
DORA Compliance for EU Financial Institutions and IT Providers
Understanding the EU’s Digital Operational Resilience Act and What It Means for Your Business
The Digital Operational Resilience Act (DORA) has become one of the most important pieces of EU financial regulation in recent years. Designed to strengthen the information and communications technology (ICT) resilience of the financial sector, DORA creates a harmonised legal framework across the European Union to ensure that all participants in the financial system, and their critical service providers, can withstand, respond to, and recover from ICT-related incidents such as cyberattacks, system failures, or operational disruptions.
Since 17 January 2025, compliance with DORA has been mandatory for thousands of financial entities operating in or serving the EU market, and for the ICT providers that support them. The Regulation introduces comprehensive obligations across ICT risk management, incident reporting, resilience testing, and third-party oversight, all under a single supervisory regime.
At AGPLAW, we help financial institutions, investment firms, fintechs, and ICT providers understand this new regulatory landscape, from assessing exposure to achieving and maintaining full compliance.
1. What is DORA and why was it introduced?
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) was adopted in December 2022, entered into force on 16 January 2023 and has applied since 17 January 2025, following years of increasing concern over the vulnerability of Europe’s financial infrastructure to cyber and operational threats.
Historically, EU regulations on ICT and cybersecurity were fragmented: each member state applied its own rules, and each financial sub-sector (banking, insurance, markets, payments, etc.) had different supervisory expectations. DORA resolves this by introducing a unified and directly applicable regulation, ensuring consistency and clarity across all EU jurisdictions.
Its core objective is to make sure that the entire financial ecosystem, including banks, insurers, investment firms, and their ICT vendors, is digitally resilient: able to prevent, detect, contain, recover from, and learn from ICT-related incidents.
2. Who must comply with DORA?
DORA applies to a wide range of financial entities and technology service providers.
Financial Entities
The regulation covers almost every category of financial institution operating within the EU, including:
- Credit institutions / banks
- Investment firms and asset managers
- Payment institutions and e-money providers
- Insurance and reinsurance undertakings, including intermediaries
- Central counterparties, trading venues, trade repositories, and securities depositories
- Credit rating agencies
- Crypto-asset service providers (under MiCA)
- Crowdfunding service providers
- Account information service providers
- Data reporting service providers
- Administrators of critical benchmarks
ICT Third-Party Providers
DORA also regulates the third-party service providers that deliver ICT services to financial entities, including cloud computing platforms, data centres, software vendors, cybersecurity firms, and managed IT services.
Some of these will be designated as Critical ICT Third-Party Providers (CTPPs). A designated CTPP falls under DORA’s Oversight Framework, in which one of the European Supervisory Authorities (the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), or the European Insurance and Occupational Pensions Authority (EIOPA)) acts as its Lead Overseer, with powers to request information, conduct investigations and on-site inspections, and issue recommendations.
Non-EU providers serving EU financial entities are affected as well. DORA’s obligations bind the financial entity, which must flow the required contractual terms and oversight mechanisms down to each provider regardless of where it is established; a third-country provider designated as critical must also set up a subsidiary in the Union within 12 months of designation. This extraterritorial reach is particularly relevant for global technology firms and outsourcing partners.
3. The Core Requirements of DORA
DORA’s obligations are built around five key pillars, each of which sets out detailed operational and legal requirements:
ICT Risk Management
Financial entities must establish a comprehensive ICT risk management framework that integrates into their overall risk governance.
This includes:
- Identifying and classifying ICT systems, assets, and data;
- Establishing robust security, backup, and recovery mechanisms;
- Implementing clear policies for access control, change management, and encryption;
- Ensuring business continuity and disaster recovery; and
- Having the management body (the Board of Directors) ultimately responsible for ICT risk oversight.
The framework must be reviewed regularly and adapted to emerging threats and technological developments.
Incident Management and Reporting
Under DORA, financial entities must detect, manage, and report ICT-related incidents following a unified European reporting process. Incidents are classified against criteria such as the clients, counterparts and transactions affected, duration and service downtime, geographical spread, data losses, criticality of the services affected, and economic impact. Those meeting the threshold of a “major incident” must be reported to the competent authority in stages: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the last intermediate report.
The final report must set out the root-cause analysis and the remedial actions taken. Where a major incident affects clients’ financial interests, the entity must inform them without undue delay; significant cyber threats may in addition be notified to the authority on a voluntary basis.
Digital Operational Resilience Testing
Entities must regularly test the resilience and effectiveness of their systems through technical and procedural exercises, including:
- Vulnerability assessments
- Penetration testing
- Disaster recovery simulations
- “Threat-Led Penetration Testing” (TLPT) based on real-world attack scenarios
Smaller entities may apply simplified testing regimes, but all entities other than microenterprises must test the ICT systems and applications supporting critical or important functions at least yearly. Entities identified by their competent authority as significant must in addition carry out TLPT at least every three years: a controlled, intelligence-led attack against live production systems supporting critical or important functions, performed by independent, suitably qualified testers (internal testers may be used only under the conditions DORA sets, and always together with an external threat-intelligence provider).
Third-Party Risk and Outsourcing Oversight
Given the dependence of most financial institutions on external ICT vendors, DORA imposes strict requirements on outsourcing and third-party arrangements.
Before engaging a provider, entities must:
- Conduct due diligence and risk assessments;
- Classify whether the outsourced function is “critical or important”;
- Ensure contracts include mandatory clauses such as audit rights, data access, termination rights, subcontracting conditions, and cooperation in case of incidents; and
- Maintain an updated register of information covering all contractual arrangements with ICT third-party providers, report on it to the competent authority at least yearly, and make the full register available on request.
Where an ICT provider is designated as critical, the European Supervisory Authorities will exercise direct oversight, including the right to conduct inspections and impose corrective measures.
Information Sharing and Threat Intelligence
DORA encourages the creation of trusted networks for information exchange, allowing entities to share cyber-threat intelligence and incident data within their sector while ensuring confidentiality and data protection. This collaboration aims to improve collective resilience and early warning systems across the financial ecosystem.
4. Governance and Accountability
DORA makes it clear that compliance is not an IT function: it is a management responsibility. The management body must:
- Approve the ICT risk management framework;
- Allocate adequate financial and human resources for resilience;
- Integrate ICT risk into the entity’s overall governance and risk appetite; and
- Ensure that all policies are properly documented, tested, and reviewed.
Delegating compliance to external consultants or ICT departments does not absolve management from liability.
5. Frequency and Ongoing Compliance
DORA compliance is continuous, not a one-off exercise. The following periodic obligations are typical:
| Obligation | Frequency |
|---|---|
| Review and update of ICT risk policies | Annually or upon major change |
| Vulnerability & penetration testing | At least once per year |
| Threat-led penetration testing (for significant entities) | Every 3 years |
| Review of contracts with ICT providers | At contract renewal or annually |
| Business continuity / recovery drills | Regularly (at least yearly) |
| Incident reporting & post-mortem | Within set timelines after each incident |
| Internal / external audits | Periodically or upon supervisory request |
Supervisory authorities are empowered to request documentation, conduct on-site inspections, or order additional testing at any time.
6. Penalties for Non-Compliance
Failure to comply with DORA can result in serious financial, operational, and reputational consequences.
Supervisory Powers and Administrative Penalties
DORA does not fix penalty amounts itself; each member state lays down administrative penalties and remedial measures, which must be effective, proportionate and dissuasive. In Cyprus, the Central Bank of Cyprus and the Cyprus Securities & Exchange Commission have been vested with powers to impose such penalties and measures, including:
- Access to any document or data held in any form
- On-site inspections or investigations
- Corrective and remedial measures for breaches of DORA
- Orders to cease conduct in breach of the regulation
- Temporary or permanent cessation of non-compliant practices
- Publication of public statements identifying the offender and the nature of the breach
Regulatory and Operational Measures
Competent authorities may also:
- Order corrective actions or impose deadlines for remediation
- Restrict or suspend specific business activities
- Withdraw authorisations for persistent breaches
- Publicly disclose non-compliance, damaging the institution’s reputation
In addition to these penalties, organisations risk losing the trust of clients, investors, and regulators — often more damaging than monetary fines.
7. DORA’s Relationship with Other Frameworks
DORA interacts closely with several other EU regulatory frameworks:
- NIS2 Directive: For financial entities within its scope, DORA is the sector-specific act (lex specialis) under Article 4 of NIS2, so its ICT risk-management and incident-reporting rules apply in place of the corresponding NIS2 provisions.
- GDPR: Data protection obligations remain intact; DORA adds operational resilience and reporting layers, so a single event may require both a DORA major-incident report and a GDPR personal-data-breach notification.
- MiCA and PSD2: DORA aligns with digital finance rules for crypto-asset and payment firms; for payment service providers, DORA’s regime takes over the reporting of major ICT-related incidents previously made under PSD2.
- ESA technical standards: Regulatory and implementing technical standards developed jointly by the EBA, ESMA and EIOPA and adopted by the Commission specify the incident classification criteria, reporting templates and timelines, the register-of-information format, and TLPT procedures.
8. Preparing for DORA: The Practical Steps
With enforcement already in place since early 2025, financial institutions and ICT providers should have implemented compliance measures. A typical roadmap includes:
- Gap Analysis: Assess current ICT risk governance, incident handling, and outsourcing frameworks.
- Governance Alignment: Ensure senior management understands its accountability and integrates ICT risk into governance.
- Policy Development: Draft or update ICT policies, continuity plans, and reporting procedures.
- Vendor Review: Revisit contracts with all ICT suppliers to include DORA-compliant clauses.
- Testing Framework: Implement regular penetration testing, recovery drills, and TLPT exercises.
- Incident Reporting Mechanisms: Establish escalation paths and templates for regulatory reporting.
- Training & Awareness: Educate management and staff on roles, responsibilities, and duties.
- Continuous Monitoring: Create a compliance monitoring program for ongoing readiness.
9. How AGPLAW can assist
DORA compliance demands coordinated legal and governance expertise. At AGPLAW, our multi-practice teams combine deep knowledge of financial regulation, cybersecurity law, and ICT governance to provide full support, including:
- DORA Readiness Assessments and Gap Analysis
- Development of ICT Risk and Resilience Frameworks
- Preparation of Governance and Board-level Policies
- Drafting and Review of ICT and Outsourcing Contracts
- Incident Response and Regulatory Reporting Support
- Cross-border Coordination for Groups with EU and non-EU Operations
- Alignment with NIS2, GDPR, and Sectoral Requirements
- Training and Awareness for Senior Management and Staff
10. Final thoughts
DORA represents a major shift in how the European financial system manages digital risk. It is not simply another cybersecurity regulation — it is a governance and resilience mandate reshaping management responsibilities, ICT provider roles, and EU supervision.
Non-compliance carries significant risks, but with the right guidance, DORA can become a competitive advantage, demonstrating strong operational integrity and reliability.
The information provided by AGPLAW | A.G. Paphitis & Co. LLC is for general informational purposes only and should not be construed as professional or formal legal advice. While every effort has been made to ensure the accuracy and reliability of the information contained herein, the author, publisher, or any related parties make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability of the information. In no event will the author, publisher, or any related parties be liable for any loss or damage, including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this document/article. You should not act or refrain from acting based on any information provided above without obtaining legal or other professional advice.