What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA) is an important EU regulation that changes how European banks have to approach cybersecurity and operational resilience.

DORA has applied since 17 January 2025 and requires banks to meet a number of new regulatory obligations, which has caused some challenges. In fact, 43% of organisations admitted they wouldn’t be fully compliant by the deadline.

Banks that don’t comply with DORA’s requirements can face hefty fines, so it’s important to understand what it requires and how it could affect your operations.

In this article, we’ll explain what DORA is, why it exists and what it means for your bank.

Key points:

  • The Digital Operational Resilience Act (DORA) is an EU regulation that requires banks to prove they can handle digital disruptions like cyberattacks and system failures
  • Third-party risk management is often the biggest challenge, with banks needing to review dozens of supplier contracts and regularly monitor them
  • G+D Netcetera helps banks stay up to date with regulatory changes and comply with DORA’s requirements


What is DORA?

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation that aims to improve the digital resilience of the European financial sector. It entered into force on 16 January 2023 and has applied since 17 January 2025. It covers not only banks but a broad range of financial entities (including insurers, investment firms, payment institutions and crypto-asset service providers) and brings critical ICT third-party providers under direct EU oversight.

Its aim is to ensure banks and other financial institutions can withstand, respond to and recover from digital disruptions. These might include cyberattacks, system failures and downstream effects of third-party technology provider issues.

DORA forms part of a broader package of EU regulatory changes that affect the financial services sector. It sits alongside the proposed PSD3 (enhancing payment security), the proposed FIDA (expanding open finance) and the Instant Payments Regulation (making SEPA Instant Credit Transfer available across the euro area).

The regulation is built around five key pillars:

  1. ICT risk management and governance - A comprehensive ICT risk management framework must be established, with the management body holding ultimate responsibility and accountability for it
  2. Incident reporting - Major ICT-related incidents must be classified and reported to competent authorities within set timeframes (initial notification, intermediate report and final report)
  3. Digital operational resilience testing - ICT systems supporting critical or important functions must be tested at least yearly, and entities designated by their competent authority must carry out threat-led penetration testing (TLPT) at least every three years
  4. ICT third-party risk management - All ICT service arrangements must be subject to ongoing risk assessment and monitoring, with a register of information covering all contractual arrangements
  5. Information sharing - Financial entities are encouraged (but not obliged) to exchange cyber threat information and intelligence with each other through trusted communities, and must notify their competent authority when they join or leave such an arrangement
     

Key contractual requirements for IT suppliers

DORA requires specific contractual provisions to be incorporated into agreements with technology suppliers. These include:

  • Service provisions: Complete service level descriptions with quantitative and qualitative performance targets, clear descriptions of where functions are provided and data is processed, and, for providers supporting critical or important functions, adherence to recognised information security standards.
  • Security and audit provisions: Implementation and testing of business contingency plans, predetermined audit frequencies, and unrestricted rights of access, inspection and audit for the bank (or an appointed third party) and for competent authorities.
  • Data protection: Provisions ensuring availability, authenticity, integrity and confidentiality of data, plus guaranteed access, recovery and return of data in an easily accessible format in case of the supplier’s insolvency, resolution or discontinuation of business.
  • Cooperation obligations: Assistance during ICT incidents at no additional cost (or at a cost agreed in advance), participation in the bank’s ICT security awareness programmes and resilience training, and full cooperation with competent and resolution authorities.
  • Exit provisions: Clear termination rights in cases of law breaches, circumstances that could alter the supplier’s performance, or weaknesses in the supplier’s ICT risk management, together with a documented exit strategy that avoids disruption to the bank’s services.

What problems does DORA aim to solve?

Before DORA, European banks had to comply with different cybersecurity requirements in each member state. This was complex and costly for banks to navigate, and could often result in gaps in protection.

It also distorted competition. Banks that operated in countries with stricter requirements had to invest more in cybersecurity than those in countries with lighter requirements.

As digital banking has grown, banks have become increasingly attractive targets for cyber criminals (both individuals and states) whose methods have also become more sophisticated. But without consistent security standards, Europe was left vulnerable. Successful attacks on weaker parts of banking infrastructure could spread across the whole financial system. In essence, it was only as strong as its weakest link.

Dependency on third parties was also a challenge. Modern banks rely heavily on cloud providers, payment processors and other technology suppliers, so they were exposed when these suppliers had problems. The CrowdStrike outage in July 2024, caused by a faulty update pushed to millions of Windows endpoints, is one example of how global financial services can be disrupted by a single technology provider’s failure. Unfortunately, there were no consistent EU-wide standards to help manage these risks.

Finally, it was hard for regulators to understand risks and coordinate effective responses due to inconsistent incident reporting within the financial sector.

DORA is a response to all these issues, creating consistent standards that apply across every EU member state.

What challenges does DORA pose for European banks?

Meeting DORA’s requirements takes a lot of investment in both technology and expertise. And not adhering to them can be costly. DORA itself leaves the scale of administrative penalties for financial entities to the member states, which lay down their own rules on fines and remedial measures; depending on the national regime, these can include substantial financial penalties and personal liability for members of the management body. The one figure fixed in the regulation is for critical ICT third-party providers, which can be charged a periodic penalty payment of up to 1% of their average daily worldwide turnover for every day they fail to comply with the Lead Overseer’s requirements.

Third-party risk management

Meeting DORA’s third-party risk management requirements is widely considered the biggest challenge for European banks. Nearly half of financial institutions are struggling with this because they need to review dozens or hundreds of existing contracts with technology suppliers to ensure they include DORA-required clauses (like service continuity, incident reporting and audit rights). Many of these contracts would have been signed before DORA existed and lack the required provisions entirely. Banks also struggle to create clear ICT third-party risk management strategies, with many finding their current approach vague or not properly documented.

ICT risk management and governance

Banks can struggle to get a complete picture of their critical services and often handle things differently across regions, which makes it hard to meet DORA’s requirement for a unified ICT risk management framework.

ICT-related risks like third-party dependencies and information security are often managed by separate teams that don’t communicate effectively. This creates a fragmented approach that makes comprehensive oversight difficult. And when senior management and board members aren’t engaged enough with these technical issues, it becomes harder to get the resources and support that compliance requires.


Incident reporting and operational resilience testing

Often, banks don’t have a single place where they report incidents across the group. And they may not have consistent ways of classifying incidents, which is a problem because DORA requires standardised reporting of major ICT-related incidents to regulators within specific timeframes: an initial notification within four hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month.

Many banks are also still assessing risks on an ad-hoc basis rather than following the consistent schedule that DORA requires, and their testing often focuses too much on paperwork instead of real-world scenarios.

When banks do penetration testing, many only test certain parts of the organisation. DORA’s threat-led penetration testing must instead cover the live production systems supporting critical or important functions, so partial scoping leaves gaps that could lead to compliance failures.

Information sharing

Bank employees aren’t always sure who’s responsible for setting up information sharing arrangements between different entities, which can delay or prevent participation in the cyber threat intelligence sharing that DORA encourages.

There are also compliance risks when sharing information across borders because different countries have different rules, and many banks don’t have the right tools to share information effectively - making it harder to benefit collectively.

Due diligence and ongoing monitoring

The ongoing due diligence requirements have also proved challenging. DORA requires continuous monitoring of your technology providers, rather than just checking them when you first work with them, with particular attention to those supporting critical or important functions. So tracking their financial stability, security practices and operational resilience has to be done on an ongoing basis. And this means banks need to invest in new monitoring systems and dedicate employees to constantly assess hundreds of suppliers.

Compliance costs

The costs of compliance can be very high. Industry estimates suggest banks could spend up to $10,000 per employee each year to be DORA compliant. For a bank with 5,000 employees, that’s around $50 million per year. These costs can include everything from hiring cybersecurity specialists and upgrading monitoring systems to conducting regular penetration testing and implementing new reporting tools.

But there’s a silver lining for banks that meet these challenges. Banks that approach DORA strategically should find that it helps them build a stronger operation. Better cybersecurity and operational resilience can also help build customer trust and reduce operational risks. It might even lower your insurance premiums.

Looking ahead

While complying with DORA can be challenging and costly, the key to success is viewing it as an opportunity to modernise your risk management - rather than ticking another compliance box.

Banks that invest in proper ICT risk frameworks and maintain strong supplier relationships will be better positioned for long-term success in an increasingly digital world.


Want to learn how G+D Netcetera can help your bank stay up to date with regulatory changes? Get in touch with our experts.
