The EU’s Digital Operational Resilience Act (DORA) came into force just over 12 months ago. DORA was introduced in 2022, and became fully applicable on January 17, 2025. The regulation was intended to ensure operational resilience across the financial services industry and their key suppliers as the sector is increasingly reliant on digital infrastructure and third parties.
In this post, we’ll look at the impact the regulation has had for the financial sector and beyond.
The Digital Operational Resilience Act (DORA)
The Act comprises more than 1,000 specific requirements across five core pillars:
- ICT risk management framework
- ICT incident reporting
- Digital operational resilience testing
- ICT third-party risk management
- Cyber threat intelligence sharing
DORA offers financial institutions, burdened with regulatory obligations, a consistent framework for ICT risk management that can be integrated into enterprise governance frameworks alongside (among others) NIS2, GDPR and the EU AI Act.
One year of DORA
One year since DORA came into force, its effectiveness remains unclear. This will take some time to emerge, especially as organizations in scope of the regulation are still struggling to comply. DORA is a complex regulation that applies not only to an individual company but also to its ICT suppliers.
This presents challenges for financial institutions as they work to fully understand their digital and software supply chains, document them, and revise contracts so that they can monitor third-party compliance.
The regulatory landscape has shifted too. Since DORA was introduced, the EU has enacted the NIS2 Directive for securing network and information systems, and the AI Act, which regulates prohibited and high-risk AI systems. This means that rather than focusing on DORA compliance in isolation, financial institutions have had to adopt an integrated approach, consolidating overlapping requirements wherever possible.
The European Commission, responsible for enforcing DORA, has made clear that the regulation isn’t merely a paper-based exercise: its execution must be supported with evidence and matured through continuous improvement to achieve effective cyber-resilience.
Start with a strong foundation for DORA
One of the core components of DORA is Article 8 of the ICT risk management framework. Article 8 mandates the identification, classification and documentation of all ICT-supported business functions, along with the roles and responsibilities attached to them. In addition, it requires organizations to maintain and update documented inventories of information assets, establishing the foundation for effective identification and management of ICT information risks.
This is crucial not only for financial institutions themselves but also for their ICT supply chain. By implementing comprehensive data discovery that feeds the mandatory ICT asset inventories, organizations gain the visibility they need to begin their DORA compliance journey.
To find out how Ground Labs can help enhance your business resilience, request a demo or book a call with one of our experts today.