What the DORA Regulation Means for Financial Institutions in 2025
The Digital Operational Resilience Act (DORA), a regulation introduced by the EU requiring that financial institutions better manage technology risks and ensure uninterrupted operations, has gone into effect as of January 17, 2025. In an increasingly digital age, DORA is the first cybersecurity regulation of its kind.
But what does this all mean for financial institutions? What will be the impact and how can they ensure compliance? In today’s blog, we dig deeper into the implications of DORA for firms, including how it may influence their vendor selection decisions and actions they can take to manage compliance demands effectively.
Why is DORA needed?
The financial sector is increasingly dependent on technology and on third-party companies to deliver financial services. This dependency can make financial entities vulnerable to cyber-attacks or other digital security breaches.
When not managed properly, information and communications technology (ICT) risks can lead to disruptions of financial services offered across borders. This can adversely impact other companies, sectors and even the rest of the economy, which underscores the importance of the digital operational resilience of the financial sector.
What are the impacts of DORA?
With a focus on standardizing practices across all EU member states, DORA is intended to help financial entities manage cyber risks and secure their operations. This regulation applies to banks, insurance companies, investment firms, and payment service providers, as well as other key third-party providers. It is important to note that while the regulation directly applies to entities operating within the EU, it also affects third-party ICT providers located outside the EU that deliver services to EU financial entities. DORA’s impact will therefore have a widespread reach.
DORA is unique in the sense that it deals directly with cybersecurity and is beyond anything the industry has seen in terms of substance and penalties. Its aim is to unify various directives into a comprehensive regulation applied across the entire EU and enforced by financial services authorities. However, at this stage there remains some ambiguity with DORA requirements and overlap in what is required of financial institutions by the European Banking Authority (EBA).
DORA differs from the EBA Guidelines primarily in its broader scope, covering all “ICT services” rather than just outsourcing arrangements. This includes a wide range of digital and data services, such as hardware support and firmware updates, which were not explicitly addressed under the EBA framework. As a result, firms that previously updated contracts for EBA compliance may now need to revisit their contractual provisions under DORA.
Challenges in Meeting DORA Demands
Prior to January 17, many firms already had aspects of DORA in place, but what the regulation requires is a formal codification of these efforts. However, one challenge is managing compliance in a unified manner, as relevant information is often scattered across firms’ various departments and systems. Consolidating this data is challenging, especially for organizations with decentralized operations, which may necessitate new systems and processes.
Financial organizations are required to ensure robust operational resilience under DORA, which includes setting clear due diligence requirements for third-party vendors. When selecting new vendors, firms must conduct ICT concentration risk assessments before entering contractual agreements. This effort can ensure the vendor has the proper safeguards, technology, and procedures in place that align with DORA.
Beyond partnering with vendors that prioritize DORA standards, financial institutions need the right infrastructure and contingency plans in place to mitigate the risk of vendor outages. Institutions cannot delegate their regulatory responsibilities entirely to third-party providers: the failure of any major cloud provider, for example, could have catastrophic consequences for a given firm’s operations and potentially even greater systemic implications. Firms should therefore assess a vendor’s resilience and confirm that it makes use of the fault-tolerant infrastructures and architectures its cloud platform provides.
DORA Compliance Vendor Checklist
Financial entities should seek out technology vendors that prioritize the security and compliance of their operations, with policies, procedures, and architecture that align with DORA standards. A vendor that remains at the forefront of the latest regional regulations and ensures compliance with each, such as GDPR, ECB, PIPL and DORA, should also be a priority. Stringent security measures, comprehensive compliance protocols, and a resilient infrastructure designed to protect clients’ data and maintain operational integrity are all critically important.
When selecting a new tech provider, firms should prioritize the following checklist for DORA compliance. Seek out third-party vendors that offer:
- A comprehensive ICT risk management framework that enables users to identify, assess, manage, and mitigate all ICT-related risks
- Established mechanisms for timely reporting of significant ICT-related incidents to regulatory authorities
- Regular testing of digital operational resilience to ensure vendor systems can withstand and recover from disruptions
- Proper management of risks associated with the vendor’s own third-party ICT service providers to ensure they meet the same resilience standards
- The sharing of information and intelligence on cyber threats and vulnerabilities among other financial entities
DORA in 2025 and Beyond
DORA marks a transformative juncture for financial institutions, aimed at building digital resilience and safeguarding operations throughout the financial industry. However, while DORA sets crucial cybersecurity standards for the financial sector, its broad scope and evolving requirements create ambiguity for many firms. To navigate this terrain, organizations must ensure they have robust backup plans and resilient infrastructures in place, as reliance on third-party vendors alone is not enough. Given the complexity of DORA, firms should take proactive steps to safeguard their operations. Maintaining operational continuity requires both effective vendor management and independent resilience strategies on the part of financial institutions.