Knowledge base Updated: February 5, 2026

DORA in practice - requirements for the financial sector and its suppliers

DORA is the most rigorous cybersecurity law in the world. Banks, insurers, and their suppliers must meet requirements that change the approach to digital resilience.

Friday, 5:30 PM. The bank’s transaction system stops responding. The IT team quickly identifies the problem - unauthorized access to the customer database. A race against time begins, but it’s not just about fixing the system. From the moment the incident is classified as major, the bank has exactly 4 hours to submit an initial notification to the regulator. Not 24 hours like in NIS2, not “without delay” like in old regulations - exactly 4 hours. This is the new standard set by the DORA regulation.

The Digital Operational Resilience Act came into force in January 2025 and represents the most rigorous cybersecurity law in the world. However, it doesn’t just apply to banks. Every company that provides ICT services to the financial sector - from software vendors to hosting companies - must meet DORA requirements. This is a change that redefines the entire financial ecosystem in Europe.

How does DORA differ from other cybersecurity regulations?

DORA is not another directive requiring implementation by member states. It’s a regulation - a legal act directly applicable in all EU countries. There’s no room for different interpretations or lenient national implementations. Requirements are uniform for the entire European financial sector.

The fundamental difference between DORA and NIS2 lies in the approach to security. NIS2 focuses on protection against attacks and incident response. DORA goes further - it requires not only defense but proving that the organization can survive an attack and continue operations. The key word is “operational resilience,” not just “security.”

DORA also introduces unprecedented oversight of ICT service providers. For the first time in European regulatory history, technology companies outside the financial sector are subject to direct supervision by financial authorities. Critical ICT providers will be monitored by specially appointed European supervisory bodies.

📚 Read the complete guide: DORA: DORA - the regulation on digital operational resilience for the financial sector

Which entities are subject to DORA requirements?

DORA’s subject scope is very broad. It covers virtually all types of financial institutions: banks, insurance and reinsurance companies, investment funds, payment firms, electronic money institutions, exchanges and clearing houses, pension funds, asset management companies, and rating agencies.

Importantly, DORA also applies to ICT service providers for the financial sector. If your company provides software, cloud services, hosting, data analysis, or any other technology services to a bank or insurer, you must meet DORA requirements - even if you’re not a financial institution yourself.

A special category consists of “critical ICT third-party service providers.” These are companies whose services are so important to the financial sector that their failure could threaten the stability of the entire system. Such providers are subject to direct supervision by European financial supervisory authorities.

What are the incident reporting requirements?

DORA introduces the most rigorous incident reporting deadlines in European regulatory history. Initial notification of a major ICT incident must occur within 4 hours of its classification. For comparison, NIS2 provides 24 hours for an early warning.

The reporting cycle consists of three stages. The initial notification within 4 hours is preliminary - it informs the supervisory authority of the incident occurrence and its potential impact. The intermediate report, submitted within 72 hours, contains detailed incident analysis and actions taken. The final report, required within one month, summarizes the entire incident and lessons learned.

It’s crucial to understand that the 4-hour deadline runs from the moment the incident is classified as major, not from the moment of detection. Therefore, organizations must have clear incident classification procedures to avoid wasting precious time determining whether an event qualifies for reporting.

What are TLPT tests and who do they apply to?

Threat-Led Penetration Testing (TLPT) is an advanced form of security testing required by DORA. It differs from standard penetration tests in that attack scenarios are based on real threat intelligence specific to the given organization.

TLPT must be conducted at least once every three years by entities meeting certain criteria - typically larger financial institutions of significant systemic importance. Tests must cover critical or important business functions and be conducted by external, certified testers.

DORA requires TLPT to comply with the TIBER-EU framework (Threat Intelligence-Based Ethical Red Teaming). This means preparing a targeted threat intelligence report (TTIR) that forms the basis for test scenarios. The report must identify realistic threats and attack techniques specific to the given institution.

How does DORA regulate ICT risk management?

ICT risk management under DORA must be comprehensive and systematic. The regulation requires implementing an ICT risk management framework covering: identification, protection and prevention, detection, response and recovery, and learning and evolution.

A key element is mapping critical business functions to supporting ICT resources. Organizations must know which systems are essential for critical function performance, what dependencies exist between systems, and what the maximum acceptable downtime is for each.

DORA also requires regular resilience testing. Besides the mentioned TLPT, institutions must conduct annual scenario tests, penetration tests, business continuity plan tests, and vulnerability reviews. Test results must be documented and submitted to supervisory authorities.

What obligations does DORA impose on ICT suppliers?

DORA fundamentally changes relationships between financial institutions and their technology suppliers. Financial institutions must maintain a register of all ICT supplier contracts, containing detailed information about each supplier, service scope, and risk assessment.

ICT supplier contracts must include mandatory clauses specified in DORA. These include: clear service description, data processing location, security guarantees, audit rights, exit plans, and procedures for contract termination.

The audit right clause is particularly important. The financial institution must be able to conduct an audit at the ICT supplier - directly or through an external auditor. The supplier cannot object, and the contract must clearly define audit rules.

How does oversight of key ICT suppliers work?

DORA introduces an unprecedented oversight mechanism for key ICT service providers. European Supervisory Authorities (EBA, EIOPA, ESMA) may designate a provider as “critical” based on criteria such as: systemic significance of services, degree of financial sector dependence on the provider, and possibility of service substitution.

Critical ICT providers are subject to direct supervision by a “Lead Overseer” - the main supervisor designated from among the European supervisory authorities. The Lead Overseer has broad powers: it can request information, conduct on-site inspections, issue recommendations, and impose periodic financial penalties.

For ICT providers outside the EU, DORA requires establishing a representative in the European Union. If a large American cloud provider wants to provide services to the European financial sector, they must have an entity in the EU responsible for supervisory contacts.

What are the business continuity requirements?

DORA imposes detailed requirements for ICT business continuity plans. These plans must cover all critical business functions and supporting ICT systems. They must specify the maximum tolerated downtime (RTO - Recovery Time Objective) and maximum acceptable data loss (RPO - Recovery Point Objective).

Organizations must have the ability to restore critical function operations within specified time. DORA doesn’t impose specific RTO/RPO values - the institution must determine them based on business impact analysis. However, these values must be realistic and regularly tested.

DORA places particular emphasis on severe business disruption scenarios. Plans must consider not only individual system failures but also scenarios such as: simultaneous failure of the main data center and backup, cyberattack combined with supplier failure, or pandemic preventing staff work.

How do you prepare an organization for DORA requirements?

Preparation for DORA requires a systematic approach. The first step is conducting a gap analysis - comparing current state with regulation requirements. The analysis should cover: ICT risk management, incident reporting procedures, supplier contracts, business continuity plans, and testing capabilities.

The second step is developing an action plan with clearly defined priorities and deadlines. Due to the breadth of DORA requirements, not everything can be done simultaneously. Priority should be given to areas of highest regulatory risk - particularly incident reporting procedures due to the rigorous 4-hour deadline.

The third step is implementing technical solutions supporting compliance. Key elements are: an incident management system enabling rapid classification and reporting, 24/7 monitoring and threat detection tools, and business continuity solutions with automatic failover.

What role do SIEM and SOAR play in meeting DORA requirements?

SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) systems play a crucial role in meeting DORA requirements. SIEM provides a central point for collecting and correlating security events from across the infrastructure, enabling rapid incident detection.

Particularly important is automatic incident classification. To fit within the 4-hour reporting window, organizations must automatically identify incidents qualifying for reporting. IBM QRadar SIEM with User Behavior Analytics (UBA) can detect anomalies and automatically classify events by criticality.

SOAR complements SIEM with automatic response capability. When SIEM detects an incident, SOAR can automatically launch the notification procedure - prepare an initial report, fill out the regulator form, and notify appropriate people. This dramatically shortens time from detection to notification.
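As an added illustration (not code from the article or from nFlo), here is the deadline tracking that a SOAR notification playbook needs for the three-stage cycle described above, with the clock started at classification rather than detection. The 72-hour and one-month deadlines are anchored on the classification time as an assumption, since the page does not state what they are measured from; the timeline values are constructed.

```python
from datetime import datetime, timedelta, timezone
import calendar

# Stage deadlines as given on the page. The clock starts when the incident is
# classified as major, not when it is detected. The page does not say what the
# 72-hour and one-month deadlines are measured from, so this example anchors all
# three on the classification time (an assumption).
STAGES = {"initial": timedelta(hours=4), "intermediate": timedelta(hours=72)}


def add_one_month(t: datetime) -> datetime:
    """Same calendar day in the next month, clamped to that month's last day
    (31 Jan -> 28 Feb); the clamping rule is an assumption, not from the page."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_deadlines(classified_at: datetime) -> dict:
    """Deadlines for the initial, intermediate and final reports."""
    deadlines = {name: classified_at + delta for name, delta in STAGES.items()}
    deadlines["final"] = add_one_month(classified_at)
    return deadlines


def report_status(classified_at: datetime, submitted: dict) -> dict:
    """Per stage: ('on_time' | 'late' | 'pending', minutes of margin). A negative
    margin is how late the report was; stages not yet sent are 'pending'."""
    status = {}
    for stage, deadline in reporting_deadlines(classified_at).items():
        sent = submitted.get(stage)
        if sent is None:
            status[stage] = ("pending", None)
            continue
        margin = int((deadline - sent).total_seconds() // 60)
        status[stage] = ("on_time" if margin >= 0 else "late", margin)
    return status


# Constructed timeline for the Friday 17:30 scenario from the article (UTC).
DETECTED_AT = datetime(2026, 2, 6, 17, 30, tzinfo=timezone.utc)
CLASSIFIED_AT = datetime(2026, 2, 6, 18, 15, tzinfo=timezone.utc)   # 45 min of triage
SUBMITTED = {
    "initial": datetime(2026, 2, 6, 21, 0, tzinfo=timezone.utc),       # inside the 4h window
    "intermediate": datetime(2026, 2, 10, 9, 0, tzinfo=timezone.utc),  # misses the 72h mark
}

if __name__ == "__main__":
    print("triage minutes:", (CLASSIFIED_AT - DETECTED_AT) // timedelta(minutes=1))
    for stage, (state, margin) in report_status(CLASSIFIED_AT, SUBMITTED).items():
        print(f"{stage:12s} {state:8s} margin_min={margin}")
```

The 45 minutes of triage do not count against the 4-hour window, but they are the part of the timeline a clear classification procedure shortens.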

Strategic DORA compliance map

DORA requirement     | Description                                    | Technical solution                        | Priority
4h reporting         | Initial incident notification within 4 hours   | SIEM + SOAR with automatic classification | Critical
24/7 monitoring      | Continuous threat detection                    | SOC or Managed SOC                        | Critical
ICT risk management  | Risk management framework                      | GRC + risk analysis                       | High
TLPT tests           | Threat-led penetration testing every 3 years   | External certified testers                | High
Supplier register    | Documentation of all ICT suppliers             | Supplier management system                | Medium
Continuity plans     | RTO/RPO for critical functions                 | DR/BC with automatic failover             | High
Audit rights         | Ability to audit suppliers                     | Contract clauses + procedures             | Medium

Summary

DORA is not an evolution but a revolution in the approach to financial sector cybersecurity. The regulation forces a transition from reactive security management to proactive building of operational resilience. The 4-hour reporting window, mandatory TLPT tests, and unprecedented ICT supplier oversight are new standards that the entire sector must face.

For financial institutions, DORA means the necessity of investing in advanced monitoring and automation tools. For ICT suppliers - adapting contracts, processes, and capabilities to new customer requirements. For both groups - a fundamental change in approach to technology risk management.

Organizations that treat DORA as another “checklist to tick off” expose themselves to serious risk. Those that use the regulation as a catalyst for transforming their cybersecurity approach will build real competitive advantage and resilience against increasingly sophisticated threats.


Need support preparing for DORA requirements? nFlo experts will help conduct gap analysis, implement 24/7 monitoring solutions, and prepare incident reporting procedures compliant with regulation requirements. Contact us.
