If you work in a financial entity, or in a company that supplies technology services to one, DORA is already part of your daily life. The Digital Operational Resilience Act has applied directly across the entire European Union since 17 January 2025, and it is not a recommendation: it is an obligation. In this article I explain plainly what it is, who is affected, what it requires and where it makes sense to begin.
What DORA is, in one sentence
DORA (the Digital Operational Resilience Act) is the European regulation that requires the financial sector to withstand, respond to and recover from any incident related to information technology. In other words: having IT security is no longer enough; you have to demonstrate that the organisation keeps operating even when something breaks.
Who it applies to
DORA's scope is broad. It covers almost the whole European financial sector and, indirectly but in practice very tangibly, its technology providers. Among the entities subject to it:
- Credit, payment and electronic money institutions.
- Investment firms and fund management companies.
- Insurance and reinsurance undertakings.
- Crypto-asset service providers.
- And, notably, third-party ICT service providers deemed critical, which are placed under direct oversight.
If you are a technology provider to banks, you had better understand DORA even if you are not a financial entity: your clients will impose it on you by contract.
The five pillars of DORA
The whole regulation is built around five blocks. Understanding them means understanding DORA:
1. ICT risk management
The foundation of everything. It requires a solid framework to identify, protect, detect, respond and recover. This is neither optional nor delegable: ultimate responsibility rests with the management body.
2. Incident management, classification and reporting
You have to detect ICT-related incidents, classify them by severity and report the most serious ones to the authorities within precise deadlines. Improvising is expensive here.
3. Digital operational resilience testing
Saying you are ready is not enough: you have to prove it through regular testing. The most significant entities must carry out advanced testing based on real threats.
4. Third-party risk management
One of the most demanding points. It requires you to control the risk introduced by technology providers, with specific contractual clauses and an up-to-date register of information.
5. Information sharing
DORA encourages entities to share threat intelligence with one another, to strengthen the resilience of the sector as a whole.
Where to start if you have not made progress yet
If you are behind, don't panic, but you do need to get moving. Here are the first steps I recommend on the projects I work on:
- Gap analysis. Compare what you already have (probably a lot, if you comply with ISO 27001) with what DORA requires. Identify the real gaps.
- ICT provider inventory. Knowing who you depend on is half the third-party pillar. Without that mapping, you cannot manage it.
- Incident management framework. Define how you detect, classify and report, with clear deadlines.
- Involve senior management. DORA places responsibility with the management body. If it is not informed and engaged, the project stalls halfway.
An under-exploited advantage: if your organisation already has an information security management system compliant with ISO 27001, you start with a good part of the journey already done. DORA and security risk management overlap on many points.
Getting trained in DORA: why certification makes the difference
Understanding DORA by reading the regulation is possible, but slow and full of nuance. A recognised certification, such as PECB's DORA Lead Manager, gives you the complete, structured framework, and accredits you to your organisation and the market as the person able to lead the path to compliance. For compliance and risk teams in the financial sector, it is one of the most valuable courses right now. The DORA Lead Manager course is available as an official PECB Self-Study option so you can progress at your own pace, or with one-to-one coaching until you are ready for the exam, in the standards I teach as a PECB Certified Trainer.