Get ready for DORA
What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA) is an EU regulation that strengthens digital operational resilience across the financial sector. It establishes a harmonised framework for information and communication technology (ICT) risk management, incident reporting, resilience testing, third-party oversight and governance.
DORA entered into force with application beginning on 17 January 2025, and financial entities subject to the regulation must now meet its requirements.
Who must comply with DORA?
DORA applies to a wide range of financial entities operating in the EU, including but not limited to:
- Banks and credit institutions
- Investment firms and asset managers
- Insurance and reinsurance companies
- Payment institutions and e-money institutions
- Market infrastructures and trading platforms
- Crypto-asset service providers and crowdfunding platforms
DORA impacts ICT service providers and suppliers too
DORA also affects third-party ICT service providers, including cloud and software providers, that deliver digital services to financial entities, particularly where they support critical or important functions.
Even organisations that are not themselves financial entities may be impacted, as regulated institutions are required to manage and monitor the digital operational resilience of their key ICT providers.
What DORA requires
Under DORA, covered entities must implement robust and documented practices across several core areas. These typically include:
- ICT risk management: organisations must build a documented framework for identifying, assessing, mitigating and monitoring ICT risk, with clear governance oversight.
- Incident reporting: financial entities must promptly detect and report significant ICT-related incidents to their competent authorities under defined timelines.
- Resilience testing: regular testing of systems — including penetration testing and threat-led simulations — is required to ensure preparedness against disruptions.
- Third-party risk management: organisations must maintain an inventory of key ICT service providers, assess third-party risks and include contractual safeguards.
- Governance: senior management is responsible for oversight of resilience frameworks, ensuring that ICT risk and operational continuity are embedded into organisational strategy.
Compliance, clarity and control
The implementation of DORA is timely, as financial institutions’ growing dependence on digital technologies and external ICT providers has increased operational vulnerabilities, while reported cyber and ICT incidents have roughly doubled in recent years.
Of the cyber incidents targeting Europe’s financial sector that were publicly reported and analysed between early 2023 and mid-2024, nearly half affected banks.
Annual losses from cyber incidents in the financial sector have climbed from about $300 million in 2017 to roughly $2.2 billion in 2021.
More than 2,200 cyberattacks occur every day worldwide — roughly one attack every 39 seconds.
The challenge for financial entities and tech providers
Meeting DORA requirements can be demanding, especially for organisations without dedicated operational risk or compliance teams. Common challenges include:
- No dedicated compliance or security team
- Limited time to understand detailed legal requirements
- Scattered documents and unclear responsibilities
- Monitoring and managing third-party ICT provider risk
- Implementing consistent incident reporting processes
- Maintaining governance and documentation that satisfies supervisors
Non-compliance can lead to financial penalties, regulatory intervention and reputational damage.
Achieve DORA readiness with Trustlinks
Trustlinks translates the complexity of DORA requirements into practical, guided actions your team can follow:
Start with a clear, structured, and intuitive setup aligned with DORA requirements, including predefined controls, policy templates and documentation guidance.
This helps your company to get started quickly without needing deep compliance expertise. No guessing, everything is laid out in a clear, logical flow so your team knows exactly where to begin.
Every requirement is broken down into practical step-by-step tasks explained in a clear manner.
You can assign responsibilities and tasks to colleagues, set deadlines and follow progress from one place. Automated reminders keep everyone on track, making compliance a shared responsibility across the organisation.
Trustlinks includes easy-to-use tools for identifying and assessing risks, tracking mitigation activities and documenting improvements over time.
Supplier oversight is built into the workflow, helping you document assessments, follow up on actions and demonstrate ongoing monitoring of third-party ICT services in line with DORA requirements.
All your compliance records in one secure, organised space, including policies, controls, reviews, supplier data and evidence files.
Trustlinks helps you maintain a clear audit trail that reflects your ongoing compliance efforts and keeps your organisation prepared for internal checks or external requests.
Trustlinks supports ICT incident management with guided workflows and templates that help you classify, document and report significant ICT-related incidents in line with DORA requirements.
When regulators, auditors or internal stakeholders request evidence, you can generate structured reports that provide a clear overview of controls, responsibilities, progress and outstanding actions.
Get ready for DORA
If you have questions about Trustlinks or want to explore how our platform supports your compliance work, contact us and our team will be happy to help.
Frequently asked questions about DORA readiness
What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA) is an EU regulation that strengthens how financial entities manage ICT risk, respond to incidents and ensure digital operational resilience across the financial sector.
Who must comply with DORA?
DORA applies to a wide range of EU financial entities, including banks, insurers, investment firms, payment institutions and crypto-asset service providers. It also affects ICT service providers that support critical or important functions.
When does DORA apply?
DORA became fully applicable on 17 January 2025. From that date, covered financial entities must meet the regulation’s requirements and be able to demonstrate compliance.
What are the main DORA requirements?
DORA requires organisations to implement ICT risk management frameworks, incident reporting processes, digital operational resilience testing, third-party ICT risk management and strong governance and oversight.
How does DORA affect ICT service providers and suppliers?
Even if they are not financial entities, ICT service providers may be impacted because regulated institutions must assess, monitor and manage the digital resilience of their key technology partners.
Are there sanctions for non-compliance with DORA?
Yes. Non-compliance with DORA can result in supervisory actions, corrective measures and financial penalties under national and EU-level enforcement frameworks.
How can Trustlinks help with DORA compliance?
Trustlinks helps organisations structure DORA requirements into guided workflows, manage ICT risks and third-party oversight, maintain documentation and generate clear, audit-ready reports.