The Digital Operational Resilience Act (DORA): Enhancing Stability in the EU Financial Sector
By Dr Kelly Fenech, Founding Partner GKF Legal
October 2025
In an increasingly digitised financial landscape, where cyber threats and operational disruptions pose ever-greater risks, the European Union’s Digital Operational Resilience Act (DORA) emerges as a critical regulatory response. Designed to fortify the financial sector against information and communication technology (ICT) vulnerabilities, DORA mandates a proactive approach to risk management, ensuring that institutions can withstand, respond to, and recover from disruptions. As we approach full implementation in early 2025, financial entities across the EU must prioritise compliance to safeguard their operations and maintain stakeholder confidence.
At GKF Legal, our Financial Services Practice has counselled clients on integrating DORA’s requirements into their frameworks. This article offers a succinct yet thorough examination of DORA, covering its background, applicability, core obligations, potential hurdles, and broader business implications. Our goal is to provide actionable insights for those navigating this evolving regime, underscoring that robust digital resilience is not merely a compliance exercise but a cornerstone of sustainable growth.
Origins and Timeline: From Conception to Enforcement
DORA’s inception stems from the EU’s recognition that fragmented national approaches to ICT risks were insufficient in an interconnected financial ecosystem. Prior to DORA, incidents such as the 2021 SolarWinds cyber-attack highlighted systemic vulnerabilities, prompting the European Commission to propose a unified framework as part of its 2020 Digital Finance Strategy. The regulation addresses gaps in existing laws like the Network and Information Systems (NIS) Directive, focusing specifically on the financial sector’s unique dependencies on technology.
Formally adopted in November 2022, DORA entered into force on 16 January 2023, with full applicability scheduled for 17 January 2025. This two-year transitional period allows entities to prepare, during which the European Supervisory Authorities (ESAs)—including the European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA)—have issued technical standards and guidelines. By mid-2025, these include consultations on ICT risk management tools and incident classification, ensuring harmonised implementation across member states.
For firms, the timeline demands immediate action: gap analyses should be completed by late 2024, with full compliance programmes in place by the January 2025 deadline. Delays could expose organisations to supervisory scrutiny, as national competent authorities (NCAs) gear up for enforcement.
Scope and Applicability: Who Falls Under DORA?
DORA casts a wide net, applying to a broad spectrum of “financial entities” regulated under EU financial services legislation. This includes credit institutions, payment and e-money institutions, investment firms, insurance and reinsurance undertakings, and even crypto-asset service providers under the Markets in Crypto-Assets Regulation (MiCAR). Notably, it extends to critical third-party ICT service providers (CTPPs), such as cloud computing firms, which must register and submit to oversight by the ESAs.
Exemptions are limited: smaller entities may benefit from proportionality principles, where requirements are scaled to size and risk profile, but core obligations remain non-negotiable. Non-EU firms providing services to EU financial entities are indirectly affected through contractual mandates, emphasising DORA’s extraterritorial reach.
In essence, if your organisation relies on ICT for core functions—be it transaction processing, data storage, or client interfacing—DORA likely applies. At GKF Legal, we recommend early scoping exercises to clarify exposure, particularly for hybrid models blending traditional finance with digital innovations.
Core Requirements: Building a Resilient Framework
DORA’s obligations are structured around five pillars, each demanding integrated governance and operational changes:
- ICT Risk Management: Entities must establish comprehensive frameworks to identify, assess, and mitigate ICT risks. This includes board-level accountability, with senior management overseeing risk strategies. Policies should cover vulnerability assessments, access controls, and continuity planning, aligned with standards like ISO 27001 where appropriate.
- Incident Reporting: A standardised reporting regime requires prompt notification of major ICT incidents to NCAs, with thresholds based on impact severity. Entities must classify incidents (e.g., affecting confidentiality, integrity, or availability) and report within specified timelines—initial alerts within four hours, full root-cause analyses within one month. This harmonises with existing regimes like GDPR’s breach notifications.
- Digital Operational Resilience Testing: Annual testing is mandatory, progressing from basic scenarios to advanced threat-led penetration testing (TLPT) for systemically important institutions. Testing must involve independent auditors, with results informing remediation plans. For CTPPs, ESAs may mandate participation in joint exercises.
- Third-Party ICT Risk Management: Perhaps DORA’s most transformative element, this pillar requires due diligence on ICT providers, contractual safeguards (e.g., audit rights, exit strategies), and concentration risk monitoring. Critical providers face designation as CTPPs, subjecting them to direct ESA supervision, including on-site inspections.
- Information Sharing: Entities are encouraged to participate in threat intelligence networks, sharing anonymised data on cyber incidents to enhance collective resilience. While voluntary, this fosters a collaborative ecosystem, with ESAs facilitating platforms.
Compliance necessitates cross-functional teams—IT, legal, and risk functions working in tandem. In our experience at GKF Legal, embedding these requirements into existing enterprise risk management systems minimises disruption while maximising efficacy.
Compliance Challenges and Enforcement: Navigating the Pitfalls
Implementing DORA is not without obstacles. Legacy systems in traditional institutions may require substantial upgrades, while fintechs grapple with scaling proportionate measures. Third-party dependencies pose particular challenges, as renegotiating contracts with global providers like AWS or Microsoft demands careful legal drafting to ensure audit and termination clauses align with DORA.
Enforcement rests with NCAs, coordinated by the ESAs through an Oversight Forum for CTPPs. Penalties for non-compliance can reach up to 2% of global annual turnover, with additional reputational damage from public censure. Early 2025 will likely see supervisory focus on testing and reporting, with ESAs publishing annual resilience reports.
Common pitfalls include underestimating proportionality—smaller firms assuming leniency—or overlooking supply chain risks. Cross-border operations add complexity, as member states may interpret guidelines variably. We advise clients to conduct mock audits and engage with industry forums to benchmark progress.
Strategic Implications: Opportunities Beyond Compliance
Far from being burdensome, DORA presents strategic advantages. Compliant firms can leverage enhanced resilience for competitive differentiation, attracting investors and clients who prioritise security. In a post-pandemic world, where remote operations amplify cyber risks, DORA compliance signals operational maturity.
For the broader EU economy, DORA aims to prevent systemic disruptions, potentially reducing the €10 billion annual cost of ICT incidents in finance. Non-EU entities may find alignment beneficial for market access, influencing global standards akin to GDPR’s ripple effects.
At GKF Legal, we view DORA as a catalyst for innovation: integrating AI-driven monitoring or blockchain for secure data sharing can turn obligations into efficiencies. Forward-thinking organisations will integrate DORA into their digital transformation agendas.
Guiding Your Journey with GKF Legal
As DORA’s application date looms, proactive preparation is essential. GKF Legal has assisted over 40 financial clients in developing tailored resilience strategies, from risk assessments to contractual reviews. Our expertise ensures not just compliance, but a framework that enhances long-term value.
If DORA’s demands are shaping your priorities, contact us for a confidential discussion at info@gkflegal.com or visit www.gkflegal.com/services/digital-resilience. In an era of digital interdependence, resilience is your firm’s greatest asset.
Dr Kelly Fenech is a Founding Partner in GKF Legal’s Financial Services Practice, specialising in EU financial regulation and digital compliance. The views expressed are his own and do not constitute legal advice.