- Dr. Markus Hülper
- Walid Adams
- 13.03.25
- Reading time: 4 minutes
Digital Operational Resilience Act (DORA): New IT security requirements for companies in the financial sector
Digitalisation has fundamentally changed the financial sector in recent years. While digital processes enable efficiency gains and innovative services, the risk of IT failures and cyberattacks is also increasing. To meet these challenges, Regulation (EU) 2022/2554 – better known as the Digital Operational Resilience Act (DORA) – has been in force since 17 January 2025. This new regulation defines uniform requirements for the digital operational resilience of financial companies across Europe and ensures uniform regulation of IT security requirements in the European Union.
Digital resilience must become more important in many companies
DORA affects a large number of companies in the financial sector, including credit institutions, payment and e-money institutions, insurance companies and intermediaries, rating agencies and investment firms. Financial holding companies, central securities depositories, trading centres, fund management companies, crypto service providers and companies that provide critical financial market services are also affected by the new requirements. External IT service providers that work for financial companies must also comply with the regulatory requirements, particularly if they provide essential or critical services. The regulation serves as a specialised supplement to existing national regulations and ensures that financial companies implement the necessary protective measures against IT risks and cyber attacks. Especially at a time when the threat of cybercrime is steadily increasing, a common regulatory framework is crucial.
Important requirements and implementation measures
DORA pursues a comprehensive approach to strengthen the resilience of financial organisations against digital threats. In particular, this includes requirements for ICT risk management, the control of IT third parties and stricter notification and reporting obligations. A key aspect of the regulation is the introduction of structured risk management for information and communication technology (ICT). Companies must ensure that they have robust IT governance structures in place and continuously monitor their networks and systems for vulnerabilities and threats.
In the area of ICT risk management, companies must take targeted measures to identify, assess and prevent IT risks. This includes implementing mechanisms to detect and defend against cyberattacks as well as plans to quickly restore operational capability after IT disruptions. DORA also calls for regular digital resilience tests to ensure that companies are prepared for possible threat scenarios.
Another important component of the regulation is the management of risks arising from the use of external IT service providers. Many financial organisations rely on external providers for cloud services, data processing or cybersecurity solutions, which leads to greater dependence on third parties. DORA requires financial companies to monitor their third-party providers more closely and ensure that they fulfil regulatory requirements. Particular attention is paid to the outsourcing of critical functions, where strict contractual requirements and monitoring mechanisms are required.
The regulation also places high demands on the obligation to report IT security incidents. Companies are obliged to report serious cyber attacks and IT failures to the relevant supervisory authorities in a timely manner. The reports are intended to enable better monitoring of threats and help companies to prepare for security incidents in a more targeted manner. In addition, regular audits and stress tests are required to check the resilience of the IT infrastructure.
Preparing for DORA: What companies should do now
In order to successfully implement the new requirements of DORA, financial organisations should take measures to adapt their IT and compliance strategies. A comprehensive inventory of the current IT security architecture helps to identify existing weaknesses and rectify them in a targeted manner. It is also advisable to develop emergency and recovery plans in order to be prepared for unexpected IT incidents.
Close collaboration between IT and compliance departments is essential to implement DORA-compliant security strategies. Companies should invest in training and awareness-raising measures for their employees to create a basic understanding of the new regulatory requirements. In addition, existing IT outsourcing contracts should be reviewed and, if necessary, adapted to ensure that third-party providers comply with the necessary security standards.
In addition, early audits and tests can help to identify gaps in the IT security architecture and take protective measures in good time. Companies that act proactively can not only avoid regulatory sanctions, but also strengthen their resilience to cyber threats in the long term.
How can effective compliance measures be implemented in your company?
With the entry into force of DORA, the digital resilience of financial organisations will be raised to a new level. Companies that prepare for the new requirements at an early stage will not only benefit from regulatory compliance, but also from increased IT security and improved protection against cyber threats. In view of the growing digital risks, the implementation of the DORA requirements is an indispensable measure for the long-term protection of the financial sector.
We are happy to support you in implementing the Digital Operational Resilience Act (DORA).
Your personal contact
Matthias Schulz, Director Sales
- +49 40 257 660 967
- +49 40 257 660 919
- m.schulz@clarius.legal