
DORA Regulation – New requirements for digital resilience in the financial sector from 2025

Digital resilience in the EU spotlight:

What is DORA?

With Regulation (EU) 2022/2554, also known as the Digital Operational Resilience Act (DORA), the European Union is establishing uniform, legally binding requirements for the digital security of financial companies and their ICT service providers for the first time. The aim is to systematically reduce cyber risks and strengthen operational stability in the EU financial system. The regulation was adopted on December 14, 2022, came into force on January 17, 2023 and will be binding from January 17, 2025.

Why was DORA introduced?

Increasing connectivity and reliance on digital systems make the financial sector vulnerable to cyber-attacks and IT failures. With DORA, the EU is responding to these threats by creating a robust foundation for ICT risk management, incident response and security audits. DORA harmonizes previously disparate national regulatory frameworks, increasing the resilience of the entire European financial market.

Who is specifically affected by the DORA regulation?

DORA applies to financial companies based in the European Economic Area (EEA) and to their internal or external ICT service providers.

The group of obligated parties is broad and includes, among others:

  • Credit institutions (banks)
  • Insurance and reinsurance undertakings
  • Payment institutions and e-money institutions
  • Investment firms and trading venues
  • Crypto-asset service providers
  • Investment fund management companies
  • Rating agencies and securitization registers

In total, around 22,000 companies in the EU, including around 3,600 in Germany, are affected.

The most important requirements from DORA

1. ICT risk management

Companies must implement an effective framework that includes technical and organizational measures for identifying, assessing and handling risks.

2. Reporting of serious ICT incidents

DORA requires the immediate reporting of significant IT security incidents to the responsible supervisory authorities.

3. Testing digital resilience

Regular resilience tests must be carried out, including threat-led penetration testing (TLPT), to systematically identify attack surfaces.

4. Management of third-party risks

ICT service providers must be bound by contractual controls, monitored on a risk basis, and reported to the supervisory authority where critical dependencies exist.

5. Exchange of information on threats

DORA promotes the exchange between market participants on cyber threats and attack indicators in order to improve the collective security situation.

The structure of the DORA regulation

The regulation consists of 64 articles, which are divided into nine chapters:
  1. General provisions
  2. ICT risk management
  3. Incident management
  4. Resilience tests
  5. Third-party risk management
  6. Exchange of information
  7. Responsibilities of the authorities
  8. Delegated acts
  9. Transitional and final provisions

In addition, regulatory and implementing technical standards (RTS, ITS) are being developed by the European supervisory authorities (EBA, EIOPA, ESMA).

DORA and Germany: National implementation via FinmadiG

With the Financial Market Digitization Act (FinmadiG) of December 2024, Germany has integrated DORA into national law. Even institutions that are not themselves subject to DORA must implement DORA-compliant requirements if they fall under the German Banking Act (KWG). In future, the Federal Financial Supervisory Authority (BaFin) will act as the central supervisory authority and can even appoint special representatives or withdraw operating licenses in the event of violations.

Proportionality: Simplifications for small institutions

Article 4 of the DORA Regulation defines the principle of proportionality: smaller financial undertakings with a low risk profile can implement simplified measures, in particular with regard to ICT risk management. In this way, these companies are not overburdened, but nevertheless remain obliged to ensure a minimum level of security.

DORA as a milestone for cyber security in the financial sector

The DORA Regulation represents a significant step towards the Europe-wide harmonization of digital security in the financial sector. It provides companies with a clear, legally binding framework for systematically managing digital risks and increasing resilience. Those who are not prepared by January 17, 2025, risk severe sanctions. Companies should therefore act now to make their systems and processes DORA-compliant.

Contact us for your security strategy!

Would you like to make your organization DORA-compliant? We support you in implementing technical requirements, documenting security measures and complying with regulatory obligations – also in the context of C5, ISO 27001 or SOC 2.

E-mail: hello@secaas.it
Phone: +49 69 5060 75080
https://security-as-a-service.io

Secure your company – before it’s too late!
