The Digital Operational Resilience Act (DORA) requires EU operating financial service organisations to meet compliance by January 2025. In this post, co-authored by Kocho and Evolve North, we explain why this matters, how it could impact you, and what you can do to meet the deadline.
Time is running out.
The deadline for financial institutions to meet DORA requirements is January 2025. So, for any organisation that has yet to do so – there’s really no time to waste.
Now let’s look at the requirements, implications, and options available to meet compliance obligations.
What is DORA?
DORA was introduced in January 2023 to strengthen the financial sector’s digital resilience. It provides clear guidelines for managing IT risks, reporting incidents, testing resilience, and managing third-party risks.
Organisations were then given two years to achieve compliance by January 2025.
During this time they’ve been required to align their ICT risk management and operational resilience to DORA standards.
- January 2023: DORA comes into effect, starting the compliance clock.
- 2023-2024: Organisations should conduct gap analyses, strengthen ICT risk frameworks, and implement resilience testing.
- January 2025: Deadline for full compliance.
The rules also cover third-party providers, holding them to the same standards as financial institutions. Firms must secure their systems and ensure partners meet DORA requirements too.
Who needs to be DORA compliant?
DORA applies to a wide range of organisations within the financial services sector, including:
- Credit institutions and investment firms
- Payment and electronic money institutions
- Insurance and reinsurance undertakings
- Crypto-asset service providers
- ICT third-party providers (e.g., cloud services)
Essentially, if a financial entity operates in the EU, DORA likely applies to it. UK-based organisations may also need to comply, particularly if they have operations or partnerships in the EU.
Even post-Brexit, aligning with DORA is often necessary to maintain market access and ensure smooth cross-border relationships, given the interconnected nature of financial services between the UK and EU.
Independent Research
Cyber Threat Report 2025
Key threats, popular strategies, and what IT leaders predict will have the biggest impact on cyber security in 2025.
Discover more insights like this:
- 91% want to simplify their security stack
- 94% plan to integrate AI within 6-18 months
- 64% rank data security a top priority
DORA’s key focus areas for resilience
DORA focuses on several critical areas to help financial services enhance digital resilience and ensure they’re prepared for evolving risks.
IT risk management
DORA sets requirements for managing ICT risks:
- Implement strong governance and controls
- Build resilient ICT systems with ongoing risk management
- Establish robust continuity and disaster recovery plans
Risk management frameworks should match the organisation’s size and complexity.
Incident reporting
DORA emphasises prompt and effective incident reporting:
- Detect, log, and manage incidents quickly
- Report significant incidents consistently to authorities
- Maintain transparency through regular updates
Effective and clear reporting helps protect the entire financial ecosystem.
Resilience testing
Testing resilience is crucial for staying ahead of threats:
- Periodically test ICT systems for vulnerabilities
- Conduct advanced tests like TLPT for high-risk organisations
- Address weaknesses promptly
Testing frequency should match the organisation’s risk level.
Third-party risk management
Managing third-party risks is essential:
- Closely manage risks from ICT providers
- Contracts should specify service levels, data locations, and exit strategies
Third-party risk is key to overall ICT risk management.
Information sharing
DORA encourages information sharing to strengthen defences:
- Share threat intelligence with other financial firms
- Collaborate to build collective defences and reduce risks
Sharing information helps the sector mitigate risks more effectively and strengthen its overall resilience.
Getting ready for DORA compliance
With the deadline approaching, it’s crucial to act now.
Here are some key steps to prepare:
- Conduct a gap analysis
Compare your current ICT risk practices to DORA’s requirements. Identify necessary changes in policies, processes, or tech to build a solid compliance plan. - Enhance ICT risk management
Make sure you have structured frameworks in place to manage ICT risks consistently and adapt as your organisation evolves. - Set up incident reporting
Ensure processes are in place for detecting, logging, and reporting incidents internally and to authorities. Make sure the team knows how to handle this effectively. - Plan resilience testing
Create a testing programme that includes regular exercises and penetration tests. Address any weaknesses quickly to strengthen your resilience. - Assess third-party risks
Review contracts with third-party providers to ensure DORA compliance, including clear SLAs, data handling details, and exit strategies. - Engage in information sharing
Join a trusted community to share and receive threat intelligence. This can help you stay updated on emerging cyber threats and effective defences.
What happens if organisations don’t comply?
Non-compliance with DORA can lead to significant penalties. Financial authorities have the power to impose fines and other remedial measures, and for ICT third-party providers, the penalties could reach up to 1% of their average daily turnover until compliance is achieved.
The reputational damage of non-compliance could also be considerable. With DORA’s requirements being central to operational stability, failing to comply could undermine client and market confidence in the business.
DORA and other regulations
DORA does not replace existing data protection laws such as GDPR, it works alongside them.
Organisations need to consider where these regulations overlap, particularly around incident reporting. Understanding how DORA fits within the broader regulatory landscape is essential to ensure full compliance.
Why DORA matters now more than ever
Digital resilience is crucial for the financial sector. Breaches and failures can lead to significant costs, and as cyber threats grow in frequency and sophistication, financial institutions are prime targets.
Ransomware attacks or system failures don’t just cost money; they can destroy trust and reputation. Issues like data breaches or outages can even create economic instability beyond the affected firm.
DORA tackles these challenges with a unified approach. By enforcing common standards across European financial institutions, it strengthens the entire system—vital in a global economy where firms rely on complex networks of providers.
DORA also aims to future-proof financial services, requiring institutions to build flexible, resilient systems that can adapt to new threats, including those from emerging tech like AI and blockchain.
Turning compliance into resilience
DORA is not just about avoiding fines.
It’s an opportunity to enhance resilience and build trust in an interconnected financial world. The requirements are designed to not only withstand cyber attacks but also to respond effectively and recover swiftly. Ensuring stability across the financial ecosystem.
We appreciate that many organisations have already got their ducks in a row on this issue and will be confidently compliant ahead of the January deadline.
But if you’re still unsure or unprepared, then the time to act is now.
For organisations seeking guidance on how to best prepare for DORA or to enhance their digital resilience journey, reaching out to industry experts can provide valuable support.
Kocho and Evolve North are here to help
Working together in partnership means aligning Evolve North’s many years of compliance expertise with Kocho’s leadership in cyber security, secure cloud services, and Microsoft technology. Together, we’re here to guide financial organisations towards DORA compliance with confidence.
From gap analysis to ICT risk enhancement and resilience testing, our tailored support ensures financial institutions are prepared for DORA’s challenges. We offer practical, hands-on help to mitigate risks, streamline processes, and achieve full compliance before the January 2025 deadline.
Ready to align with DORA? Then get in touch here or via the link at the bottom of the page to set up a short discovery call.
And take the first steps towards strengthening digital resilience and meeting compliance requirements.
Key takeaways
DORA requires full compliance from financial organisations by January 2025 to enhance digital resilience.
Compliance covers IT risk management, incident reporting, resilience testing, and third-party oversight.
UK firms may need DORA compliance if they operate or partner within the EU to maintain smooth cross-border relationships.
Non-compliance can lead to heavy fines, reputational damage, and loss of market trust.
Key preparation steps include gap analysis, resilience testing, and third-party contract reviews.
DORA aligns with existing regulations like GDPR to strengthen both operational stability and data protection.
Kocho and Evolve North work together to deliver tailored support for achieving DORA compliance.
Independent Research
Cyber Threat Report 2025
Key threats, popular strategies, and what IT leaders predict will have the biggest impact on cyber security in 2025.
Discover more insights like this:
- 91% want to simplify their security stack
- 94% plan to integrate AI within 6-18 months
- 64% rank data security a top priority
Next steps
Like this? Then don’t forget to share it with your followers.
Great emails start here
Sign up for free resources and exclusive invites
Subscribe to the Kocho mailing list if you want:
- Demos of the latest Microsoft tech
- Invites to exclusive events and webinars
- Resources that make your job easier
Got a question? Need more information?
Our expert team is here to help.