DORA: Obligations, Cybersecurity, and Digital Resilience in the Financial Sector
In an increasingly digital world, cybersecurity and operational resilience have become essential priorities for a wide range of organizations. In this context, the DORA Regulation (Digital Operational Resilience Act) of the European Union emerges as a key instrument to ensure the stability and security of digital operations.
This regulation, which entered into force on January 16, 2023, and became fully applicable on January 17, 2025, establishes a regulatory framework that applies not only to financial institutions but also to investment firms, payment service providers, asset managers, crowdfunding platforms, and other organizations linked to the financial system. It also explicitly includes information and communication technology (ICT) service providers that collaborate with these entities, as their role is essential to maintaining the stability and protection of digital activities.
The main objective of DORA is to ensure that all these institutions and their providers can withstand, respond to, and recover from technological incidents, minimizing risks to the financial system as a whole.
Key Obligations
Among DORA’s most notable aspects is the requirement to manage risks related to information and communication technologies. This means organizations must identify the critical assets that support their digital operations, assess potential threats, and implement measures to minimize risks.
Additionally, the regulation requires the implementation of incident reporting mechanisms to notify competent authorities and stakeholders promptly, helping mitigate the impact of any technological disruptions.
Another core pillar of DORA is the obligation to conduct periodic operational resilience testing. These tests—such as cyberattack simulations and vulnerability assessments—are crucial to ensuring systems can resist adverse events and remain operational. The regulation also places strong emphasis on third-party risk management, requiring organizations to actively monitor the cybersecurity standards of their ICT providers.
Strategic Impact
The scope of DORA extends beyond the organizations directly subject to the regulation. Technology service providers play a critical role in compliance, as they are responsible for ensuring the continuity and security of the services they provide to financial entities.
For this reason, DORA implementation represents a strategic challenge that goes beyond simple regulatory compliance. It offers an opportunity to strengthen cybersecurity capabilities and build greater trust among consumers and business partners.
A Safer Ecosystem
DORA marks a significant step toward building a more secure and technologically resilient financial system. Its impact reaches both regulated entities and their technological partners, promoting greater transparency and accountability in digital risk management.
Ultimately, DORA establishes a high standard for cybersecurity and operational resilience, reinforcing the need for all organizations and their technology providers to adopt a proactive approach to digital risk and work together to build a safer, more resilient operating environment.