
DORA - A major step forward for the digital resilience of financial services

cedricdicesare8




The financial sector is one of the fundamental pillars of the global economy. However, it is also one of the most exposed targets to cyber threats. Ransomware attacks, disruptions to critical infrastructure, and third-party vendor compromises are all growing risks in an interconnected environment.

In this context, the European Union introduced the Digital Operational Resilience Act (DORA). This regulation aims to strengthen the digital operational resilience of financial services across the European Union. Unveiled in 2022, it serves as a strategic response to cybersecurity and business continuity challenges, which have been exacerbated by increasing reliance on digital technologies.

DORA is not merely a regulatory obligation. It is a tool to transform organizational practices, foster proactive governance, and ensure that the European financial sector is prepared to face tomorrow’s digital crises. This article explores the objectives, targeted businesses, benefits, and mechanisms of DORA, while highlighting its key role in enhancing economic stability and stakeholder trust.



1. What is DORA?


DORA, or the Digital Operational Resilience Act, is a legislative framework designed to ensure that financial institutions can withstand and effectively respond to digital disruptions. Unlike fragmented approaches of the past, this regulation introduces a unified and harmonized framework applicable across all EU member states.

DORA extends beyond technological aspects: it also addresses organizational and systemic vulnerabilities. The regulation mandates integrated digital risk management, covering both external threats (cyberattacks, major interruptions) and internal ones (organizational failures, human errors).

This comprehensive approach complements the NIS2 Directive, adopted in 2022, which focuses on the cybersecurity of critical infrastructure in a broader sense. While NIS2 establishes general principles across various sectors, DORA targets the specific needs of financial services, particularly their reliance on critical third-party providers.



2. Comparing DORA, NIS2, ISO 27001, and ISO 22301


Although DORA shares common objectives with NIS2 and international standards like ISO 27001 and ISO 22301, it stands out for its specificity and reinforced legal obligations.



DORA and NIS2: Complementary frameworks

NIS2 covers a wide range of critical sectors, such as energy, healthcare, and digital infrastructure. In contrast, DORA exclusively targets the financial sector. Where NIS2 emphasizes network cybersecurity, DORA goes further by including operational resilience, notably through regular testing and business continuity planning.


DORA and ISO 27001: From voluntary standards to legal requirements

ISO 27001 provides a methodological framework for managing information security risks. However, it remains voluntary, whereas DORA imposes mandatory requirements with penalties for non-compliance.



DORA and ISO 22301: Continuity at the heart of resilience

ISO 22301 focuses on business continuity. Drawing inspiration from this standard, DORA mandates the implementation of detailed plans to address crises and ensure rapid recovery of critical operations. These plans must be regularly tested to remain effective against emerging threats.

| Aspect | DORA | NIS2 | ISO 27001 | ISO 22301 |
|---|---|---|---|---|
| Sector Covered | Exclusively financial | Multiple critical sectors | All sectors | All sectors |
| Legally Mandatory | Yes | Yes | No | No |
| Business Continuity | Yes | Partial | No | Yes |
| Resilience Testing | Mandatory | Not specified | Recommended | Mandatory |

This synergy between DORA, NIS2, and ISO standards strengthens the robustness of Europe’s critical infrastructure while providing a specific approach for the financial sector.



3. Businesses affected by DORA

DORA targets a wide range of players in the European financial ecosystem. Banks, insurance companies, fund managers, trading platforms, central securities depositories, and payment systems are among the entities directly affected. However, its scope goes further: critical third-party providers, such as cloud service providers, are also included.

The inclusion of these critical third parties marks a significant step forward. In recent years, service interruptions linked to external providers have highlighted the growing dependence of financial institutions on these partners. DORA now mandates proactive management of these relationships.

Financial institutions must not only assess the security of their technology partners but also ensure their ability to maintain service continuity during a crisis. This framework draws directly from the requirements of ISO 22301, which mandates rigorous risk assessment and the integration of partners into continuity plans.



4. Challenges related to emerging technologies

The rapid adoption of emerging technologies, such as cloud computing, AI, and blockchain, is profoundly transforming the financial sector. However, these innovations come with new risks.


Cloud

While essential for hosting critical data and services, increased reliance on external providers can introduce systemic risks. DORA requires institutions to regularly evaluate the resilience of these providers and incorporate failure scenarios into their continuity plans, in line with ISO 22301 principles.


AI

Although AI optimizes processes and detects fraud, it can introduce vulnerabilities, such as algorithm manipulation or bias exploitation. DORA mandates mechanisms to ensure the traceability and robustness of AI systems.


Blockchain

While blockchain offers greater transparency for financial transactions, its integration into existing infrastructures can create vulnerabilities, particularly during interconnections with traditional systems. DORA requires regular audits to ensure the security of these solutions.



5. Costs and Benefits of Compliance with DORA


Costs of compliance

Compliance with DORA requires significant investments, including adapting organizational practices, strengthening digital infrastructures, and integrating continuity and resilience processes. These efforts include:

  • Developing detailed business continuity plans inspired by ISO 22301.

  • Conducting regular resilience tests to assess the institution's ability to handle critical scenarios.

  • Training internal teams to ensure rigorous understanding and execution of the new regulatory requirements.

While these costs are substantial for SMEs and mid-sized companies, DORA includes proportionality mechanisms to adjust requirements based on the size and complexity of the entities involved.


Long-term benefits of DORA

Despite the costs, DORA compliance translates into strategic benefits:

  • Reduced downtime

    Institutions are better prepared to respond to crises, minimizing financial and operational losses.

  • Increased trust

    Customers and partners value organizations that can ensure service continuity, even during cyberattacks or major outages.

  • Improved competitiveness

    DORA-compliant companies position themselves as leaders in cybersecurity and resilience, attracting more clients and investors.



6. Supervision and the role of national and European authorities

DORA establishes a robust supervisory framework based on collaboration between national and European authorities.


European authorities

European institutions such as the European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA) play key roles in defining technical standards and overseeing cross-border activities.


National regulators

At the national level, organizations like the ACPR in France (the supervisory authority attached to the Bank of France) provide technical expertise to ensure local implementation of DORA.



Conclusion

DORA represents a significant step forward for the digital resilience of Europe’s financial sector. By integrating rigorous standards like ISO 27001 for risk management and ISO 22301 for business continuity, this regulation offers a comprehensive and coherent approach.

With DORA, financial institutions are better equipped to face digital crises while enhancing their competitiveness and stakeholder trust. Together with frameworks like NIS2 and the oversight of national bodies, DORA lays the foundation for a safer, more stable, and future-oriented European financial ecosystem.
