The new DORA EU Regulation comes into force: What companies need to do now!

The DORA EU Regulation raises digital resilience in the financial sector to a uniform EU level. Since 17 January 2025, supervised financial entities, and with them the ICT third-party service providers working for them, must comply with clear requirements on governance, ICT risk management, incident management, testing, and outsourcing.

What is the Digital Operational Resilience Act (DORA)?

DORA, the Digital Operational Resilience Act, is Regulation (EU) 2022/2554. It requires financial entities and the ICT service providers relevant to them to build digital resilience against cyberattacks and ICT incidents systematically. The regulation sets out requirements for governance, ICT risk management, testing, management of ICT third-party risk, and a harmonized incident reporting system.

In Germany, BaFin is the central reporting hub for information and communication technology (ICT) incidents. Additional Level 2 legal acts, the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), specify the detailed requirements for processes and thresholds.

What does the DORA EU regulation regulate?

The DORA EU Regulation establishes uniform, binding rules for the security of network and information systems in financial companies.

The core elements are: ICT risk management (including backup & recovery), reporting requirements for serious ICT incidents, digital resilience testing, management of third-party ICT service providers including contractual requirements, and an EU-wide supervisory framework for critical ICT services.

When does the DORA EU regulation come into force?

The DORA EU Regulation itself, the Level 1 text, entered into force in January 2023 and has applied since 17 January 2025. The European supervisory authorities (EBA, EIOPA, and ESMA) and BaFin support implementation with guidelines, technical standards, and national processes. This establishes the regulatory framework, but for companies it is only the beginning of a comprehensive transformation.

How are DORA and NIS2 related?

DORA is sector-specific (financial sector) and directly applicable as a regulation. NIS2 is a directive with a broader, cross-sector focus on cybersecurity and must be transposed into national law. The two legal acts are interlinked: for the financial entities in its scope, DORA takes precedence as the sector-specific act, it refers to cooperation with the NIS structures, and the two complement each other in content.

The DORA EU regulation affects these organizations

The DORA EU Regulation applies broadly across the financial industry, including credit institutions, payment and e-money institutions, investment firms, trading venues, central securities depositories, central counterparties, (re)insurers, insurance intermediaries, occupational pension institutions, data reporting service providers, and (depending on their activities) crypto-asset service providers. It also reaches ICT third-party service providers, including those designated as critical.

In Germany, the Financial Market Digitalization Act (FinmadiG) will bring additional institutions into scope from 1 January 2027.

Roadmap: What will happen after the regulation comes into force

In the coming months and years, further details will follow that financial entities are required to implement. The so-called Level 2 legal acts deserve particular attention:

The European supervisory authorities publish Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that contain the specific requirements for risk management, reporting obligations, and test scenarios.

In 2025 and 2026, the focus is on the practical implementation of these detailed rules. Financial entities and ICT third-party service providers have to adapt their internal processes, systems, and contracts consistently. At the same time, test phases and audits are planned in which the supervisory authorities check compliance with the requirements.

Another important milestone is 1 January 2027: from this date onwards, the scope of application is expanded by the German Financial Market Digitalization Act (FinmadiG), so that additional financial institutions and organizations fall under the DORA requirements. It is therefore crucial for the companies affected to prepare in good time.

Your roadmap should therefore include the following steps:

  • Immediate measures: Perform a gap analysis, adapt governance structures, and clarify responsibilities.
  • Medium term (2025–2026): Implement RTS/ITS in concrete policies, set up the register of information for ICT third-party service providers, test resilience mechanisms, and adapt incident management.
  • Long term (from 2027): Consider expanding the scope of application, include additional areas, and establish continuous compliance checks.

Immediate priorities for your company

A key first step in implementing the DORA EU Regulation is a DORA gap analysis followed by a roadmap. This means systematically comparing the standards you already implement, such as BAIT, KAIT, or ZAIT, with the requirements of the regulation. The gaps identified feed an action plan that clearly assigns responsibilities and forms the basis for structured implementation:

1. Sharpen governance:

Companies must ensure that responsibilities for ICT risk are clearly assigned. This includes defining key performance indicators (KPIs) that make resilience measurable. Transparent reporting channels should also be established so that relevant information about risks, incidents, and measures can reach the management body at any time and be decided there.

2. Standardize risk management:

The objective is a holistic approach to risk management within the company: IT security and business continuity management (BCM) are no longer treated as separate silos but understood and operated as one integrated system.

All risks, whether technical (e.g., cyber threats, system failures) or business-related (e.g., process interruptions, dependencies on service providers), are assessed uniformly and managed in joint processes. This ensures that emergency plans, security measures, and recovery strategies are not developed in isolation, but are coordinated with each other.

3. Report incidents:

Establish processes for detection, classification, escalation, and compliance with the reporting deadlines, including crisis communication procedures. Companies are obliged to set up effective incident management.
It is particularly important to meet the reporting deadlines to the supervisory authorities. Under the Level 2 standards on major ICT-related incident reporting, the initial notification is due within four hours of classifying an incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. Crisis communication, especially via digital channels, must therefore be planned in advance and exercised regularly so that the response in an emergency is quick and structured.

4. Third-party service providers & information registers:

Contracts must be adapted consistently to DORA, for example with clear audit and access rights and defined exit strategies. In addition, the regulation requires a complete register of information documenting all contractual arrangements for ICT services, including which of them support critical or important functions. This keeps dependencies and risks in the cooperation with external partners visible at all times.

5. Testing resilience & deriving measures:

This includes internal controls, technical reviews and, for financial entities designated by their competent authority, threat-led penetration tests (TLPT) at least every three years. Test results are not an end in themselves but must be translated consistently into concrete measures that improve resilience in the long term.

6. Create documentation & evidence:

Finally, the DORA EU Regulation requires the testing of digital resilience to be consistent and demonstrable. Plan the tests for the relevant units early, put them in the annual calendar, and keep their results as evidence, so that protection against cyberattacks is strengthened in the long term.

This includes comprehensive documentation of all relevant processes, measures, and results. Documents must be available for presentation to supervisory authorities at any time. At the same time, internal guidelines should be continuously updated to take into account changes in regulatory stipulations, new risks, and technical developments.

What sanctions can a violation entail?

DORA is more than a framework of recommendations: it contains binding obligations, and failing to comply with them has real consequences. Both financial entities and ICT third-party service providers must therefore expect sanctions if they violate the requirements.

For financial entities, the Member States determine appropriate administrative penalties and remedial measures. Supervisors may, among other things, issue orders and publish violations. The exact fines are regulated at the national level and must be effective, proportionate, and dissuasive.

For critical ICT third-party service providers, the Lead Overseer (one of the European supervisory authorities) may impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, payable per day for up to six months; in the event of serious risks, competent authorities may as a last resort require financial entities to suspend or terminate the use of the provider's services.

DORA practical example: Cyberattack in online banking

The Digital Operational Resilience Act (DORA) requires financial companies to secure their digital systems against failures, attacks, and data misuse. CIAM (Customer Identity & Access Management) supports these requirements technically by providing secure and traceable customer access. Features such as multi-factor authentication, risk-based authentication, consent management, and audit trails directly contribute to cyber resilience, access security, and compliance.

In short, CIAM is not a DORA objective in itself, but a key technical tool for implementing the security and stability of digital customer services required by DORA.

The initial situation

Let's imagine a financial entity falls victim to a ransomware attack. Online banking fails completely, and customer data and access credentials are potentially exposed.

Response in accordance with the DORA EU Regulation

Risk management analyzes

  • the technical damage to affected systems
  • the recovery times
  • and security gaps.

Business continuity management (BCM) examines the business consequences:

  • customer communication
  • alternative channels
  • regulatory reporting stipulations.

Accordingly, the emergency plans contain the technical and organizational procedures to keep operations running and ensure compliance.

The role of a (C)IAM

  • Multi-factor authentication and fraud detection make unauthorized access more difficult.
  • Botnet detection blocks automated attacks.
  • Central identity and access management enables rapid classification of compromised accounts and secure restoration of user access.
  • Continuous reporting and auditing enables complete traceability of access permissions, detects anomalies, and supports recovery processes.
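The last two bullets are where an audit trail becomes actionable. The following added example (not cidaas code, and not part of the original page) runs two detection rules over a handful of constructed CIAM audit events in a generic JSON-lines shape: a source IP whose failed logins hit many distinct accounts inside a short window is treated as credential stuffing, and every account that IP got past the first factor on is classified either as having a compromised password (MFA held) or as taken over (a session was issued), with the remediation steps for each. The event names, field names, thresholds and action names are assumptions for this example, not the cidaas event schema or admin API.

```python
"""Triage of CIAM audit events for credential stuffing and account takeover.

Added example with constructed data; the event schema (ts, event, user, ip)
and the thresholds are assumptions, not the cidaas API or log format.
"""
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one IP sprays five accounts in a few seconds, gets the
# password right for frank (MFA blocks it) and for heidi (MFA also passed, so a
# session was issued); grace is a normal user with one typo.
SAMPLE_LOG = """\
{"ts": "2025-03-01T08:00:01Z", "event": "login_failed", "user": "alice", "ip": "203.0.113.10"}
{"ts": "2025-03-01T08:00:02Z", "event": "login_failed", "user": "bob", "ip": "203.0.113.10"}
{"ts": "2025-03-01T08:00:03Z", "event": "login_failed", "user": "carol", "ip": "203.0.113.10"}
{"ts": "2025-03-01T08:00:04Z", "event": "login_failed", "user": "dave", "ip": "203.0.113.10"}
{"ts": "2025-03-01T08:00:05Z", "event": "login_failed", "user": "erin", "ip": "203.0.113.10"}
{"ts": "2025-03-01T08:00:06Z", "event": "password_ok", "user": "frank", "ip": "203.0.113.10"}
{"ts": "2025-03-01T08:00:07Z", "event": "mfa_failed", "user": "frank", "ip": "203.0.113.10"}
{"ts": "2025-03-01T08:00:08Z", "event": "password_ok", "user": "heidi", "ip": "203.0.113.10"}
{"ts": "2025-03-01T08:00:09Z", "event": "login_success", "user": "heidi", "ip": "203.0.113.10"}
{"ts": "2025-03-01T08:05:00Z", "event": "login_failed", "user": "grace", "ip": "198.51.100.7"}
{"ts": "2025-03-01T08:05:20Z", "event": "password_ok", "user": "grace", "ip": "198.51.100.7"}
{"ts": "2025-03-01T08:05:30Z", "event": "login_success", "user": "grace", "ip": "198.51.100.7"}
"""

# Remediation per verdict; the action names are placeholders for calls into
# the identity platform's admin API (assumed, not a real API).
ACTIONS = {
    "password_compromised": ["force_password_reset", "revoke_sessions"],
    "account_takeover": ["lock_account", "revoke_sessions", "force_password_reset",
                         "notify_customer", "add_to_incident_report"],
}


@dataclass
class Event:
    ts: datetime
    event: str
    user: str
    ip: str


def parse_events(text):
    """Parse JSON lines into Events sorted by timestamp (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, rec["event"], rec["user"], rec["ip"]))
    return sorted(events, key=lambda e: e.ts)


def detect_credential_stuffing(events, window=timedelta(seconds=60), min_users=5):
    """Return {ip: distinct accounts} for IPs whose failed logins target at
    least min_users different accounts within any sliding time window."""
    failures = defaultdict(list)
    for e in events:
        if e.event == "login_failed":
            failures[e.ip].append(e)
    flagged = {}
    for ip, fails in failures.items():      # fails are already time-ordered
        start, best = 0, 0
        for end in range(len(fails)):
            while fails[end].ts - fails[start].ts > window:
                start += 1
            best = max(best, len({f.user for f in fails[start:end + 1]}))
        if best >= min_users:
            flagged[ip] = best
    return flagged


def classify_accounts(events, bad_ips):
    """Classify accounts a flagged IP got past the first factor on:
    password_ok alone (MFA held) -> password_compromised,
    login_success (session issued) -> account_takeover."""
    verdicts = {}
    for e in events:
        if e.ip not in bad_ips:
            continue
        if e.event == "password_ok":
            verdicts.setdefault(e.user, "password_compromised")
        elif e.event == "login_success":
            verdicts[e.user] = "account_takeover"
    return verdicts


def triage(text):
    """Full pass: IPs to block, per-account verdicts and remediation actions."""
    events = parse_events(text)
    bad_ips = detect_credential_stuffing(events)
    verdicts = classify_accounts(events, bad_ips)
    return {
        "block_ips": sorted(bad_ips),
        "accounts": verdicts,
        "actions": {user: ACTIONS[v] for user, v in verdicts.items()},
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The two rules deliberately separate "password known to the attacker" from "session actually issued": the first only needs a reset and session revocation, the second is an account takeover that feeds the incident classification and reporting process described above. The window and account thresholds are tuning knobs; a distributed attack spread over many IPs would need a per-account or global view in addition to the per-IP one shown here.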

Benefits in the DORA context

cidaas (C)IAM strengthens digital resilience:

  • Protection against attacks through modern identity and access solutions.
  • Stable and secure customer channels, even in a crisis.
  • Compliance with the stipulations of the DORA EU regulation through integrated security and reporting processes.

DORA EU Regulation and cidaas – Identity, resilience, and compliance combined

The DORA EU Regulation addresses digital resilience in the financial sector in a holistic manner. This means that measures for authentication, access control, and identity management are becoming increasingly important from a strategic perspective.

A (C)IAM platform such as cidaas can play a key role here: It enables secure, standards-based management of digital identities across all channels, thereby strengthening risk management and reliability within the company.

cidaas relies on established standards such as OAuth 2.0 and OpenID Connect, combined with multi-factor authentication, fraud detection, and botnet detection to identify and block unauthorized access at an early stage.

cidaas offers particular advantages for financial entities that must meet additional requirements from PSD2, NIS2, or other regulatory stipulations alongside the DORA EU Regulation: it supports both compliance and a positive customer experience without conflicting with security and data integrity requirements.

In addition, cidaas can help to securely protect third-party service provider interfaces – an important component of DORA when dealing with outsourced ICT functions. A central identity platform allows for more transparent control over which users, systems, or partners are allowed to access critical resources. This makes it possible to classify and report incidents more efficiently.

cidaas strengthens your company's digital resilience by meeting modern technical authentication requirements while supporting compliance with the DORA EU Regulation: a synergy of strength, regulation, and operational security.

Do you have questions about cidaas or your options as a company in the financial industry? Feel free to contact us, we're happy to answer your questions.