In 2024 one in three financial organizations in Europe faced serious ICT incidents that led to direct losses and reputational damage. According to the European Banking Authority, the damage from cyberattacks on the EU’s financial sector last year alone exceeded €6 billion, and the number of attacks using complex supply chains increased by 38%.
Today DORA (Digital Operational Resilience Act) is becoming not just a new standard but a key factor for survival and competitiveness for banks, insurers, fintechs, and investment organizations.
In this article I will explain in detail why DORA is not another “checkbox” in financial organizations’ information security report but a foundation for long-term resilience and growth. I will share practical recommendations and examples from COREDO’s experience, and answer the most pressing questions: how to prepare a company for DORA requirements in 2025, what risks and opportunities the new regulatory regime opens, and how to build a digital operational resilience system that meets EU regulators’ expectations. If you want not just to comply with the new rules but to turn them into a source of strategic strength, I recommend reading this material to the end.
DORA for the EU financial sector: what is it?
DORA defines standards for ICT risk management, cybersecurity in the financial sector, operational resilience testing, incident management and control over third parties, including cloud providers and SaaS platforms. The EU supervisory bodies (the ESAs: EBA, EIOPA and ESMA) have been granted expanded powers for supervision and for conducting DORA regulatory inspections, which requires companies to adopt a fundamentally new approach to digital maturity and cyber risk management.
Goals and objectives of DORA
The main task of DORA is to ensure resilience to cyberattacks and technological failures, minimize systemic risks and increase trust in the EU’s financial infrastructure. The regulation requires companies to carry out strategic cyber resilience planning, implement business continuity and disaster recovery, as well as regularly assess digital risks and conduct stress testing of ICT systems.
In one of the cases implemented by our team for an international investment firm, integrating DORA not only reduced the likelihood of ICT incidents but also increased the transparency of risk management processes for the board of directors.
Where DORA applies – geography and specifics
DORA applies to all financial organizations operating in the EU, as well as to critical third parties, including cloud providers and IT companies, regardless of their jurisdiction.
Implementing DORA in international companies requires taking into account multi-cloud strategies, managing digital ecosystems and assessing the maturity of business processes. The solution developed at COREDO for one of the largest fintech providers in Singapore included comprehensive adaptation of third-party Due Diligence processes and integration of DORA into corporate governance, which made it possible to ensure compliance with the new requirements and reduce risks when working with European clients.
DORA requirements – what you need to know
DORA is built on five key pillars, each of which requires companies to implement specific policies, procedures and technical solutions to ensure the digital resilience of the business.
| Key DORA pillar | Requirement essence | Examples of mandatory measures | Relevant keywords |
|---|---|---|---|
| ICT risk management | Building a digital risk management system | Asset inventory, security policy | ICT risk management, digital resilience |
| Incident management | Incident reporting and response regulations | 3-stage reporting, investigation | DORA incident management, incident reporting |
| Operational resilience testing | Regular security tests and stress tests | Penetration testing, disaster recovery | operational resilience testing |
| Third-party management | Control and audit of external providers | Due diligence, SLA monitoring | third-party management, due diligence |
| Information sharing | Voluntary sharing of cyber threat data | Participation in industry platforms | information sharing on cyber threats |
ICT risks and digital security
Companies must build an ICT risk management system that includes inventory of digital assets, regular assessment of digital service risks, implementation of a vulnerability management policy and conducting penetration testing.
Incident management: reporting and responsibilities
DORA requires companies to implement incident management: formalizing processes for detecting, classifying and reporting ICT incidents, as well as sharing information on cyber threats with regulators and industry platforms. For banks, a three-stage incident reporting process is provided: an immediate notification, a detailed report and a final impact analysis.
COREDO’s practice confirms that automating incident management and integrating it with the risk management system significantly reduces response time and lowers the likelihood of fines for non-compliance with DORA.
Digital operational resilience testing
Regular testing of operational resilience is a mandatory DORA requirement for all financial organizations. This includes stress-testing ICT systems, conducting scenario exercises, penetration testing and disaster recovery drills. Best practices for testing digital resilience under DORA include using KPIs and digital resilience metrics to assess a company’s readiness for cyber threats.
The COREDO team implemented projects to deploy automated resilience testing platforms for investment companies, which increased testing efficiency and reduced operational costs.
Third-party and cloud risk management
DORA and cloud providers are one of the most complex topics for international companies. The regulation requires strict third-party risk management, conducting supplier due diligence, monitoring SLAs and controlling incidents in the supply chain. For SaaS platforms and cloud services, integrating DORA into provider selection and audit processes is necessary.
COREDO’s solution for a group of fintech companies in the EU included the development of due diligence checklists, automation of contractor monitoring and the implementation of a multi-cloud strategy, which ensured compliance with the new DORA requirements and increased the resilience of business processes.
DORA for banks, insurers, fintech and investments
DORA for banks entails special attention to the business processes of digital banks, incident management and stress-testing of ICT infrastructure. For insurance companies the emphasis is on managing digital infrastructure and sharing information about cyber threats. Fintech companies and payment organizations must implement DORA regulation compliance in an environment of rapid digital innovation and multi-cloud operations.
Investment firms are required to integrate DORA into third-party due diligence and supply chain management processes. In each case COREDO develops tailored solutions that take into account the specifics of digital ecosystems and regulatory constraints, enabling clients not only to meet DORA requirements but also to strengthen their competitive positions in the market.
DORA in international companies: implementation
Implementing DORA in international companies requires taking into account the extraterritorial effect of the regulation, integrating DORA into corporate governance and building multi-cloud strategies. For companies outside the EU it is critical to ensure supply chain management and control over IT providers working with European clients.
In one of COREDO’s cases for an international group in Asia, a project was implemented to integrate DORA into risk management processes and compliance automation, which made it possible not only to pass DORA regulatory checks, but also to increase the company’s digital maturity.
Corporate governance under DORA: role of top management
DORA places personal responsibility on top management and the board of directors for implementing and maintaining a system of digital operational resilience. The role of the CISO and CIO in implementing DORA becomes key: they are responsible for strategic management of digital risks, integrating DORA into corporate governance and preparing reports for regulators.
COREDO recommends holding regular training sessions for top management on new DORA responsibilities, as well as implementing compliance automation systems to minimize human factor risks and increase the transparency of ICT risk management processes.
This will ensure business readiness for the new requirements and a seamless transition to the practical preparation stage for DORA in 2025.
Preparing for DORA for business in 2025
Preparing for DORA for business in 2025 is not only about complying with new requirements, but also about building a sustainable foundation for your company’s digital and operational security. In 2025 financial organizations and their IT partners will need to review their processes to ensure ICT risk management, conduct resilience testing and establish supplier management under the new standards.
Next we’ll look at how to choose and implement solutions for DORA so that the business not only complies with the law but is also protected from digital threats.
Solutions for DORA: how to choose and implement
- Conduct an audit of digital processes and identify risk areas.
- Develop and approve an ICT risk management policy, integrate it with business continuity and disaster recovery.
- Implement automated platforms for monitoring IT service providers, managing SLAs and third-party due diligence.
- Organize training for employees and top management on the new DORA requirements.
- Set up incident management and incident reporting processes in accordance with the requirements of EU regulators.
- Implement multi-cloud strategies and integrate DORA into cloud provider selection processes.
The COREDO team implemented a similar step-by-step strategy for a European payment organization, which made it possible not only to ensure business continuity under DORA, but also to reduce the costs of meeting requirements through automation and compliance.
Metrics and KPIs for assessing DORA
To evaluate the effectiveness of DORA implementation, we recommend using the following KPIs and digital resilience metrics:
- Response time to ICT incidents.
- Proportion of incidents fully investigated on time.
- Maturity level of ICT risk management processes (according to the CMMI model).
- Number of successfully passed stress tests and scenario exercises.
- Percentage of SLA compliance with providers.
- Company digital maturity index.
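As an added illustration of how the first, second and fifth of these KPIs can be computed from an organization’s own incident register and provider SLA checks (example code written for this article, not COREDO’s tooling; the incident records, SLA observations and the 14-day investigation deadline are constructed assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

# Constructed sample ICT incident records (not real data): each carries the
# detection, first-response and investigation-closed timestamps.
@dataclass
class Incident:
    ident: str
    detected: datetime
    responded: datetime
    closed: Optional[datetime]  # None = investigation still open

INCIDENTS = [
    Incident("INC-1", datetime(2025, 3, 1, 9, 0), datetime(2025, 3, 1, 9, 20), datetime(2025, 3, 3, 9, 0)),
    Incident("INC-2", datetime(2025, 3, 5, 14, 0), datetime(2025, 3, 5, 15, 30), datetime(2025, 3, 20, 14, 0)),
    Incident("INC-3", datetime(2025, 3, 9, 2, 0), datetime(2025, 3, 9, 2, 10), None),
]

# Constructed provider SLA observations: (provider, SLA metric, was it met?)
SLA_CHECKS = [
    ("cloud-a", "availability", True), ("cloud-a", "rto", True),
    ("saas-b", "availability", False), ("saas-b", "rto", True),
]

def mean_response_minutes(incidents):
    """KPI: average time from detection to first response, in minutes."""
    return mean((i.responded - i.detected).total_seconds() / 60 for i in incidents)

def investigated_on_time_ratio(incidents, deadline=timedelta(days=14)):
    """KPI: share of incidents whose investigation closed within the deadline.
    An investigation that is still open is not counted as on time (assumed rule)."""
    on_time = sum(
        1 for i in incidents
        if i.closed is not None and i.closed - i.detected <= deadline
    )
    return on_time / len(incidents)

def sla_compliance_pct(checks):
    """KPI: percentage of provider SLA checks that were met."""
    return 100.0 * sum(1 for _, _, met in checks if met) / len(checks)

if __name__ == "__main__":
    print(f"mean response: {mean_response_minutes(INCIDENTS):.1f} min")
    print(f"investigated on time: {investigated_on_time_ratio(INCIDENTS):.0%}")
    print(f"SLA compliance: {sla_compliance_pct(SLA_CHECKS):.1f}%")
```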
DORA and GDPR: similarities and differences
DORA and GDPR often overlap in data management, but have fundamental differences: GDPR focuses on the protection of personal data, while DORA focuses on digital operational resilience and ICT risk management. It is important to harmonize compliance processes to avoid duplication of procedures and reduce the burden on the business. COREDO’s practice shows that integrating DORA into the existing risk management system and automating compliance enables effective adherence to both regulations.
Fines for non-compliance with DORA
Practical recommendations for businesses
- DORA is not only a regulatory requirement but also a strategic tool for enhancing a business’s digital resilience.
- Implementing DORA requires a comprehensive approach: from ICT risk management and incident management to compliance automation and integration into corporate governance.
- Best DORA compliance practices in international companies include regular audits of digital processes, staff training, the adoption of multi-cloud strategies, and automation of vendor monitoring.
- Long-term consequences of DORA implementation: reduction of operational and reputational risks, increased investment attractiveness, and resilience to systemic failures.
- COREDO’s practice confirms: strategic cyber-resilience planning and integrating DORA into business processes are becoming key success factors in the European and international financial markets.