A month with DORA: What has changed for the financial sector? | PAYSTRAX

As digital threats become more sophisticated and frequent, new regulations and standards are essential to safeguard the financial sector from potential disruptions. The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation designed to strengthen the financial industry’s ability to withstand cyber risks and operational disruptions. Since 17 January 2025, DORA applies across the entire EU financial sector, requiring financial entities and the Information and Communication Technology (ICT) service providers they rely on to comply with a comprehensive resilience framework.

Why was DORA needed?

The Digital Operational Resilience Act (DORA) was introduced because the financial sector is increasingly vulnerable to cyber threats, ICT failures, and operational disruptions. As financial services become more digitised, a single cyberattack or IT failure can have systemic consequences, impacting banks, insurance companies, payment service providers, and their customers.

DORA future-proofs the financial sector by making digital operational resilience a core regulatory requirement. It ensures financial institutions are better prepared for cyber threats, operational disruptions, and ICT risks – ultimately making the EU’s financial system more secure and stable.

Key areas of focus

DORA establishes strict requirements for financial entities to strengthen their digital resilience. Now that the regulation applies, all in-scope financial entities in the European Union must meet these requirements, which cover five areas:

  • ICT Risk Management: Implementing robust governance and controls to proactively identify and mitigate cyber risks. Financial institutions must establish a structured risk management framework that ensures continuous monitoring, assessment, and mitigation of ICT threats. This includes regular risk evaluations, the adoption of advanced security measures, and clear accountability at the board level to ensure resilience against evolving cyber threats.
  • ICT-Related Incident Reporting: Establishing standardised procedures for detecting, classifying, responding to, and reporting major ICT-related incidents in a timely manner. Financial entities must report major incidents to their national competent authority (NCA) using the prescribed templates, in stages: an initial notification, an intermediate report, and a final report, each with its own deadline. They may additionally report significant cyber threats on a voluntary basis to support sector-wide intelligence sharing and coordination.
  • Digital Operational Resilience Testing: Financial entities must run a regular testing programme, and those identified by their competent authority on the basis of their risk profile must also undergo Threat-Led Penetration Testing (TLPT). TLPT must cover at least the critical or important functions, is performed on live production systems, and must be carried out at least every three years, although the competent authority may ask an entity to reduce or increase that frequency.
  • Third-Party Risk Management: Financial entities must exercise stricter oversight of ICT third-party service providers, including assessing providers before contracting, ensuring contracts contain the provisions DORA requires, and maintaining a register of information on all contractual arrangements with ICT third-party providers that can be handed to the authorities on request. Critical ICT third-party providers (CTPPs) are directly overseen by the European Supervisory Authorities (ESAs) to reduce systemic risk and limit supply chain vulnerabilities.
  • Stronger Regulatory Oversight & Penalties: Regulators have enhanced supervisory powers, including the ability to impose fines, corrective measures, or operational restrictions for non-compliance. Financial entities should expect increased regulatory scrutiny and mandatory reporting obligations.

What are the benefits now that DORA is in effect?

Now that DORA applies, it brings several key benefits to financial entities, their service providers, and customers:

  • Better protection against cyberattacks, reducing financial losses and reputational damage.
  • All financial entities follow one harmonised set of rules across the EU, reducing compliance complexity for groups operating in several member states.
  • Enhanced preparedness against cyber threats and IT failures.
  • Reduced downtime and service disruptions, ensuring customers have uninterrupted access to banking and financial services.
  • A more secure financial ecosystem, safeguarding sensitive data from breaches and ensuring regulatory compliance.

Building a resilient future

DORA also provides for Information Sharing & Sector-Wide Cooperation: financial entities may voluntarily exchange cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, and security alerts, within trusted communities, provided the exchange protects the sensitivity of the shared information and complies with data protection and competition rules. Such arrangements let institutions identify and mitigate emerging threats faster than any one of them could alone, feed real-world intelligence back into their ICT risk management frameworks and security controls, and help protect critical functions and sensitive data. This improves the risk posture of each participant and supports the stability and continuity of the financial ecosystem as a whole.

Prepared by PAYSTRAX risk and security team: Rokas Muraška, CSRO, and Akvilė Venskavičiūtė, Information Security Specialist.