DORA Compliance: Digital Operational Resilience for Financial Entities

DORA — the Digital Operational Resilience Act (Regulation 2022/2554/EU) — is a mandatory EU regulation that has applied to financial entities across the EU since 17 January 2025, covering banks, insurance companies, investment firms, payment institutions, electronic money institutions, crypto-asset service providers, and ICT third-party service providers designated as critical. DORA requires these entities to implement a comprehensive ICT risk management framework, report major ICT incidents to competent authorities (including Banco de España and the CNMV for Spanish entities), conduct regular digital operational resilience testing including threat-led penetration tests (TLPT), and manage ICT third-party risk through compliant contractual arrangements under Article 30 of the Regulation. Non-compliance is supervised and sanctioned by national competent authorities.

Our financial regulatory compliance team combines deep knowledge of the DORA Regulation with practical experience implementing ICT risk management frameworks in financial sector entities.

Why DORA Is More Than a Documentation Exercise

DORA (Digital Operational Resilience Act, Regulation 2022/2554) has applied directly across the EU since January 2025. Unlike many compliance frameworks, DORA does not limit itself to documentation requirements — it demands real operational changes in how financial entities govern their technology, manage incidents, and contract with their providers. The experience of the first months of application confirms uneven sector readiness, with material gaps particularly in ICT provider contract compliance and the operational capacity to meet incident notification deadlines.

The Four Pillars in Practice

The ICT risk management framework required by Article 6 of DORA calls for board-approved ICT risk policies, a complete inventory of critical ICT systems and assets, a regular risk assessment methodology, and a business continuity plan specific to technology disruptions. For many mid-sized financial entities, this level of formal ICT governance is genuinely new — operational IT management existed, but not the structured framework DORA requires. Our approach builds on what already exists, avoiding duplication and minimising implementation burden.

Third-party ICT risk is the second major area of complexity. Almost every financial entity today depends on cloud providers, SaaS platforms, and specialist software vendors that are essential to daily operations. DORA imposes detailed contractual obligations for these relationships, including audit rights that many global providers do not grant by default, and a complete register of all ICT provider agreements. We coordinate closely with third-party risk management functions and the legal teams negotiating these contracts.

TLPT and Advanced Resilience Testing

For larger entities subject to Threat-Led Penetration Tests, we coordinate the end-to-end process: selecting a certified red-team provider, defining the scope with the supervisory authority, executing the tests across critical functions and systems, and producing the final report with a documented remediation plan. DORA is explicit that TLPT results — including identified vulnerabilities — must be shared with the supervisor and accompanied by a concrete remediation timeline. The coordination demands between the entity, the tester, and the supervisor are substantial, and early engagement with the supervisory authority is essential to avoid process delays.

Relationship with NIS2 and Other Frameworks

Financial entities subject to DORA are exempt from NIS2 in the areas DORA regulates. For groups with both financial and non-financial activities, we map the respective scopes to identify where a single governance framework can serve both regulations and where separate treatment is required. We also integrate DORA compliance with NIS2 compliance programmes for groups that need both, ensuring that security investments are leveraged across regulatory requirements rather than duplicated.