financial services industry. In turn, this also has an impact on the Fintech-Bank collaboration.

This act places a wide range of Information and Communications Technology (ICT) enterprises that provide products and services to the finance industry under the regulatory authority of the EU. Its wide-ranging requirements have a significant operational impact on many businesses within the technology industry.

These businesses will be overseen by one of the European Supervisory Authorities (ESAs), who would have the authority to request information, perform off-site and on-site inspections, provide recommendations and requests, and, in certain cases, issue fines.

Who is affected by DORA regulation?

ICT companies that are based in the EU or do business with a financial entity within the EU.

Financial Entities Information and Communications Technology (ICT) Service Providers
  • Payment solutions providers
  • Data storage solutions providers
  • Cloud providers / SaaS / Outsourcers
  • Software providers
  • Collaborative tools providers
  • Fraud management providers
  • Information management systems / CRM solutions providers
  • Critical ISV and systems integration providers
  • Penetration testing providers
  • Governance, Risk Management and Compliance (GRC) / Risk management providers


What is the impact?

Financial Entities
  • Financial entities must examine their partners' and third-party suppliers' policies and practices to ensure that they fulfill the new criteria.
  • Financial entities are responsible for ensuring that the ICT suppliers that they use have policies and processes in place to comply with the regulations.

Information and Communications Technology (ICT) Service Providers
  • ICT providers must ensure that all policies and processes in place comply with the new regulations. Auditability is required for these rules and practices.
  • ICT providers will have to collaborate with financial entities to which they supply products and services.
  • ICT providers will be liable for the processes and policies they implement, and will be subject to regulatory oversight.

DORA will have an impact on ALL financial entities and ICT enterprises in the EU that supply products and services to financial entities.

Organizations now need to plan for effective implementation in order to meet the deadline of 17th January 2025, when DORA begins to apply.

DORA's objective is to fortify the IT security of financial entities, encompassing banks, insurance companies, and investment firms. The goal is to ensure that the European financial sector maintains robust resilience in the face of significant operational disruptions.

Operational resilience is a well-established key strategic component in the financial services industry, as well as more broadly across information and communications technology enterprises that provide services to financial services companies.

What are DORA’s Objectives?

The specific objectives of DORA are as follows:

  • Address ICT risks and strengthen digital resilience
  • Improve ICT incident reporting
  • Provide supervisors with access to ICT incident-related information
  • Ensure that preventive and resiliency measures are evaluated
  • Improve the process for testing results to be accepted across borders
  • Govern the monitoring of ICT third-party providers
  • Oversee key third-party ICT providers
  • Exchange threat intelligence.

Prepare For DORA

Operational resilience is not an option for financial institutions and ICT service providers. Although DORA primarily affects the financial industry, these regulations, which are aimed at increasing cyber resilience, have a significant impact on IT roles and tech companies. DORA explicitly states that financial entities must address "any reasonably identifiable" IT risks, including malicious events, that may impact enterprise networks.

Organizations that demonstrate they've taken adequate precautions to address known cyber threats will be more accessible to investors and clients seeking to protect their assets and data. This gives those companies an immediate competitive advantage over those who delay change.

Other countries outside of the EU also need to consider this new regulation. Europe has been a regulation leader in many areas, such as data protection, privacy, and quality. Therefore, DORA also serves as a model for regulation in other regions of the world as digital operational resilience is scrutinized more.

Utimaco products provide compliant, flexible, and innovative cybersecurity solutions to organizations and critical infrastructures, delivering the reliability of an advanced and robust architecture in compliance with DORA's high operational resilience standards.

Take Strategic Action. Explore Utimaco's Critical Event Management solution for safeguarding both individuals and valuable business assets.


