
The European Union’s (EU) Digital Operational Resilience Act (DORA) is fully operational as of January 17, 2025, requiring financial institutions to follow risk management practices, report incidents, and have a plan for digital resiliency in case of breaches. But DORA isn’t just binding for banks and insurers — it regulates many third-party providers that offer services to financial institutions across the continent. What does that mean for financial companies and their service providers? And are the steps they’re already taking enough? We’re going deeper into what DORA means for organizations now and into the future.
What is the Digital Operational Resilience Act (DORA)?
DORA is a binding act passed by the European Parliament and the Council of the European Union and adopted in 2022. Enforced by member states and EU-wide supervisory bodies like the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), DORA emerged in an environment in which financial services could no longer protect their clients’ data and assets alone; instead, they increasingly rely on digital technologies and third-party service providers.
Key provisions include:
- Information and Communication Technology (ICT) risk management requirements
- Incident reporting requirements
- Operational resilience testing
- Third-party oversight
- Business continuity and disaster recovery plans
- Internal governance and accountability mechanisms
What changes prompted these provisions? Overall, the end of perimeter security created several new risks for sensitive data:
- Increasing cybersecurity threats: From phishing to ransomware, cybercrime poses an increasing risk to financial systems.
- Dependency on third-party IT: Cloud computing, data storage, and third-party payment processing are here to stay, but they change the risk profile for financial institutions once firmly in control of their clients’ data.
- Fragmentation of EU regulations: The EU is a multinational coalition, but fragmented regulations meant banks operating across borders faced an incongruent regulatory environment. DORA unified regulation and enforcement.
- Recovery strategies were unregulated: While cyberattacks were growing and institutions likewise sprawling across more countries and encompassing more clients and vendors, recovery strategies remained insufficient. Should stress testing be a regulatory necessity? What level of response mechanisms are must-haves?
- Increasing complexity: Besides growing international presence and data storage, interconnected systems, payment networks, and added complexity all meant it was becoming more difficult to assess potential resilience in the face of an attack.
- Customer protection risks: Cyberattacks mean more than trouble for institutions: they threaten customer data, finances, and trust in financial services.
Overall, by unifying regulations, DORA allows the EU to provide clear rules for managing critical financial services and protecting consumers in case of digital disruption.
What Does DORA Mean for Organizations?
Outside financial services, DORA continues to meaningfully impact organizations that do business with financial services firms in the EU. For example, critical ICT vendors will be responsible under DORA, but the level of responsibility varies according to their roles, and financial organizations can require vendors and partners to adhere to standards that make their own responsibilities under DORA easier.
Here are key actions vendors can take to comply with DORA, ensuring they help their client financial services companies comply with requirements, too:
Implement Strong ICT Risk Management and Resilience Practices
Establish a strong risk management framework from cybersecurity measures to recovery and business continuity. Use tools to continually monitor the cloud ecosystem and containerized infrastructure, proactively managing ICT risks with visibility into vulnerabilities and misconfigurations — and the mitigation needed to eliminate risks before they lead to security incidents.

Create Clear Incident Reporting and Response Mechanisms
Develop protocols for detecting and reporting ICT incidents within 24 hours, per DORA requirements. Automating alerts is a simple way to meet DORA requirements, making sure incidents always get reported. Detailed insights into the severity and impact of incursions that could represent breaches not only help with compliance but are straightforward to obtain using Cloud Security Posture Management (CSPM) tools powered by runtime insights, which also shortens response times.

Establish and Comply with Service-Level Agreements (SLAs)
Contracts with financial services companies in the EU can include reassuring operational resiliency goals, from service continuity to recovery capabilities and risk management. Aligning SLAs with DORA sets clear expectations and shows that partners understand their clients’ needs.
Document and Maintain Compliance Records
Keeping records of compliance efforts, risk assessments, and incident reports helps ensure clients and regulatory agencies get the data they need. By identifying areas that need attention, organizations can document that they’ve addressed the biggest weaknesses in their environments and created an ecosystem better equipped to withstand attacks.
How Does DORA Differ from Other Regulatory Frameworks?
DORA brings clarity and uniformity to the management of ICT risks and operational resilience in the financial sector within the EU. But that’s not always simple to discern in the face of other acronyms representing multiple other regulatory frameworks in cybersecurity. Is DORA another form of overlap?
Other regulatory frameworks, both globally and regionally, do have similar objectives — making sure organizations are resilient in the face of disruptions and risks, particularly in cloud-based or hybrid environments. However, DORA was specifically designed to address the unique needs of the financial sector, which faces complex operational resilience challenges that are not fully covered by existing frameworks like GDPR, NIST, or ISO/IEC 27001. Here’s why DORA is different:
| | DORA | GDPR (General Data Protection Regulation) | NIST Cybersecurity Framework | ISO/IEC 27001 (Information Security Management) |
|---|---|---|---|---|
| Sector Focus | Financial institutions and their critical service providers | General data protection across all sectors | Broad cybersecurity framework for all industries | General information security management for all industries |
| Operational Resilience | Specific focus on ensuring continuous service availability and recovery in financial services | Focuses on data protection rather than operational continuity | Emphasizes risk management and response but not specifically operational resilience | Focuses on managing information security but lacks provisions for operational resilience in the face of disruptions |
| Third-Party Risk Management | Strong emphasis on third-party oversight, continuous risk management, and contract enforcement for ICT service providers | Focuses on data processing agreements but not continuous third-party operational resilience monitoring | Focuses on supply chain security but does not mandate continuous third-party monitoring | Requires risk management for third-party relationships but is less focused on resilience or compliance enforcement |
| Incident Reporting | Requires reporting of significant ICT incidents within 24 hours for financial institutions | Requires breach reporting within 72 hours, but only for personal data breaches | Focuses on incident response but has no mandatory reporting timelines | Includes incident management but lacks stringent time-bound reporting requirements |
For DORA’s framers, operational resilience isn’t just about data protection but is also focused on continuous service availability and rapid recovery. It’s concerned with almost immediate reporting, reflecting a focus on the financial sector that had been missing from previous frameworks.
Thus, organizations already working with some of these other frameworks may find some distinct differences if they endeavor to apply their existing strategies and policies to clients bound by DORA. That’s because DORA’s focus on operational resilience extends beyond what many existing frameworks emphasize. Its distinctions are built on the urgency and systemic impact of disruptions within financial institutions, which could ripple out to affect the broader economy.
Fast Incident Reporting and Accountability
Unlike GDPR, which allows a 72-hour window for reporting breaches, DORA mandates that financial institutions report significant ICT incidents within 24 hours. That requires crystal-clear governance protocols to ensure fast action. Organizations already compliant with frameworks like NIST or ISO/IEC 27001 must improve their incident response times, for example, by automating detection.
Third-Party Oversight and Continuous Monitoring
DORA places significant emphasis on third-party ICT service providers, requiring not only risk assessments but continuous monitoring of vendors’ security posture. NIST and ISO/IEC 27001 include elements of third-party risk management, but DORA’s specific focus on the operational resilience of critical third-party vendors — such as cloud providers, data centers, and payment processors — goes beyond other frameworks. Organizations may need more stringent vendor management protocols and to integrate vendors into incident reporting workflows.
Cloud and Hybrid Environments
Today, financial institutions heavily rely on cloud infrastructure and hybrid environments, which introduces complexities that DORA addresses directly. While frameworks like GDPR and ISO/IEC 27001 do provide some guidelines for cloud security and data protection, DORA goes further, defining how these technologies should interact with regulatory compliance. For instance, DORA dictates that cloud service providers must be able to withstand significant operational disruptions with high levels of uptime.
Comprehensive Risk Management Across the Entire Organization
While frameworks like NIST and ISO/IEC 27001 outline security risk management in terms of protecting information assets, DORA mandates that organizations include business operations, service delivery, and recovery strategies as part of their operational resilience plan, too. It requires that organizations have a clear operational continuity plan in place that not only addresses cybersecurity risks but also operational failures that may impact financial transactions, payment systems, or other mission-critical services.
Security and Compliance as Integrated Business Functions
The distinction between DORA and broader frameworks like GDPR and NIST is DORA’s attention to business operations and economic stability. DORA makes security a core business function, forcing organizations to take cybersecurity out of traditional silos and, instead, embed it in every layer of business operations. That may take extra steps to realize when compared with previous compliance frameworks.
Upwind Helps Teams Do DORA Right
DORA is here, so it’s a critical time for financial institutions and their service providers to ensure they meet the EU’s new operational resilience requirements. Upwind offers cloud security posture management (CSPM) tools to ensure real-time monitoring, compliance with third-party risk management, and effective incident response.
And with Upwind’s runtime-powered CSPM, organizations can proactively address the most critical risks faster, meeting DORA’s reporting requirements, and demonstrating operational resilience across hybrid and multi-cloud environments. Want to see it in action? Schedule a demo.
FAQ
Who is exempt from DORA?
DORA applies to financial institutions within the EU and their critical third-party vendors. Where DORA is concerned, “critical” third-party vendors are those that are key to the functioning of financial institutions: cloud service providers, payment processors, data centers, trading platforms, and cybersecurity vendors are all critical. If they want to do business in the EU, they’re subject to DORA.
Non-critical vendors may include non-essential IT support, non-financial software providers (e.g., email, project management software), or marketing agencies working on behalf of financial institutions.
Here are some general exemptions:
- Small EU financial institutions, like local insurers or small asset managers, may be exempt from some provisions.
- Non-EU financial institutions are only covered if they provide services to EU financial entities or participate in EU financial markets.
- Public sector entities and non-critical third-party providers are typically exempt.
DORA mainly targets institutions with significant operations that pose systemic risks to EU financial markets.
What are the 5 pillars of DORA / of operational resilience?
DORA is built on five core pillars of operational resilience that undergird financial institutions’ management of ICT risks and disruptions. They include:
- ICT risk management
- Incident reporting and response
- Operational resilience testing
- Third-party risk management
- Business continuity and disaster recovery
The goal of these components is to strengthen financial institutions’ ability to withstand and recover from digital disruptions in Europe.
Does DORA apply to U.S. companies?
DORA applies to EU-based financial institutions and their third-party partners, and many U.S. companies find that they are required to comply in order to do business in Europe or with European clients.
DORA would apply to U.S. companies if:
- They provide critical services used in financial operations to EU financial institutions (e.g., cloud services, data centers, payment processors, or cybersecurity vendors).
- They provide operational resilience services to EU-based financial firms (e.g., backup services, network infrastructure, systems monitoring).
- They are involved in EU financial markets or transactions that affect the stability of the EU financial system (e.g., a trading platform that facilitates trades for EU investors).
- They participate in cross-border financial operations with EU financial institutions that require compliance with EU regulations (e.g., a U.S. company providing loans or asset management to EU clients or dealing in EU financial instruments).