DORA Regulation: a new standard for Digital Operational Resilience in the European financial sector
Announced at the end of 2022 in the Official Journal of the European Union, DORA - an acronym for the Digital Operational Resilience Act - has now become a reality and a pressing issue for companies in the financial sector. DORA is a regulation that aims to strengthen digital operational resilience, in a prescriptive and concrete manner: in this sense, it can be considered both a regulatory framework that establishes legal obligations and a security framework, which defines the technical and operational measures that financial entities must take to strengthen and protect their systems.
This new regulation represents a fundamental step towards the creation of a more secure and adaptable financial system, capable of dealing with the increasingly advanced cyber threats of the present and the challenges of growing complexity in the future.
What is the DORA Regulation?
This new EU regulation defines a comprehensive regulatory framework for ICT risk management in the financial sector.
Its main objective is to harmonise existing ICT risk management regulations in the various EU Member States, creating a uniform and consistent approach across the Union.
DORA focuses on cyber resilience, i.e. the ability of companies to prevent, respond to and recover from cybersecurity incidents. This includes protecting networks and information systems, managing ICT risks, reporting incidents, performing resilience tests and managing third-party services.
To whom does the DORA regulation apply?
Similar to the GDPR for personal data protection, DORA consolidates and updates the cyber and cloud risk management of companies offering financial services.
It applies to a wide range of financial entities operating in the EU, both traditional and innovative. This includes:
- Credit institutions
- Payment institutions
- Electronic money institutions
- Investment management companies
- Crypto service providers
- Alternative investment funds
- Corporate insurance managers
- Crowdfunding service providers
- Credit rating agencies
- Trade repositories
- Trading venues
- Fintech companies
- Third-party ICT service providers
Importantly, DORA also extends to ICT service providers that support financial entities, such as cloud computing and data centre providers. This underlines how digital operational resilience is not only the responsibility of individual companies, but of the entire financial and IT ecosystem.
Since this is an EU regulation, Switzerland is only partly affected. It must, however, be emphasised that the best practices regulated by DORA are sound and useful regardless of any legal obligation, and should therefore also be implemented by Swiss companies.
Moreover, the requirements of the new framework echo the provisions of FINMA, the Swiss Financial Market Supervisory Authority, i.e. the Swiss body in charge of supervising the confederation's financial players.
When did the DORA Regulation enter into force?
The DORA Regulation entered into force on 16 January 2023 and became effective on 17 January 2025.
There are several steps required to fully comply with the DORA requirements: the first step for financial institutions is a self-assessment, to be carried out and reported to the Authority by 30 April 2025.
Adapting their infrastructures and processes to the new regulations is, today, crucial and urgent for businesses: this is why we have organised an in-depth webinar with the experts from Tinext Cloud.
IT and Cloud services required for DORA compliance
A structured approach is essential to cover the four key pillars of DORA compliance that are critical to ensuring the digital operational resilience of the financial sector, namely cyber risk management, incident or attack reporting and notification, operational resilience testing and third-party risk management.
Let us look in detail at each area and the elements to pay attention to:
- Cyber risk management, structured in specific steps: financial entities are required to map the business functions supported by ICT services, identify the most critical ones, assess threats, implement security policies, monitor any anomalous activity and ensure business continuity;
- Reporting and notification of incidents and threats, through constant monitoring of services to assess anomalous events and cyber threats, to be promptly notified to the competent authorities. Criteria considered for notification include the number, geographical location and authority of affected customers, affected transactions, and reputational and economic impacts;
- Digital Operational Resilience Testing: here, the DORA Regulation requires financial players to define and execute a digital operational resilience testing programme annually, in order to assess preparedness in case of incidents and external attacks on ICT systems. For example, penetration tests that mimic the actual tactics of potential attackers are required to identify security holes;
- Third-party risk management, meaning that ICT service providers are also required to prove their reliability and robustness. Companies must identify their key suppliers, assess them and ensure that they meet the required security standards. Tinext Cloud is, in this sense, a secure, ISO-certified and international standards-compliant provider, already active in supporting global financial players and operating in compliance with FINMA regulation.
To help companies achieve DORA compliance, we offer a range of advanced security services, inspired by industry best practices and known as Managed Services, including:
- Managed Detection and Response (MDR), malware protection through the implementation of managed endpoint protection;
- Vulnerability management, services to identify vulnerabilities and simulate intrusions, reducing the attack surface and ensuring system compliance;
- Managed Web Application Protection, customisable web security services to protect applications from cyber attacks;
- Disaster Recovery as a Service (DRaaS), a service that allows the creation of system replicas between remote sites, for rapid reactivation in the event of an emergency.
Towards a safer digital future: cyber resilience
The DORA regulation is an important step towards improving the digital operational resilience of the European financial sector. By implementing the measures required by the new regulation and adopting advanced security solutions, financial entities can protect their assets and customer data, and contribute to the stability of the entire economic system. Tinext Cloud is committed to providing the solutions and support needed to meet the challenges of the future, today.