A map of the European Union overlaid with a large padlock icon

Understanding the Digital Operational Resilience Act (DORA) and how it impacts your business

Ricky Asher, Senior Marketing Manager
04/02/2025

In an era where digital infrastructure forms the backbone of financial services, the European Union has introduced the Digital Operational Resilience Act (DORA). This legislation, which officially came into force on 16 January 2023, is fully applicable from 17 January 2025. Its purpose is clear: to bolster the resilience of financial entities in the face of significant operational disruptions, particularly those arising from cyber incidents.

What is DORA?

DORA is a comprehensive regulation aimed at enhancing the digital operational resilience of financial entities across the EU. It introduces standards for managing information and communication technology (ICT) risks, ensuring that financial institutions are better equipped to withstand and recover from digital threats. The legislation applies to a diverse array of financial entities, including banks, insurance companies, investment firms and crypto asset service providers, as well as critical ICT third-party service providers that support the sector.

Why is DORA necessary?

The financial sector is increasingly reliant on technology and external tech providers to deliver its services. While this reliance brings innovation and efficiency, it also introduces vulnerabilities. Cyber-attacks or ICT failures can disrupt operations, with potential ripple effects across other businesses, industries and even the broader economy. Recognising these risks, DORA seeks to create a unified approach to managing ICT risks, ensuring that financial entities and their service providers can operate securely and efficiently in a digital-first landscape.

Key areas covered by DORA

To address the challenges posed by ICT risks, DORA sets out specific requirements across several critical areas:

  1. ICT risk management: Financial entities must implement a comprehensive ICT risk management framework. This framework should identify, monitor and mitigate risks effectively, with regular reviews and internal audits to ensure ongoing effectiveness.
  2. ICT third-party risk management: Given the reliance on external service providers, DORA mandates robust monitoring and oversight of these third-party relationships. Entities must establish clear contractual provisions with ICT providers and maintain a detailed registry documenting all agreements.
  3. Digital operational resilience testing: Financial institutions are required to conduct regular digital resilience tests. These include advanced assessments such as threat-led penetration testing (TLPT) to identify and address vulnerabilities proactively.
  4. ICT incident reporting: Entities must develop processes to detect and respond to ICT-related incidents. Major operational or security-related events must be promptly reported to relevant supervisory authorities, ensuring transparency and accountability.
  5. Information sharing: While not mandatory, DORA encourages financial entities to exchange information and intelligence about cyber threats. This collaborative approach can enhance sector-wide resilience by enabling entities to learn from each other’s experiences.

What should businesses do to prepare?

With DORA’s full application date approaching, financial entities must act now to align with its requirements. Key steps include:

  • Developing a robust ICT risk management framework: Establish and maintain processes for identifying, monitoring, and mitigating ICT risks, with regular updates to keep pace with evolving threats.
  • Strengthening third-party risk management: Review contracts with ICT providers, ensure compliance with DORA’s provisions, and maintain detailed records of all third-party arrangements.
  • Implementing resilience testing programs: Plan and conduct regular testing to assess and enhance your digital resilience capabilities.
  • Streamlining incident reporting mechanisms: Build clear workflows for identifying, addressing and reporting ICT-related incidents.
  • Fostering information sharing: Engage with industry peers to exchange insights on cyber threats and best practices.

Conclusion

The Digital Operational Resilience Act represents a significant step in safeguarding the EU’s financial sector against digital disruptions. By prioritising ICT risk management and fostering collaboration between financial entities and regulators, DORA ensures that businesses can navigate the complexities of a digital-first world with confidence. For financial entities, the time to act is now—the resilience of their operations and the trust of their customers depend on it.

How can Crowe help?

Crowe’s experience in DORA, operational resilience, and supplier risk management—combined with our pragmatic and progressive ethos—empowers organisations to address all aspects of resilience. Our holistic approach helps organisations navigate complex challenges and unlock significant value.

With the implementation deadline now passed, it’s essential for organisations to review their compliance, embed activities into business as usual, and address any key areas for improvement.

Our Consulting team takes a pragmatic approach to simplify the complexities of DORA, helping you meet its requirements in a practical and proportionate way that strengthens resilience.

Contact Alan Davidson or Julie Monaghan for a consultation to explore how we can help you optimise your resilience journey.

Contact us:

  • Shane McQuillan, Partner, Consulting, Crowe Ireland
  • Alan Davidson, Partner, Risk Consulting