Navigating DORA: the EU regulation for digital resilience in finance

Siarhei Sukhadolski

May 12, 2025 10 min lesing

Since its enforcement, the Digital Operational Resilience Act (DORA) has become a defining force in how the financial sector addresses ICT risk, security, and third-party dependencies. While the DORA meaning is clear in theory — a unified framework to strengthen digital resilience — applying it across systems, vendors, and operations still leaves many institutions navigating uncertainty.

This isn’t just another DORA regulation summary. You already understand the stakes. The real question is: Are your systems, partners, and internal controls truly aligned with the DORA framework, and what’s your strategy for long-term, sustainable compliance?

So, grab a seat — I’ll walk you through what DORA really expects from your business, and more importantly, how to meet those expectations without slowing down.

DORA framework and the push for unified digital risk governance

DORA, formally known as Regulation (EU) 2022/2554, is a binding EU regulation that came into force on 16 January 2023 and became applicable on 17 January 2025. Its launch wasn’t a theoretical move. It was a direct response to escalating cyber threats in the financial sector. As financial institutions increasingly rely on cloud infrastructure, SaaS platforms, and other external partners to deliver digital services, they’ve also become more vulnerable to interconnected risks that are difficult to predict, contain, and recover from.

The numbers speak for themselves: in 2024, the average cost of a data breach in finance hit $6.08 million, which is 22% higher than the global average of $4.88 million across all industries.

Real-world incidents have only reinforced the need for stronger resilience. In 2018, TSB attempted a major core banking platform migration. Poor risk management, inadequate testing, and ineffective incident handling led to widespread outages, locking thousands of customers out of their accounts. As a result, regulators fined TSB £48.65 million for operational risk and governance failures.

Similarly, in 2019, Capital One suffered a massive breach due to a misconfigured firewall in its cloud infrastructure, exposing data from over 100 million customers. The aftermath included $80 million in penalties and major remediation costs.

The issues didn’t stop there. The CrowdStrike outage in July 2024 made the interconnectedness of digital infrastructure painfully obvious. Triggered by a faulty update, it rippled across critical systems — grounding flights, freezing banking operations, and halting professional services. It wasn’t just a tech glitch; it was a full-scale business continuity crisis, demonstrating how third-party ICT failures can carry systemic consequences.

So, DORA emerged as the EU’s answer: a comprehensive, enforceable regulation built to close the digital resilience gap with clear accountability, harmonized standards, and a framework suited for today’s interconnected economy.

Why DORA compliance is now a business-critical priority

Think of it this way: cybersecurity used to be something you checked off with annual audits, some incident playbooks, and a handful of siloed policies tucked into IT’s corner. But with DORA, that model is no longer good enough. Now, DORA security is everyone’s responsibility — from engineers to executives.

It’s not just about proving you had a firewall — it’s about proving your entire digital supply chain can take a hit and keep running. DORA brings cybersecurity out of the shadows and into the boardroom, forcing companies to treat digital risk like a business-critical issue, not just a technical one.

Who must comply?

The DORA EU regulation applies to more than 20 categories of financial entities across the EU, including:

Banks, insurers, and investment firms
Payment and e-money institutions
Crypto-asset service providers
Trading venues, clearing houses, and central securities depositories
Credit rating agencies, crowdfunding platforms, and more

But the DORA meaning extends beyond traditional finance. The regulation also places critical ICT service providers under the compliance spotlight. That means if you’re delivering technology that supports any core function of a financial entity — whether it’s cloud infrastructure, data analytics, SaaS for payments or onboarding, KYC/AML tools, AI-based fraud detection, or even API platforms that connect core systems — you’re part of the compliance chain now.

The risks of non-compliance

Falling short of DORA standards is a risk to your operations, your reputation, and your long-term strategy. Under DORA, the European Supervisory Authorities (EBA, ESMA, and EIOPA) now have the power to issue financial sanctions, public reprimands, and binding remediation measures. More critically, in cases where a third-party ICT provider is deemed a threat to operational stability, DORA enables regulators to force the termination of contracts, even with those vendors who provide core infrastructure or essential digital services.

But regulatory consequences are only part of the picture. The real cost of non-compliance is multidimensional:

Regulatory reputation: Institutions that fall short of DORA requirements may be flagged as high-risk, leading to tighter supervision, more inspections, and less flexibility in regulatory interactions.
Regulatory reputation: Institutions that fall short of DORA requirements may be flagged as high-risk, leading to tighter supervision, more inspections, and less flexibility in regulatory interactions.
Board-level accountability: DORA frames operational resilience as a governance issue. Boards must set risk thresholds, approve ICT frameworks, and oversee risk treatment with potential personal liability for major failures.
Business continuity: A single ICT failure, either internal or third-party, can cause widespread disruption and compliance breaches, which damage trust and reputation.
Investor and media scrutiny: Public ICT failures can hit headlines and valuations, with long-lasting effects on customer trust, investor sentiment, and team morale.

That’s why financial institutions aren’t just looking for vendors — they’re looking for resilience partners. They want tech providers who understand DORA compliance requirements, offer auditable solutions, and share accountability through strong SLAs, transparent processes, and collaborative testing.

Shield your business. Achieve DORA compliance with confidence.

The real edge behind DORA finance regulation

For financial institutions, the DORA framework marks a fundamental shift in how operational resilience defines market leadership. Compliance alone is no longer enough. DORA forces financial firms to prove they can sustain critical services through severe ICT disruptions — even when failures occur in outsourced ecosystems beyond their direct control.

This is where the strategic value emerges:

Resilience as a market credential: Institutions that align with DORA standards and can demonstrate real operational resilience — tested, auditable, and continuously monitored — are better positioned to win client trust, secure B2B partnerships, and attract investor confidence. In a financial sector increasingly defined by digital experience and continuity, proven resilience becomes a differentiator as powerful as pricing or product innovation.
Faster recovery as a strategic edge: Consider two payment providers hit by the same cloud service outage. The firm that reroutes transactions within minutes, thanks to tested failover systems and strong third-party contingency planning, retains clients and market reputation. The firm that takes hours to recover risks customer attrition, regulatory penalties, and public scrutiny.
Third-party control as operational stability: DORA compels firms to extend governance over outsourced ICT functions and demands full contractual rights to audit, monitor, and intervene in third-party operations. Institutions that proactively manage these dependencies can avoid serious risks that come from unstructured vendor relationships.
Board-level integration as a trust signal: Resilience is no longer an IT function buried in technical departments. Under the DORA EU regulation, boards must actively govern ICT risks. Institutions that embed resilience KPIs into enterprise risk frameworks, alongside capital, liquidity, and credit risk, demonstrate to regulators, clients, and partners that they are serious about operational durability.

In effect, DORA finance regulation transforms resilience from a defensive compliance exercise into a proactive business strategy. Institutions that treat DORA as an opportunity will move faster, recover stronger, and build deeper trust than competitors still focused solely on technical security measures.

“At Innowise, we’ve thoroughly analyzed DORA’s requirements and reinforced our commitment to digital resilience at every level. Whether you need consulting, DevSecOps integration, resilience testing, or full compliance support, we have the expertise to keep you ahead. We also bring the right tools and operational discipline to help you build the future of secure finance.”

Dzianis Kryvitski

Leveransesjef i FinTech

DORA standards vs. existing cybersecurity frameworks

You may be wondering: if regulations like NIS (Network and Information Security Directive) 2 and GDPR (General Data Protection Regulation) were already in place, why was DORA even necessary? Good point — and in fact, NIS 2 and GDPR still play important roles in strengthening cybersecurity and data protection across the EU. However, the principal difference is that the DORA framework goes beyond safeguarding information. It focuses on ensuring the continuous delivery of critical financial services, even during severe ICT disruptions.

To make the distinctions clear, I’ve compiled the main differences in the table below:

Beskrivelse	DORA	NIS 2	GDPR
Scope	Applies to financial entities and critical ICT third-party providers across the EU financial sector	Applies to essential and important entities across critical sectors in the EU	Applies globally to organizations handling personal data of EU citizens
Purpose	To strengthen ICT risk management, third-party oversight, and operational resilience for uninterrupted delivery of financial services	To improve overall cybersecurity standards across essential services, including energy, transport, healthcare, and digital infrastructure	To protect the personal data and privacy rights of EU citizens
Incident reporting	Major ICT-related incidents must be reported without undue delay using standardized templates	Significant cybersecurity incidents must be reported within 24 hours to national authorities	Personal data breaches must be reported within 72 hours to the supervisory authority
Third-party risk management	Mandatory contractual oversight, monitoring, and exit strategies for critical ICT third-party providers	Supply chain cybersecurity risk management encouraged but less prescriptive compared to DORA	Data processors must ensure security of personal data but operational resilience requirements for vendors are not defined
Testing & audit requirements	Requires periodic resilience testing, including advanced threat-led penetration testing (TLPT) every three years for critical entities	Requires risk assessments and general cybersecurity measures but no mandatory resilience or penetration testing standards	Requires appropriate technical and organizational security measures but no mandatory resilience testing
Governance & accountability	Board and management body must define, approve, oversee, and be accountable for ICT risk management	Management must approve cybersecurity measures, but operational resilience governance is less detailed	Data controllers and processors are accountable for data protection, but there is no specific operational resilience governance requirement
enalties	No fixed penalties defined; national and EU supervisors have authority to impose fines, remediation orders, or mandate termination of critical third-party contracts	Essential entities: up to €10M or 2% of global turnover; Important entities: up to €7M or 1.4% of global turnover	Severe violations: up to €20M or 4% of global turnover; Less severe violations: up to €10M or 2% of global turnover

Turning DORA compliance requirements into business action

DORA compliance is built on five pillars. Together, these pillars challenge financial institutions to rethink how they manage digital risk as a core business capability. Let’s walk through what matters most and how Innowise can help you take the right steps toward full compliance.

1. ICT risk management: building digital resilience into core operations

DORA requires financial institutions to build digital resilience into every part of their operations — from identifying risks to protecting, detecting, responding, and recovering. It’s not about reacting after something goes wrong. It’s about staying one step ahead, minimizing disruption, and strengthening your systems before trouble hits.

How Innowise can support

Critical systems and risk mapping: We map your core business functions and ICT assets to spot weak points before they become crises.
Real-time threat detection: Our teams configure and fine-tune SIEM and SOAR platforms to provide continuous monitoring aligned with DORA security principles.
GRC platform integration: We help you choose, customize, and connect GRC tools to your workflows and make risk tracking part of your daily business.
Continuous risk testing and monitoring: We run regular threat modeling, penetration tests, and automated code scans to catch risks early and strengthen defenses.
DevSecOps best practices: We embed security checks directly into your development pipelines, so resilience is built in, not bolted on.

2. Incident reporting: streamlining detection and regulatory notifications

Financial institutions must detect, classify, and report ICT-related incidents to regulators swiftly, following strict templates and timelines. A disorganized or delayed response can lead to reputational damage, regulatory penalties, or worse, a loss of market trust. To meet DORA’s demands, businesses need to turn ad-hoc processes into streamlined, auditable workflows.

How Innowise can support

Automated detection and response: We set up smart systems that flag, classify, and escalate incidents instantly based on criticality.
Regulatory-ready reporting tools: Our experts build or tune your reporting systems to auto-generate reports that meet DORA requirements.
Simulation drills and tabletop testing: We organize live-fire exercises to stress-test your incident response and reporting processes.
Rapid incident support: Our teams are here to guide you through real incident escalations and reporting deadlines without panic.
Security-first incident detection: We also advise on implementing secure coding practices and real-time monitoring to catch issues earlier, not after the damage is done.

3. Digital operational resilience testing: stress-testing systems before they fail

DORA doesn’t just demand that businesses claim resilience. It requires them to prove it through regular, threat-led digital operational resilience testing (TLPT). Institutions must subject critical systems to extreme, realistic scenarios to expose hidden vulnerabilities and validate recovery capabilities.

How Innowise can support

Penetrasjonstesting and red teaming: We simulate real-world cyberattacks and system failures to find weaknesses before attackers do.
Threat-led testing programs: Our specialists design TLPT programs tailored to your business risks and regulatory needs.
Disaster recovery plan testing: We run full disaster recovery drills and recovery point testing to check if your business can bounce back when it matters. .
Automated testing frameworks: We help automate resilience tests and track the results so you can show regulators real evidence.
Secure development and resilience: We also advise on secure software development practices, threat modeling, and risk assessment to strengthen systems before they're tested.

4. ICT third-party risk management: controlling risks beyond your perimeter

Under DORA, financial institutions are directly accountable for the resilience of their third-party ICT providers — from cloud services and software vendors to outsourced IT partners. A supplier’s failure could instantly become a regulatory crisis for you. That’s why DORA finance regulation demands continuous oversight and documented controls across all ICT partners.

How Innowise can support

Vendor risk inventory building: Innowise creates centralized systems that track all your ICT suppliers, dependencies, and resilience gaps.
Third-party audits and assessments: Our teams run detailed resilience audits on critical vendors — from cybersecurity defenses to incident response readiness.
Real-time third-party monitoring: We integrate smart tools that continuously track vendor risks, contract compliance, and early warning signals. .
Contract resilience consulting: Our experts review and strengthen ICT vendor contracts with built-in risk mitigation, transparency, and exit clauses.
Third-party DevSecOps alignment: We help make sure your critical vendors meet secure development and operational standards right from onboarding.

5. Information sharing: strengthening sector-wide resilience collaboratively

DORA cybersecurity regulation encourages financial entities to actively share information on cyber threats, vulnerabilities, and incidents, not as a formality, but as a strategic defense mechanism. By contributing to trusted networks, organizations strengthen collective resilience and gain early warning intelligence that could prevent major disruptions.

How Innowise can support

Threat intelligence platform setup: We connect your systems to trusted intelligence networks and integrate threat feeds into your internal defenses.
Secure information sharing workflows: Our consultants build safe, compliant ways to share and receive threat information without exposing sensitive data.
Cyber intelligence analysis: We help turn incoming threat feeds into clear, actionable insights that improve your risk posture..
Public-private collaboration support: We assist with technical and legal frameworks to work closely with regulators and sector resilience programs.
Proactive risk modeling: We also help model risks based on external threat intelligence, so you’re preparing for what’s coming, not reacting to what has already happened.

Build unstoppable resilience and stay ahead with Innowise.

Starting your journey toward full DORA security

Meeting DORA compliance requirements demands a clear, structured approach that connects risk management, incident response, third-party oversight, and operational testing. I’ve mapped out the essential steps to help you move from compliance on paper to resilience in practice.

Review your ICT risk management framework

Check if you have a formal ICT risk management framework. If not, building one should be your first move. Use established standards as a foundation and align them with DORA’s full risk lifecycle.

Identify gaps against DORA requirements

Assess whether your current framework fully meets DORA expectations. Focus on sikkerhetstesting, resilience KPIs, third-party risk management, and governance to shape your immediate priorities.

Strengthen your incident response and reporting

Evaluate your incident detection, escalation, and reporting. Confirm they meet DORA’s timelines and content requirements. If needed, upgrade workflows, reporting templates, and escalation paths.

Build a threat-led testing program

Build a resilience testing plan. Define what systems you will test, how often, and how results will be documented. Include penetration testing, scenario-based drills, and red teaming where relevant.

Develop a DORA compliance roadmap

Create a structured roadmap covering required investments, system upgrades, governance changes, and staff training. Prioritize critical areas first and align timelines with regulatory milestones.

Automate risk monitoring & compliance reporting

Automate risk assessments, incident tracking, and compliance reporting. Custom software, DevSecOps practices, and integrated monitoring tools make compliance scalable, repeatable, and auditable.

01 Review your ICT risk management framework

Check if you have a formal ICT risk management framework. If not, building one should be your first move. Use established standards as a foundation and align them with DORA’s full risk lifecycle.

02 Identify gaps against DORA requirements

Assess whether your current framework fully meets DORA expectations. Focus on sikkerhetstesting, resilience KPIs, third-party risk management, and governance to shape your immediate priorities.

03 Strengthen your incident response and reporting

Evaluate your incident detection, escalation, and reporting. Confirm they meet DORA’s timelines and content requirements. If needed, upgrade workflows, reporting templates, and escalation paths.

04 Build a threat-led testing program

Build a resilience testing plan. Define what systems you will test, how often, and how results will be documented. Include penetration testing, scenario-based drills, and red teaming where relevant.

05 Develop a DORA compliance roadmap

Create a structured roadmap covering required investments, system upgrades, governance changes, and staff training. Prioritize critical areas first and align timelines with regulatory milestones.

06 Automate risk monitoring & compliance reporting

Automate risk assessments, incident tracking, and compliance reporting. Custom software, DevSecOps practices, and integrated monitoring tools make compliance scalable, repeatable, and auditable.

Though these steps provide a solid starting point, every company’s path to DORA security will look a little different. You may need a broader scope, a deeper focus, or simply more confidence that nothing has been missed. In these cases, the smartest move is to have cybersecurity experts by your side — professionals who can guide you through the entire process and dive deep into the critical areas.

Innowise expertise for DORA compliance

Achieving DORA compliance demands proven expertise in cybersecurity, operational resilience, and regulatory readiness. At Innowise, we bring a strong foundation of recognized standards, frameworks, and real-world technical capabilities that align directly with DORA requirements.

Our compliance and resilience expertise includes:

ISO 27001 Certification (information security management system)

We apply ISO 27001 best practices to build strong risk management, governance, and incident response frameworks, which are the critical foundations for DORA compliance.

Alignment with the NIST cybersecurity framework

We structure our resilience programs around NIST principles, covering threat identification, protection, detection, response, and recovery, fully in line with DORA’s operational risk approach.

SOC 2 Type II Compliance (for cloud-based and managed services)

When delivering cloud or managed services, our SOC 2 compliance ensures robust controls over data security, availability, and confidentiality to support DORA’s third-party oversight requirements.

Advanced Cloud Security Posture Management (CSPM)

We use leading CSPM tools (like Chef Compliance, tfsec, OpenSCAP, CloudBots) to detect and fix misconfigurations across cloud environments, thereby reducing operational risk.

Continuous compliance monitoring and reporting

Tools such as ELK, Nagios, Prometheus, Grafana, and Kibana allow us to deliver real-time compliance status, incident insights, and resilience trends, which are critical for DORA’s monitoring and reporting expectations.

Built-in compliance controls

Our development and operational practices incorporate pre-approved compliance controls through tools like Terraform and Ansible, ensuring regulatory readiness at every stage of the technology lifecycle.

Automated compliance audits

Regular resilience audits using platforms like Lynis, Wazuh, Checkov, OpenSCAP, and CIS-CAT keep operational resilience practices current and ready for regulatory scrutiny.

Future-proof your compliance with Innowise expertise.

DORA and the future of financial cybersecurity

DORA is shaking up the financial world — and not quietly. The regulation is now in full swing, but for many institutions and vendors, things still feel a bit uncertain. I’ve had countless conversations lately with tech leads, compliance teams, and board members trying to unpack the DORA meaning in real, operational terms. So, I’m laying out the most common questions I get — and how I see it all unfolding.

DORA is here. So what now?

Now that DORA is live, most financial institutions have moved from planning to doing. But here’s the reality — a lot of companies still aren’t fully there. According to a McKinsey-undersøkelsen from mid-2024, only about a third of firms felt confident they’d meet all DORA requirements by January 2025. Even the confident ones admitted they’d be ironing out processes well into this year. The biggest pain point? Managing third-party risk at scale. For many, just figuring out which vendors count as “critical” under the DORA framework has been a project in itself.

So, what’s actually happening on the ground? Teams are getting more organized. Companies are setting up dedicated DORA programs, pulling in people from IT, legal, compliance, and procurement, and investing in platforms that bring everything under one roof. There’s also a growing shift from treating DORA as “just another IT thing” to making it a board-level conversation. One recurring challenge is working with smaller tech vendors who simply don’t have the resources to hit all the compliance marks. That means some financial institutions are now acting as support partners, not just clients.

And the pressure isn’t stopping at DORA. Inside the EU, NIS 2 is tightening rules for critical infrastructure, and the Cyber Resilience Act is about to put product-level security under the microscope. Meanwhile, regulators outside the EU are watching closely. The UK’s FCA and PRA have already rolled out their own resilience rules, and in the US, the SEC now expects public companies to disclose how they handle cyber risks. If you’re thinking long-term, DORA finance regulation isn’t just a European rule — it’s a global starting point.

Will AI and automation make compliance less of a headache?

AI for regulatory compliance is definitely going to play a bigger role — not just in theory, but in day-to-day operations. A lot of teams are already using natural language processing (NLP) tools to go through massive piles of contracts and vendor agreements. These tools help spot red flags automatically, like missing audit rights or vague recovery time guarantees. Instead of relying on lawyers or compliance leads to scan through every line manually, companies are plugging in AI to flag risks upfront and keep documentation tight from day one.

On the automation side, things are moving fast. Tools like SOAR — that’s Security Orchestration, Automation, and Response — are making it way easier to handle incidents without the chaos. Let’s say something breaks. These platforms can trigger alerts, lock things down, and even generate the initial DORA-compliant report for regulators, all without a human jumping in first. And GRC platforms like ServiceNow or MetricStream are leveling up, too. They’re adding smart dashboards, automated resilience testing, and bots that remind teams when to run drills or check on third-party KPIs.

How does DORA affect software development outsourcing?

DORA doesn’t regulate tech vendors directly, but it does hold financial institutions fully responsible for the resilience of the software they use. That’s a big deal. It means banks, insurers, and fintechs can’t just pick a dev team based on speed or budget anymore. If your code ends up in anything remotely critical — like payments, onboarding, trading platforms — then your client needs to prove that the software is secure, tested, and traceable from end to end.

So what does that actually look like in practice? Procurement teams are now asking for things like secure SDLC documentation, automated test logs, and vulnerability scan reports right up front. Contracts are getting updated with resilience clauses that cover everything from backup recovery times to incident response responsibilities. Some companies are even running joint testing sessions with their vendors to stress-test response times. The Bottom line is if you’re building financial software for a client, you’re part of their compliance story now.

Avsluttende tanker

I hope you’re walking away from this post feeling a little more confident about DORA — or at the very least, asking yourself the right questions. And honestly, that’s already a big step. Whether you’re just starting to unpack the regulation or knee-deep in implementation, the path to compliance doesn’t have to be overwhelming.

At Innowise, we’re here to help you make sense of the DORA maze, build real digital resilience, and keep your business protected not just for now, but for whatever comes next.

Del:

Siarhei Sukhadolski

FinTech-ekspert

Siarhei leder FinTech-avdelingen vår med dyp bransjekunnskap og et klart syn på hvor digital finans er på vei. Han hjelper kundene med å navigere i komplekse regelverk og tekniske valg, og utformer løsninger som ikke bare er sikre - men som også er bygget for vekst.

Innholdsfortegnelse

Kontakt oss

Bestill en samtale eller fyll ut skjemaet nedenfor, så kontakter vi deg så snart vi har behandlet din

Navn

Selskap

E-post

Telefon

Melding Ta med prosjektdetaljer, varighet, teknisk stack, behov for IT-fagfolk og annen relevant informasjon.

Spill inn en talemelding om din
prosjektet for å hjelpe oss å forstå det bedre

Legg ved ytterligere dokumenter om nødvendig

Last opp fil

Du kan legge ved opptil 1 fil på totalt 2 MB. Gyldige filer: pdf, jpg, jpeg, png

Vær oppmerksom på at når du klikker på Send-knappen, vil Innowise behandle personopplysningene dine i samsvar med vår personvernerklæring. Retningslinjer for personvern med det formål å gi deg relevant informasjon. Ved å oppgi et telefonnummer og sende inn dette skjemaet samtykker du til å bli kontaktet via SMS. Priser for meldinger og data kan påløpe. Du kan svare STOPP for å reservere deg mot ytterligere meldinger. Svar Hjelp for mer informasjon.