Knowledge base Updated: February 5, 2026

DORA Regulation - Everything You Need to Know

The DORA regulation strengthens the digital resilience of the financial sector. Learn what it covers and what requirements it introduces.

The DORA regulation (Digital Operational Resilience Act) is an EU regulation concerning the digital resilience of financial institutions. It aims to ensure operational stability in the face of digital threats through ICT risk management, incident reporting, and system testing. It also covers ICT service providers, such as cloud computing. The regulation harmonizes cybersecurity standards across the European Union.

What is the DORA regulation?

The DORA regulation (Digital Operational Resilience Act) is a groundbreaking legal act of the European Union, aimed at strengthening the digital operational resilience of the financial sector. It constitutes a response to growing cyber threats and the increasing dependence of financial institutions on information and communication technologies (ICT).

DORA introduces comprehensive regulatory frameworks that include ICT risk management, incident reporting, digital resilience testing, and oversight of ICT service providers. This regulation is crucial for ensuring the stability and security of the European financial system in the digital age.

The main goal of DORA is to unify and strengthen cybersecurity requirements across the entire EU financial sector. The regulation fills gaps in existing regulations and creates a coherent approach to digital risk management for all financial institutions.

DORA introduces the concept of “digital operational resilience,” defining it as the ability of a financial institution to build, ensure, and review its operational integrity from a technological perspective. This means that institutions must be able to prevent, withstand, and quickly recover from ICT disruptions.

This regulation is part of the EU’s broader digital finance strategy, which aims to create an innovative and competitive financial sector while ensuring a high level of consumer protection and financial stability.

DORA imposes on financial institutions the obligation to implement advanced ICT risk management systems, regularly test digital resilience, and report serious ICT-related incidents. It also introduces oversight of critical ICT service providers for the financial sector.

It’s worth emphasizing that DORA is not an isolated legal act but works in conjunction with other EU regulations, such as GDPR, NIS2, or PSD2, creating comprehensive frameworks for cybersecurity and digital resilience in Europe.

In summary, DORA is a fundamental change in the approach to cybersecurity in the EU financial sector. This regulation requires financial institutions to make significant investments in technologies, processes, and people, but in the long term, it aims to ensure greater resilience and stability of the European financial system in the face of growing cyber threats.


What are the main objectives of DORA?

The DORA regulation (Digital Operational Resilience Act) was developed with several key objectives in mind that are fundamental to strengthening the digital operational resilience of the financial sector in the European Union. Here are the main objectives of DORA:

  • Enhancing the digital resilience of the financial sector: The primary objective of DORA is to strengthen the ability of financial institutions to resist, respond to, and recover from cyberattacks and other ICT disruptions. The regulation aims to create a more resilient financial ecosystem that can survive and function even in the face of serious cyber incidents.

  • Harmonization of regulations in the EU: DORA aims to unify requirements for cybersecurity and digital resilience across the European Union. By introducing consistent standards, the regulation eliminates regulatory fragmentation and creates a level playing field for all financial institutions operating in the EU.

  • Strengthening ICT risk management: The regulation places great emphasis on improving ICT risk management processes. DORA requires financial institutions to implement comprehensive ICT risk management frameworks, covering identification, assessment, mitigation, and monitoring of cyber threats.

  • Improving incident reporting: One of DORA’s key objectives is to streamline the process of reporting and analyzing ICT-related incidents. The regulation introduces uniform reporting requirements, which should contribute to a better understanding of threats and faster response to incidents across the entire sector.

  • Strengthening digital resilience testing: DORA emphasizes regular and rigorous testing of financial institutions’ ICT systems. The goal is to identify weaknesses and security gaps before they are exploited by attackers.

  • Oversight of ICT service providers: The regulation introduces new oversight frameworks for critical ICT service providers for the financial sector. The goal is to reduce risks associated with outsourcing and ensure that external providers meet high security standards.

  • Increasing awareness and competence: DORA aims to raise the level of awareness and competence in cybersecurity among financial sector employees, from rank-and-file employees to top management.

  • Promoting innovation while maintaining security: The regulation seeks to create an environment that supports innovation in the financial sector while ensuring a high level of security and digital resilience.

  • Strengthening trust in the financial system: By improving cybersecurity and digital resilience, DORA aims to increase consumer and investor confidence in the European financial system.

  • Protecting financial stability: The ultimate goal of DORA is to protect the financial stability of the EU by reducing systemic risk associated with cyber incidents in the financial sector.

Achieving these goals requires significant investment and changes in the operational practices of financial institutions. However, in the long term, DORA should contribute to creating a more resilient, secure, and innovative financial sector in the European Union.

Who does the DORA regulation cover?

The DORA regulation (Digital Operational Resilience Act) has a broad scope of application, covering a significant part of the financial sector in the European Union. Its provisions apply to various entities, from traditional financial institutions to modern technology companies providing services to the financial sector. Here is a detailed overview of entities covered by DORA:

  • Credit institutions: Banks and other institutions accepting deposits and granting loans are at the center of DORA’s scope. This includes both large commercial banks and smaller cooperative banks or savings banks.

  • Investment firms: Entities providing investment services, such as portfolio management, investment advice, or order execution, are covered by DORA regulations.

  • Insurance and reinsurance undertakings: Companies offering insurance and reinsurance products must adapt to DORA requirements for cybersecurity and digital resilience.

  • Payment institutions: Entities providing payment services, including payment system operators and payment initiation service providers, are covered by the regulation.

  • Electronic money institutions: Companies issuing and managing electronic money must meet DORA requirements.

  • Exchanges and trading platforms: Operators of regulated markets, multilateral trading facilities (MTFs), and organized trading facilities (OTFs) are covered by the regulation.

  • Central counterparties (CCPs) and central securities depositories (CSDs): Entities that clear and settle transactions on financial markets must adapt to DORA.

  • Trade repositories: Institutions collecting and storing data on transactions in financial markets are covered by the regulation.

  • Asset managers: Companies managing investment funds, including alternative investment funds (AIFs) and undertakings for collective investment in transferable securities (UCITS), must meet DORA requirements.

  • Crypto-asset service providers: With the growing importance of cryptocurrencies, entities providing services in this area are also covered by the regulation.

  • Crowdfunding service providers: Platforms enabling crowdfunding must adapt to DORA requirements.

  • Rating agencies: Companies engaged in credit rating are covered by the regulation.

  • ICT third-party service providers: DORA reaches all ICT providers indirectly, through mandatory contractual requirements and the register of information that financial entities must keep, and introduces direct EU-level oversight of providers designated as critical for the financial sector, such as cloud service providers or data processing companies.

  • Financial market infrastructure operators: Entities managing key infrastructure of financial markets, such as clearing and settlement systems, are covered by DORA.

It’s worth emphasizing that DORA applies the principle of proportionality, meaning that requirements can be adapted to the size, risk profile, and systemic significance of a given institution. Nevertheless, all listed entities must implement appropriate measures to ensure compliance with the regulation.

The broad subject scope of DORA reflects the EU’s comprehensive approach to cybersecurity in the financial sector, recognizing the interconnections and dependencies in the modern financial ecosystem.

When does the DORA regulation come into force?

The DORA regulation (Digital Operational Resilience Act) entered into force on January 16, 2023, 20 days after its publication in the Official Journal of the European Union. However, entry into force does not mean the immediate obligation to apply all its provisions. The DORA implementation process is spread over time to enable financial institutions and supervisory authorities to properly prepare for the new requirements.

Key dates related to DORA implementation:

  • January 16, 2023 - official entry into force of the DORA regulation.

  • January 17, 2025 - the date from which DORA applies. From this day, financial institutions and other entities covered by the regulation must comply with its requirements.

  • January 17 and July 17, 2024 - the deadlines set in DORA for the European Supervisory Authorities (EBA, ESMA, EIOPA) to submit the two batches of draft regulatory and implementing technical standards that detail its requirements, such as the ICT risk management framework, incident classification and reporting, and the register of information on ICT third-party arrangements.

  • By January 17, 2026 - the European Commission is to report to the European Parliament and the Council on whether statutory auditors and audit firms should be brought within the scope of DORA. The broader review of how DORA has been applied, together with any proposals for amendments, is due by January 17, 2028.

DORA has applied in full since January 17, 2025, so entities in scope are now expected to be compliant and to be able to demonstrate it to their supervisors on request. Organizations that have not finished adapting should close the remaining gaps without delay; doing so can be time-consuming and require significant investment in IT infrastructure, security systems, processes, and employee training.

For many organizations, it will be crucial to conduct a detailed gap analysis between current practices and DORA requirements. Based on this, a comprehensive implementation plan should be developed, which should include:

  • Updating ICT risk management policies and procedures.

  • Implementing or improving incident monitoring and reporting systems.

  • Developing digital resilience testing programs.

  • Reviewing and updating contracts with ICT service providers.

  • Training for employees and management.

Financial supervisory authorities in individual EU countries are also preparing for DORA implementation, developing guidelines and tools for supervised entities. Financial institutions should follow communications and recommendations from their supervisory authorities to ensure compliance with local interpretations of DORA.

In summary, DORA entered into force in January 2023 and has applied since January 17, 2025. The two-year transition period was intended for entities to familiarize themselves with the requirements, conduct the necessary analyses, and implement the required changes; since January 2025, supervisory authorities can verify compliance.

It’s also worth noting that DORA is part of the EU’s broader digital finance strategy. Therefore, financial institutions should consider implementing DORA in the context of other related regulations, such as MiCA (Markets in Crypto-assets Regulation) or DLT Pilot Regime, which also impact the digital transformation of the financial sector.

For many organizations, especially smaller or less technologically advanced ones, meeting DORA requirements is a significant challenge. Institutions that are behind should prioritize the remaining work and consider using external experts or consulting firms specializing in cybersecurity and regulatory compliance.

It should also be remembered that DORA is not a static legal act. Mechanisms for its regular review and updating have been provided to ensure that the regulation remains adequate to the changing landscape of cyber threats. This means that financial institutions must be prepared for continuous adaptation of their practices and systems in response to evolving regulatory requirements.

Compliance with DORA is therefore not a one-off project. Effective implementation not only ensures regulatory compliance but also increases the overall digital resilience of the organization, which is crucial in the face of growing cyber threats in the financial sector.

What are the key pillars of DORA?

The DORA regulation (Digital Operational Resilience Act) is based on five key pillars that create comprehensive frameworks for ensuring digital operational resilience in the financial sector. Each of these pillars addresses a key aspect of cybersecurity and digital resilience, creating a coherent and comprehensive approach to ICT risk management.

  • ICT risk management: This pillar focuses on establishing solid frameworks for managing risk related to information and communication technologies. DORA requires financial institutions to implement comprehensive processes for identifying, assessing, mitigating, and monitoring ICT risk. Key elements include:
      • Developing and implementing an ICT risk management strategy
      • Regular risk assessments
      • Establishing clear roles and responsibilities for ICT risk management
      • Ensuring that the management body is engaged in, and accountable for, ICT risk management

  • ICT-related incident management and reporting: DORA introduces unified requirements for classifying ICT-related incidents and reporting major ones. This pillar aims to improve transparency and enable faster response to threats across the entire sector. Key aspects include:
      • Establishing clear incident classification criteria
      • Defining deadlines and procedures for reporting incidents
      • Introducing mechanisms for threat information exchange between institutions
      • Ensuring effective communication with supervisory authorities and other stakeholders

  • Digital operational resilience testing: This pillar focuses on regular testing of ICT systems to identify weaknesses and security gaps. DORA requires a testing program that includes, among others:
      • Vulnerability assessments and penetration tests
      • Threat-led penetration testing (TLPT) for entities designated by their supervisor, at least every three years
      • Scenario-based business continuity tests
      • Disaster recovery plan tests

  • ICT third-party risk management: Recognizing the growing dependence of financial institutions on external ICT service providers, DORA introduces detailed requirements for supply chain risk management. Key elements include:
      • Conducting due diligence on ICT service providers
      • Establishing clear security requirements in contracts with providers
      • Monitoring and auditing providers
      • Developing exit strategies for ICT services supporting critical or important functions

  • Information sharing and cooperation: This pillar aims to promote the exchange of cyber threat information and best practices between financial institutions, supervisory authorities, and other stakeholders. Key aspects include:
      • Establishing secure information exchange mechanisms
      • Participating in sector-level cybersecurity exercises
      • Cooperating with law enforcement and other institutions in combating cybercrime
      • Sharing knowledge and experience within the financial sector

Each of these pillars is equally important and mutually complementary, creating a comprehensive approach to cybersecurity and digital resilience. DORA requires financial institutions to take an integrated approach that covers all these areas.

Implementation of these pillars requires significant investments in technologies, processes, and people. However, in the long term, it should lead to creating a more resilient and secure financial sector in the European Union, capable of effectively countering growing cyber threats.

What requirements does DORA set for ICT risk management?

The DORA regulation (Digital Operational Resilience Act) introduces comprehensive and rigorous requirements for ICT risk management for financial institutions. These requirements aim to ensure that organizations can effectively identify, assess, mitigate, and monitor risks associated with information and communication technologies. Here is a detailed overview of key DORA requirements in this area:

  • Establishing an ICT risk management framework: DORA requires financial institutions to develop and implement a comprehensive ICT risk management framework that is integrated with the organization's overall risk management system and reviewed at least once a year. The framework should include:
      • Clearly defined roles and responsibilities
      • ICT risk management policies and procedures
      • A risk assessment methodology
      • Risk mitigation plans
      • Monitoring and reporting mechanisms

  • Management body engagement: DORA makes the management body ultimately responsible for ICT risk management. Requirements include:
      • Regular review and approval of the ICT risk management strategy by the management body
      • Ensuring adequate resources for ICT risk management
      • Maintaining sufficient knowledge of ICT risk at management level and promoting a risk awareness culture in the organization

  • Regular risk assessments: Financial institutions must conduct systematic ICT risk assessments, which include:
      • Identifying critical or important functions, processes, and assets
      • Assessing vulnerabilities and threats
      • Analyzing the potential impact of ICT incidents
      • Determining risk tolerance

  • Protection and prevention measures: DORA requires implementation of appropriate technical and organizational measures to prevent and minimize the impact of ICT incidents. This includes:
      • Implementing appropriate security systems
      • Vulnerability management and patching
      • Access control and identity management
      • Protection against malware

  • Threat detection: Institutions must implement mechanisms enabling rapid detection of anomalies and potential security incidents, including:
      • Security monitoring systems
      • Intrusion detection and prevention solutions (IDS/IPS)
      • Log and security event analysis

  • Business continuity and disaster recovery plans: DORA requires development, implementation, and regular testing of business continuity and disaster recovery plans, which include:
      • Scenarios for different types of ICT incidents
      • Escalation and communication procedures
      • Alternative solutions for critical systems and processes

  • Incident management: Institutions must establish effective ICT incident management processes, including:
      • Incident classification and prioritization procedures
      • Incident response protocols
      • Post-incident reporting and analysis mechanisms

  • Digital resilience testing: DORA requires regular testing of the effectiveness of ICT risk management measures through:
      • Penetration tests
      • Threat-led penetration testing
      • Simulation exercises

  • Third-party risk management: Institutions must implement processes for managing risks associated with ICT service providers, including:
      • Provider due diligence
      • Provider monitoring and auditing
      • Contract and SLA management

  • Reporting and transparency: DORA requires financial institutions to document the annual review of the ICT risk management framework and to submit the report to the competent authority on request, together with information such as:
      • ICT risk indicators
      • Results of risk assessments and resilience tests
      • Information on major incidents

Implementation of these requirements requires financial institutions to take a comprehensive approach to ICT risk management that integrates technical, organizational, and human aspects. DORA sets the bar high, but at the same time aims to create a more resilient and secure financial sector in the EU.

How does DORA regulate ICT-related incident management?

The DORA regulation introduces a comprehensive and unified approach to managing ICT-related incidents in the financial sector of the European Union. These provisions aim to ensure rapid detection, effective response, and accurate reporting of incidents, which is crucial for minimizing their impact and preventing the spread of threats across the entire sector.

  • Definition of ICT-related incident: DORA defines an ICT-related incident as a single event, or a series of linked events, unplanned by the financial entity that compromises the security of its network and information systems and has an adverse impact on the availability, authenticity, integrity, or confidentiality of data or on the services the entity provides. This covers a wide range of events, from cyberattacks to hardware failures and human errors.

  • Incident classification: The regulation requires financial institutions to classify incidents, taking into account their potential impact on:
      • Continuity of financial service provision
      • Data integrity and confidentiality
      • The institution's reputation
      • Financial stability

  • Incident reporting obligation: DORA introduces uniform requirements for reporting major ICT-related incidents to the competent supervisory authority. Key aspects include:
      • An initial notification no later than 24 hours after the institution becomes aware of the incident
      • An intermediate report with updates while the incident is being handled
      • A final report once the root cause analysis is complete
      • Optionally, voluntary notification of significant cyber threats

  • Criteria for classifying major incidents: The regulation defines criteria that help financial institutions identify major incidents subject to the reporting obligation. These include, among others:
      • Number of affected clients or counterparties
      • Incident duration and service downtime
      • Geographic scope
      • Data losses and the criticality of the affected services
      • Economic impact

  • Incident management processes: DORA requires financial institutions to implement comprehensive incident management processes, covering: • Detection and identification of incidents • Response and mitigation of effects • Restoration of normal functioning • Post-incident analysis and lessons learned

  • Business continuity plans: The regulation emphasizes developing and regularly testing business continuity and disaster recovery plans that account for various ICT incident scenarios. These plans should include: • Escalation and decision-making procedures • Internal and external communication strategies • Alternative solutions for critical systems and processes

  • Threat information exchange: DORA promotes the exchange of information about threats and incidents between financial institutions and supervisory authorities. The goal is faster detection and response to new threats across the entire sector.

  • Incident resilience testing: The regulation requires regular testing of the organization’s ability to detect, respond to, and recover from ICT incidents. This includes: • Incident simulations • Business continuity plan tests • Incident response exercises

  • Reporting to supervisory authorities: DORA introduces unified formats and procedures for reporting incidents to relevant supervisory authorities. This aims to ensure consistency and comparability of incident information across the entire EU.

  • Root cause analysis: Financial institutions are required to conduct detailed root cause analyses of serious incidents. The results of these analyses must be incorporated into the continuous improvement process of security systems and processes.

  • Communication with customers and stakeholders: DORA specifies requirements for communicating about incidents with customers, counterparties, and other stakeholders. The goal is to ensure transparency and build trust in the financial sector.

  • Penalties for non-compliance: DORA requires Member States to provide for effective, proportionate, and dissuasive penalties for violating obligations related to incident management and reporting, which is intended to motivate institutions to treat these issues with the utmost seriousness.

  • Role of supervisory authorities: DORA grants supervisory authorities broad powers to monitor and assess the ability of financial institutions to manage ICT incidents. This includes the right to conduct inspections and request additional information.

  • Continuous improvement: The regulation requires financial institutions to continuously improve incident management processes based on experiences from past events and the changing threat landscape.

In summary, DORA introduces a comprehensive and rigorous approach to managing ICT incidents in the EU financial sector. These regulations aim not only to effectively respond to individual incidents but also to build the overall digital resilience of the entire sector. This requires financial institutions to make significant investments in technologies, processes, and people, but in the long term, it should ensure greater stability and security of the European financial system in the face of growing cyber threats.

What does DORA say about digital operational resilience testing?

The DORA regulation attaches great importance to testing digital operational resilience, recognizing it as a key element in building and maintaining effective defense against cyber threats. DORA introduces comprehensive testing requirements aimed at ensuring that financial institutions can effectively detect, respond to, and recover from ICT incidents.

  • Comprehensive testing program: DORA requires financial institutions to develop and implement a comprehensive digital operational resilience testing program. This program should include various types of tests, tailored to the organization’s risk profile.

  • Penetration tests: The regulation emphasizes regular penetration testing that simulates techniques and procedures used by real attackers. These tests aim to identify security gaps before they are exploited by cybercriminals.

  • Threat-Led Penetration Testing (TLPT): DORA requires financial entities designated by their supervisor to conduct TLPT at least every three years, in line with the TIBER-EU framework, on live production systems supporting critical or important functions. These tests are based on current threat intelligence and simulate the tactics, techniques, and procedures of real attacking groups.

  • Business continuity plan tests: The regulation requires regular testing of business continuity and disaster recovery plans. These tests should cover various ICT incident scenarios and verify the organization’s ability to maintain or quickly restore critical functions.

  • Security control tests: DORA requires regular testing of the effectiveness of implemented security controls, including threat detection, protection, and response mechanisms.

  • Scenario resilience tests: The regulation promotes conducting scenario-based tests that simulate different types of ICT incidents. These tests aim to assess the organization’s ability to respond to complex and evolving threats.

  • Test frequency: DORA specifies minimum frequencies for conducting different types of tests. For the most critical systems and functions, tests should be conducted at least once a year.

  • Independence of testing: The regulation emphasizes the importance of independence in the testing process. TLPT is by default carried out by qualified external testers; internal testers may be used only under conditions set in DORA, including periodic use of external testers, and significant credit institutions must use external testers.

  • Test scope: DORA requires that tests cover not only ICT systems and infrastructure but also processes, personnel, and organization. The goal is a holistic assessment of digital resilience.

  • Reporting test results: Financial institutions are required to document test results in detail and report them to supervisory authorities. Reports should contain identified weaknesses and plans for their remediation.

  • Remedial plans: Based on test results, organizations must develop and implement remedial plans addressing identified gaps and weaknesses.

  • Cross-sector cooperation: DORA encourages conducting cross-sector tests that simulate scenarios involving multiple financial institutions simultaneously.

  • Data protection in the testing process: The regulation emphasizes the need to ensure protection of personal data and confidential information during testing.

  • Continuous improvement: DORA requires that testing programs be regularly reviewed and updated based on the changing threat landscape and results of previous tests.

  • Regulatory oversight: Supervisory authorities have the right to verify the testing programs of financial institutions and may require additional tests to be conducted if significant weaknesses are identified.

In summary, DORA treats digital operational resilience testing as a key element in building security in the financial sector. These requirements aim not only to identify weaknesses but also to continuously improve the defensive capabilities of financial institutions. Implementation of these requirements requires significant investment and commitment from organizations but is necessary to ensure long-term resilience to increasingly advanced cyber threats.

How does DORA approach third-party risk management?

The DORA regulation attaches particular importance to managing risks associated with ICT service providers and other third parties. It recognizes that in today’s complex financial ecosystem, the security and operational resilience of financial institutions largely depend on their suppliers and partners. Here are the key aspects of DORA’s approach to third-party risk management:

  • Comprehensive risk management strategy: DORA requires financial institutions to develop and implement a comprehensive strategy for managing risks associated with ICT service providers. This strategy should be integrated with the organization’s overall risk management system.

  • Provider due diligence: Before establishing cooperation with an ICT service provider, financial institutions must conduct detailed due diligence. This includes assessing the provider’s ability to ensure security and continuity of provided services.

  • Provider classification: DORA requires categorization of ICT service providers based on their criticality to the financial institution’s operations. Providers of critical services are subject to particularly rigorous requirements and oversight.

  • Contracts with providers: The regulation specifies minimum requirements that must be included in contracts with ICT service providers. These include, among others, service levels (SLAs), security requirements, audit rights, and business continuity plans.

  • Monitoring and oversight: Financial institutions are required to continuously monitor the performance and security of services provided by suppliers, to maintain a register of information on all contractual arrangements with ICT third-party providers, and to carry out regular reviews and risk assessments of those providers.

  • Right to audit: DORA requires contracts with ICT service providers to grant the financial institution, and its supervisors, rights of access, inspection, and audit. This applies to both on-site and remote audits.

  • Exit plans: The regulation requires developing exit plans for critical ICT services. These plans should enable financial institutions to smoothly transfer services to another provider or take them over internally if necessary.

  • Managing risk concentration: DORA draws attention to the risk associated with concentration of services with one provider or in one geographic region. Financial institutions must assess and manage this risk.

  • Incident reporting: ICT service providers are required to promptly inform financial institutions about any incidents that may impact provided services.

  • Resilience testing: DORA requires that digital resilience tests also include scenarios related to failures or incidents at key ICT service providers.

  • Oversight of critical providers: The regulation introduces a new oversight mechanism for providers of critical ICT services for the financial sector. These providers may be subject to direct oversight by European supervisory authorities.

  • Supply chain: DORA requires financial institutions to assess and manage risks associated with the entire ICT supply chain, including subcontractors of key providers.

  • Continuous improvement: The regulation promotes continuous improvement of third-party risk management processes based on experience and the changing threat landscape.

  • Information exchange: DORA encourages the exchange of information about threats and incidents related to ICT service providers between financial institutions and supervisory authorities.

  • Management responsibility: The regulation emphasizes the responsibility of the board and senior management for overseeing third-party risk management.

In summary, DORA introduces a comprehensive and rigorous approach to third-party risk management in the financial sector. It recognizes that ICT supply chain security is crucial for the overall digital resilience of the financial sector. These requirements aim not only to minimize risks associated with outsourcing ICT services but also to build a more resilient and transparent financial ecosystem in the EU.
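Of all the points above, concentration risk and supply-chain (subcontractor) risk are the ones most often under-measured, because a provider that holds only one direct contract can still sit underneath most of an institution's critical functions as a subcontractor. The following Python script is an added example, not part of this article and not a DORA template or supervisory tool: it walks a register of ICT arrangements through each provider's subcontractors, reports how many critical functions ultimately depend on each provider, and computes a Herfindahl-Hirschman index (HHI) for provider and regional concentration. The register layout, the provider names, the regions, and the 50% flag threshold are all constructed assumptions for illustration.

```python
"""Concentration-risk check over a register of ICT third-party arrangements.

Added example, not part of the article or of any DORA template: the register
layout, provider names, regions and the 50% threshold are constructed
assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Arrangement:
    function: str               # business function the service supports
    critical: bool              # True if it is a critical or important function
    provider: str               # directly contracted ICT service provider
    region: str                 # where the service is operated / data is hosted
    subcontractors: tuple = ()  # providers the direct provider itself relies on


# Constructed sample register (assumption, not real data). CloudA is contracted
# directly for only one critical function but sits underneath three others as a
# subcontractor: that is the hidden concentration the supply-chain requirement
# is meant to surface.
REGISTER = [
    Arrangement("core-banking", True, "CoreSoft", "EU", ("CloudA",)),
    Arrangement("payments", True, "PayGate", "EU", ("CloudA",)),
    Arrangement("kyc-screening", True, "IdentCo", "US", ("CloudA", "DataB")),
    Arrangement("customer-portal", True, "CloudA", "EU"),
    Arrangement("hr-system", False, "PeopleHub", "EU", ("CloudC",)),
    Arrangement("email", False, "CloudC", "EU"),
]


def critical_functions(register):
    """Names of the functions flagged as critical or important."""
    return {a.function for a in register if a.critical}


def exposure_by_provider(register, critical_only=True):
    """Map every provider in the chain (direct or subcontracted) to the
    functions that depend on it, i.e. the transitive supply-chain exposure."""
    exposure = defaultdict(set)
    for a in register:
        if critical_only and not a.critical:
            continue
        for provider in (a.provider, *a.subcontractors):
            exposure[provider].add(a.function)
    return dict(exposure)


def hhi(counts):
    """Herfindahl-Hirschman index of a name -> count mapping on the usual
    0..10000 scale (10000 means everything sits with a single name)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum((100.0 * c / total) ** 2 for c in counts.values())


def direct_provider_hhi(register):
    """Concentration of critical functions across directly contracted providers."""
    counts = defaultdict(int)
    for a in register:
        if a.critical:
            counts[a.provider] += 1
    return hhi(counts)


def region_hhi(register):
    """Geographic concentration of critical functions."""
    counts = defaultdict(int)
    for a in register:
        if a.critical:
            counts[a.region] += 1
    return hhi(counts)


def concentration_findings(register, threshold=0.5):
    """Providers on which at least `threshold` of the critical functions depend,
    directly or through subcontracting. Each finding is
    (provider, fraction_of_critical_functions, direct_contracts, total_functions),
    sorted by exposure; a large gap between the last two numbers means the
    dependency is mostly hidden in the supply chain."""
    n = len(critical_functions(register))
    direct = defaultdict(set)
    for a in register:
        if a.critical:
            direct[a.provider].add(a.function)
    findings = []
    for provider, funcs in exposure_by_provider(register).items():
        fraction = len(funcs) / n
        if fraction >= threshold:
            findings.append((provider, fraction, len(direct[provider]), len(funcs)))
    findings.sort(key=lambda f: (-f[1], f[0]))
    return findings


if __name__ == "__main__":
    print("direct-provider HHI:", direct_provider_hhi(REGISTER))
    print("region HHI:", region_hhi(REGISTER))
    for provider, fraction, direct_n, total_n in concentration_findings(REGISTER):
        print(f"{provider}: {fraction:.0%} of critical functions "
              f"({direct_n} direct contract(s), {total_n} via the chain)")
```

Run as-is, the script flags CloudA as underlying all four critical functions despite holding only one direct contract, while the direct-provider HHI alone (four providers with one contract each) would suggest no concentration at all. In a real deployment the register would be loaded from the institution's register of information on contractual arrangements rather than hard-coded, and the flag threshold would be set by the institution's own risk appetite.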

What penalties are there for non-compliance with DORA?

DORA does not set out a single EU-wide schedule of fines. Instead, it requires each member state to lay down administrative penalties and remedial measures for infringements that are effective, proportionate, and dissuasive, equips national competent authorities with supervisory, investigatory, and sanctioning powers, and gives the Lead Overseer direct enforcement powers over critical ICT third-party providers. Here are the key aspects of the penalty system built around DORA:

  • Types of penalties: DORA obliges competent authorities to have, at a minimum, the power to access any document or data they consider relevant, to carry out on-site inspections and investigations, and to require corrective and remedial measures. The penalties themselves are defined by national law and, following the pattern of other EU financial regulation, typically include:
    • Financial penalties: Amounts depend on the size of the institution and the severity of the violation.
    • Administrative orders: Requiring cessation of certain practices or implementation of specific remedial measures.
    • Public warnings: Identifying the institution and the nature of the violation.
    • Temporary or permanent bans: Relating to holding managerial positions in financial institutions for persons responsible for serious violations.

  • Amount of financial penalties: DORA itself does not fix maximum fines for financial institutions; the ceilings are set in each member state's implementing law and therefore differ between jurisdictions. The figures of EUR 10,000,000 or 2% of annual turnover and EUR 20,000,000 or 4% of annual turnover that are often quoted in this context are the GDPR's penalty tiers (Article 83 GDPR), not DORA's. The one amount DORA does specify applies to critical ICT third-party providers: the Lead Overseer may impose a periodic penalty payment of up to 1% of the provider's average daily worldwide turnover in the preceding business year for each day of non-compliance, for a maximum of six months.

  • Criteria for determining penalties: When determining the type and amount of penalties, supervisory authorities take into account a number of factors, including:
    • Materiality, gravity, and duration of the violation
    • Degree of responsibility of the institution or individual
    • Financial strength of the institution
    • Profits gained or losses avoided through the violation
    • Losses caused to third parties by the violation
    • Level of cooperation with supervisory authorities
    • Previous violations committed by the institution
    • Measures taken to prevent recurrence of the violation

  • Personal liability: DORA allows penalties to be imposed not only on financial institutions but also, where national law so provides, on members of the management body and other individuals responsible for the violation.

  • Publication of penalties: Supervisory authorities are required to publish decisions imposing administrative penalties on their websites without undue delay, including the type and nature of the violation and the identity of the person responsible. Publication may be delayed or anonymized where it would be disproportionate, jeopardize financial stability, or compromise an ongoing investigation. The aim is to strengthen the deterrent effect and increase transparency.

  • Right of appeal: DORA guarantees the right to an effective remedy against a decision to impose a penalty before an independent and impartial court.

  • Cooperation between supervisory authorities: The regulation promotes cooperation between supervisory authorities of different member states in imposing and enforcing penalties, especially in the case of cross-border institutions.

  • Penalties for incorrect reporting: Reporting obligations are enforceable like any other DORA requirement, so failing to report a major ICT-related incident, reporting it late, or submitting incomplete initial, intermediate, or final reports is itself an infringement that can attract penalties.

  • Proportionality of penalties: DORA emphasizes that penalties should be proportionate to the size of the institution and the potential impact of the violation on financial stability.

  • Incentives for voluntary disclosure: DORA does not contain a formal leniency scheme, but the level of cooperation with the supervisory authority is an explicit factor in setting penalties, so self-reporting a violation and remediating it promptly can reduce the sanction.

  • Periodic financial penalties: For critical ICT third-party providers, the Lead Overseer can impose daily periodic penalty payments to compel compliance with its recommendations. For financial institutions, whether comparable periodic penalties are available to enforce administrative orders depends on the national penalty regime.

  • Reputational impact: Beyond direct financial penalties, DORA violations can have a serious impact on the reputation of financial institutions, which can lead to loss of customer and business partner trust.

In summary, the penalty framework built around DORA is comprehensive and strict, even though the concrete fine levels for financial institutions are set nationally rather than in the regulation itself. It aims to ensure that financial institutions treat cybersecurity and digital resilience with the utmost seriousness. Potentially high financial penalties, combined with the possibility of personal penalties on management and public disclosure of sanctions, provide a strong incentive to comply with the regulation's provisions. At the same time, the statutory criteria for setting penalties allow them to be adapted to the specifics of each case, ensuring a fair and proportionate approach to enforcement.

How to prepare for DORA implementation?

Preparation for DORA implementation requires a comprehensive approach and engagement of the entire organization. Here are the key steps that financial institutions should take to effectively prepare for meeting DORA requirements:

  • Gap analysis:
    • Conduct a detailed analysis of the current state of cybersecurity and digital resilience in the organization.
    • Compare existing practices with DORA requirements, identifying areas requiring improvement.
    • Assess the organization’s readiness in terms of ICT risk management, incident reporting, resilience testing, and ICT service provider management.

  • Development of implementation strategy:
    • Based on the gap analysis, create a comprehensive strategy for adapting to DORA requirements.
    • Set priorities for actions, taking into account the criticality of systems and processes; since the regulation already applies, gaps affecting critical or important functions come first.
    • Determine the necessary resources (financial, human, technological) needed to implement the strategy.

  • Updating policies and procedures:
    • Review and update existing policies and procedures related to cybersecurity and operational resilience.
    • Develop new policies where necessary to meet specific DORA requirements.
    • Ensure that policies are understandable, accessible, and regularly updated.

  • Strengthening ICT risk management:
    • Improve processes for identifying, assessing, and mitigating ICT risks.
    • Implement or update risk monitoring and reporting systems.
    • Ensure top management engagement in ICT risk management.

  • Streamlining incident management processes:
    • Adapt processes for detecting, classifying, and reporting incidents to DORA requirements, including the classification of major ICT-related incidents.
    • Implement systems enabling the initial notification, intermediate report, and final report on major incidents to be submitted to the competent authority within the required deadlines.
    • Conduct training for personnel on the new incident management procedures.

  • Expanding the digital resilience testing program:
    • Develop a comprehensive testing program, including penetration tests, threat-led penetration testing (TLPT, which entities designated by their competent authority must carry out at least every three years), and business continuity plan tests.
    • Plan regular testing and analysis of the results.
    • Ensure that test results are used for continuous improvement of systems and processes.

  • Strengthening oversight of ICT service providers:
    • Build and maintain the register of information on all contractual arrangements with ICT service providers, distinguishing those that support critical or important functions.
    • Review and update contracts with ICT service providers, taking into account DORA requirements such as audit rights, security requirements, and termination provisions.
    • Implement processes for regular assessment and monitoring of providers, including concentration and subcontracting risk.
    • Develop exit plans for ICT services supporting critical or important functions.

  • Investments in technologies and infrastructure:
    • Identify and implement the technological solutions needed to support DORA compliance (e.g., SIEM systems, risk management tools).
    • Strengthen security infrastructure, taking into account the latest trends and threats.

  • Development of competencies and awareness:
    • Conduct training for employees at all levels of the organization on DORA requirements and cybersecurity.
    • Develop the competencies of IT and security teams in areas key to DORA.
    • Build a culture of cybersecurity awareness throughout the organization.

  • Establishing reporting and oversight mechanisms:
    • Implement systems enabling regular reporting on the state of cybersecurity to the board and supervisory authorities.
    • Establish internal mechanisms for overseeing DORA compliance.

  • Cooperation with supervisory authorities and industry partners:
    • Establish an active dialogue with supervisory authorities to understand their expectations and interpretations of DORA requirements.
    • Participate in industry initiatives and threat information exchange forums.

  • Conducting compliance audits:
    • DORA has applied since 17 January 2025, so readiness is no longer a future question; run internal compliance audits against the requirements now in force.
    • Consider engaging external experts to assess the organization’s position.

  • Planning continuous improvement:
    • Establish processes for regular review and updating of cybersecurity practices in response to changing threats and regulatory requirements.

Preparation for DORA requires significant investment of time and resources but is crucial for ensuring regulatory compliance and strengthening the overall digital resilience of the organization. Since the regulation already applies, remaining gaps should be closed on a prioritized timetable, starting with critical or important functions, to limit exposure to supervisory action and penalties.

What challenges are associated with DORA implementation?

Implementation of the DORA regulation poses a significant challenge for financial institutions, requiring comprehensive changes in the approach to cybersecurity and operational resilience. Here are the key challenges associated with DORA implementation:

  • Complexity of regulations: DORA introduces a wide range of requirements covering various aspects of cybersecurity and digital resilience. Understanding and interpreting all aspects of the regulation can be difficult, especially for smaller institutions with limited legal and technical resources.

  • Implementation costs: Adapting to DORA requirements may require significant investments in IT infrastructure, security systems, processes, and employee training. For many institutions, especially in the current economic situation, this may pose a serious financial burden.

  • Time constraints: DORA entered into force on 16 January 2023 and has applied since 17 January 2025. The 24-month transition window proved short for organizations that had to introduce significant changes to their systems, contracts, and processes, and institutions that are still closing gaps are now doing so under a regulation that is already enforceable.

  • Lack of qualified specialists: There is a global gap in cybersecurity skills. Finding and employing appropriately qualified specialists to implement and manage DORA-compliant systems can be a challenge for many institutions.

  • Integration with existing systems: Implementation of new solutions and processes required by DORA may be difficult to integrate with existing, often outdated IT systems. This may require significant changes to system architecture.

  • Third-party risk management: DORA places great emphasis on managing risks associated with ICT service providers. Assessing and monitoring the security of providers, especially in the case of extensive supply chains, can be complicated and time-consuming.

  • Continuous testing and reporting: DORA requirements for regular digital resilience testing and incident reporting can pose a significant operational burden for financial institutions, requiring dedicated resources and processes.

  • Harmonization with other regulations: Financial institutions must ensure DORA compliance while meeting the requirements of other regulations, such as GDPR, PSD2, or NIS2. Harmonizing all these requirements can be complicated.

  • Cultural changes: DORA implementation often requires significant changes in organizational culture, especially in the approach to cybersecurity. Overcoming resistance to change and ensuring engagement of all employees can be difficult.

  • Differences in implementation between countries: Although DORA aims to harmonize the approach to cybersecurity in the EU, there may be differences in the interpretation and implementation of the regulation in individual member states, which can pose a challenge for institutions operating in multiple countries.

  • Rapidly changing threat landscape: Cyber threats evolve very quickly. Institutions must be able to adapt their security strategies to new threats while meeting the static requirements of DORA.

  • Incident management and business continuity: Developing and implementing effective incident response and business continuity plans, compliant with DORA requirements, can be challenging, especially for organizations with complex structures and distributed systems.

  • Board responsibility: DORA increases the board’s responsibility for cybersecurity. Ensuring that board members have appropriate knowledge and engagement in cybersecurity issues can be challenging, especially in organizations where this has traditionally been treated as the exclusive domain of the IT department.

  • Data management: DORA requires a comprehensive approach to data management, including their classification, protection, and monitoring. For many institutions, this may mean the need for significant reorganization of information management processes.

  • Automation and analytics: Meeting DORA requirements for monitoring, detecting, and reporting incidents may require implementation of advanced automation and analytics solutions, which can be a technological and financial challenge.

  • Cross-sector cooperation: DORA promotes information exchange about threats between institutions. Establishing effective cooperation mechanisms while maintaining confidentiality and competitiveness can be difficult.

  • Identity and access management: Implementing advanced identity and access management systems compliant with DORA requirements may require significant changes to existing processes and IT infrastructure.

  • Employee education and awareness: Ensuring that all employees, from rank-and-file to management, understand and comply with DORA requirements requires comprehensive and continuous educational programs.

  • Change management: DORA implementation often requires significant organizational and process changes. Effective management of these changes, minimizing operational disruptions, poses a significant challenge.

  • Measuring effectiveness: Developing effective metrics to assess DORA compliance and the overall effectiveness of cybersecurity measures can be difficult, especially in the context of continuously evolving threats.

Despite these challenges, DORA implementation also brings significant benefits. Institutions that successfully cope with these challenges can expect to strengthen their position in cybersecurity, increase customer and business partner trust, and better prepare for future cyber threats.

The key to success will be a strategic approach to DORA implementation, treating it not only as a regulatory requirement but as an opportunity for comprehensive strengthening of the organization’s digital resilience. Financial institutions should consider cooperation with external experts, participation in industry initiatives, and continuous investment in developing internal competencies in cybersecurity.

Ultimately, although DORA implementation poses a significant challenge, it is necessary to ensure the long-term stability and security of the European financial sector in the digital age.
