
Navigating DORA: A comprehensive overview of the Digital Operational Resilience Act

Preparing Financial Institutions for 2025 DORA Compliance Deadline

Explore our comprehensive analysis of the Digital Operational Resilience Act’s (DORA) impact, implications, and crucial strategies for financial services institutions.

With a compliance deadline of January 17, 2025, DORA mandates a unified framework for digital operational resilience across banks, insurers, asset managers, and their critical ICT service providers. It moves beyond financial and capital resilience to enforce stringent controls over IT infrastructure, business continuity, and cyber incident reporting. 

What Is DORA and Why It Matters for Financial Services 

In the wake of the 2008 financial crisis, the European Commission set out to strengthen the resilience of the EU’s financial services sector. This overview traces the evolving regulatory landscape, which has grown more complex and shifted towards holistic business resilience. At the center of this transformation is the Digital Operational Resilience Act (DORA).

Enacted by the European Parliament in December 2022, DORA applies to: 

  • Banks, investment firms, insurers, credit institutions, clearing houses
  • ICT providers such as cloud platforms, data centers, SaaS vendors, analytics tools

Even non-EU organizations operating in the EU, such as firms in the UK and US, may fall under DORA’s scope. 

Implications and Actions for Financial Institutions

DORA imposes new responsibilities across five strategic pillars of operational resilience. Financial services firms must now: 

  • Conduct detailed ICT risk assessments
  • Implement real-time incident reporting mechanisms 
  • Govern third-party and cloud service providers under new EU supervision 
  • Participate in cyber threat intelligence sharing networks 
  • Perform advanced resilience and penetration testing every three years 

The regulation seeks to: 

  • Reduce systemic risk from ICT failures 
  • Safeguard critical infrastructure from illegal access or service disruption 
  • Enable swift recovery from cyber incidents 
  • Create a harmonized regulatory environment across EU financial markets

This paper offers a detailed examination of the implications and necessary actions for financial services institutions as they approach the impending deadline for DORA compliance on January 17, 2025. At its core, DORA is designed to consistently address cyber and digital risks across all financial entities, mitigating the growing threat of illegal activities and disruptions to digital services with direct consequences for society and the economy.

This comprehensive analysis unravels the intricacies of DORA, introducing it as a transformative law that requires companies to conduct detailed risk assessments and report any issues promptly. The regulation imposes new responsibilities on EU financial institutions, introducing a framework for direct EU financial regulator supervision of critical ICT service providers. As a catalyst for digital innovation, DORA aims to create a secure environment within the European financial services sector.

New Challenges Introduced by DORA

DORA introduces new challenges: a formal approach to resilience, active cyber risk management, rigorous testing and reporting, collaboration on incidents, and meticulous third-party risk management. While the specifics of monetary penalties for non-compliance are still under development, the document outlines the potential consequences, including possible criminal liability.

Unlike voluntary frameworks or scattered national regulations, DORA enforces a formal and harmonized operational resilience standard. This includes: 

  1. Formalized Risk Management – Firms must develop a comprehensive ICT governance strategy, including disaster recovery and business continuity. 
  2. Active Cyber Risk Management – Ongoing monitoring, classification, and mitigation of cyber risks are now legally mandated. 
  3. Rigorous Resilience Testing – Penetration testing and scenario-based threat simulation, conducted independently, must be performed at least once every three years. 
  4. Incident Reporting and Sector Collaboration – Firms must classify, escalate, and report serious digital incidents within set timelines, while collaborating with other institutions to combat systemic cyber threats. 
  5. Third-Party and Cloud Risk Governance – ICT service providers are now directly supervised by EU regulators. Contracts, SLAs, and exit clauses must be updated to comply with DORA.

Non-compliance may lead to penalties, including daily fines of up to 1% of global annual turnover for ICT providers.

The Five Pillars of DORA Compliance 

To meet DORA’s 2025 deadline, financial institutions must address the following:

  1. ICT Risk Management
    • Establish governance frameworks
    • Classify assets and threats 
    • Define tolerance levels and escalation pathways
  2. ICT Incident Reporting
    • Implement structured escalation and classification systems
    • Enable regulator communication workflows 
  3. Resilience Testing
    • Conduct threat-led penetration testing (TLPT)
    • Include third-party systems in scope 
    • Secure approval from regulators 
  4. Third-Party ICT Risk
    • Maintain supplier registers and dependency mappings
    • Perform annual assessments and contract reviews 
    • Develop robust exit and transition strategies
  5. Cyber Threat Intelligence Sharing
    • Join secure sectoral alliances
    • Implement intelligence-sharing protocols 
    • Track internal response documentation 

Strategic Recommendations to Accelerate DORA Readiness 

Capgemini recommends focusing on the following priorities: 

  • Strengthen business continuity planning: Prepare for data migrations, failovers, and disaster restoration 
  • Map operational dependencies: Identify systems, vendors, and assets essential for resilience 
  • Conduct periodic self-assessments: Validate current readiness against DORA’s five pillars

Global Implications of DORA

Notably, the impact of DORA extends beyond EU entities, potentially affecting foreign enterprises operating within the EU, including those from the US and the UK. The document briefly touches on related developments in the UK and the US, highlighting the global implications of this European regulation.

This analysis emphasizes the imperative for organizations to accelerate DORA compliance, providing insights into the five pillars of resilience outlined in the regulation. It underscores the need for a holistic approach to ensure robust business continuity planning, detailed mapping of dependencies, and periodic self-assessments. As January 2025 looms, the adoption of DORA is not just a compliance necessity but an opportunity to fortify operational resilience and foster global innovation in the financial services sector.

Capgemini’s Role in Supporting DORA Compliance

Capgemini brings deep industry knowledge and global experience in regulatory compliance, cybersecurity, and ICT transformation. Our services span:

  • Resilience architecture design  
  • Cyber incident workflow integration 
  • AI-enabled risk analysis 
  • Vendor governance and supply chain risk mapping 
  • Managed services for testing, monitoring, and regulatory reporting 

Whether you’re preparing for initial DORA assessments or building a long-term operational resilience strategy, Capgemini can accelerate your readiness while minimizing business disruption. 
