EXPEL BLOG

How the Digital Operational Resilience Act (DORA) will affect your business


· 6 MIN READ · PIERRE NOEL · NOV 18, 2025 · TAGS: Guidance

TL;DR 

  • The Digital Operational Resilience Act is a new, comprehensive cybersecurity and operational-resilience regulation for financial entities in the European Union
  • Third-party ICT providers serving these businesses are pulled into scope as well, either directly (if designated as critical) or through the contracts their financial-entity customers must impose
  • We’ve yet to see penalties enforced for non-compliance, so it’s better to get ready now than to wait for the first fines

 

Like most sensible people, you probably keep your most valuable physical assets stashed under lock and key. But how do you protect your digital assets?

A strong cybersecurity posture will do most of the heavy lifting. But not every organisation can tell managed detection and response (MDR) from a managed security service provider (MSSP), let alone decide which one it needs. And that’s fine, until it isn’t.

Financial entities, in particular, require comprehensive cybersecurity standards to keep their customers’ data and capital safe. That’s where the Digital Operational Resilience Act (DORA) comes in.

This new regulation requires financial bodies and their associated third parties to build and maintain strong cyber defences. But what exactly does that mean?

If you’re not quite up to speed on DORA, we’ve got you covered. Let’s unpack what the regulation says, why it’s so important, and the critical steps businesses can take to stay compliant.

 

What is the DORA regulation?

The Digital Operational Resilience Act (DORA) is a European Union regulation (Regulation (EU) 2022/2554) designed to enhance cyber hygiene across the entire financial sector. It entered into force on January 16, 2023 and has applied since January 17, 2025, the end of a two-year transition period for financial entities to get to grips with the legislation and implement its measures.

“But what’s the point?”

It’s this: DORA aims to create a single, harmonised framework for managing ICT and cyber risk in banks, private wealth management firms, insurance brokers and more. Most banks were already largely compliant thanks to existing prudential supervision, but for other categories on that list, cybersecurity has historically been less of a priority.

Once swotted up and compliant with DORA’s terms, financial entities should be equipped to withstand, respond to, and recover from all types of information and communication technology (ICT) disruptions and threats. Sounds like our kind of world.

 

The five pillars of DORA compliance

If you have a Bachelor of Laws and a week of free time to spare, the unabridged DORA terms can be read in this 79-page document, dense with all the obligations, clauses, and legalese your heart could desire. But if you’re searching for the TL;DR, here’s our take.

 

DORA comprises five key pillars:

  1. ICT risk management: This focuses on the establishment of a robust framework for managing ICT risk. It encompasses both technology and governance-based policies, controls, and procedures, with the management body explicitly accountable for them.
  2. Incident reporting: There are new requirements for how firms detect, manage, and report major ICT-related incidents. DORA establishes clear criteria for classifying incidents and strict reporting timelines for alerting the relevant competent authority.
  3. Digital operational resilience testing: DORA introduces mandatory testing requirements, including threat-led penetration testing (TLPT), an advanced form of security assessment that emulates real-world threat scenarios, for the financial entities their competent authority identifies for it, at least every three years.
  4. Managing third-party ICT risk: The regulation’s scope extends to the third parties providing ICT services to financial entities. Organisations must assess and monitor the risks in their ICT supply chain, impose specific contractual provisions on their providers, and maintain a register of information covering all of those contractual arrangements.
  5. Information sharing: Although not mandated by DORA, there are provisions to encourage cyber threat intelligence sharing between financial bodies, with a view to improving the sector’s collective defences.

 

Which organisations are affected?

That’s a fair number of brand-new guardrails, and you’ll need to know whether they apply to your organisation.

DORA applies to a wide range of financial entities operating in the European Union, including: banks, payment providers, insurance and reinsurance undertakings and intermediaries, investment and private wealth management firms, crypto-asset service providers, crowdfunding organisations, credit rating agencies, and trading venues.

Third parties providing ICT services to financial entities in the EU are affected in two ways. Providers designated as critical by the European Supervisory Authorities fall under a direct EU oversight framework. All others (cloud computing service providers, software providers, data centres, hosting partners, and the like) are bound indirectly, because the financial entities they serve must write DORA’s contractual requirements into their agreements and monitor providers against them.

Financial entities headquartered in the UK or elsewhere must also comply with DORA for the operations they run in EU markets, typically through an EU-authorised subsidiary or branch.

In time, we expect some version of DORA will be extended beyond the EU and deployed on a global scale. Many international financial regulators already demand similar provisions from companies in the sector—it’s only a matter of time before they’re globally enforced. 

 

What does DORA mean for businesses?

So, what’s all the fuss about? Will your organisation need to change tack in light of DORA? Let’s review.

Starting at the top, banks are usually perceived as the most secure organisations of all. They’ve long been subject to stringent regulations, such as those imposed by the UK’s Financial Conduct Authority.

Other entities, such as private equity firms, advisors, and insurance brokers, have historically been less regulated—and may be overwhelmed by DORA’s wide scope and technical requirements.

Cybersecurity awareness is one area where organisations will be challenged. DORA expects leaders to ensure that employees, and the management body itself, receive ongoing cybersecurity training and stay aware of best practices across the organisation.

Organisations will also need full visibility of their digital estate. Many financial entities, even banks, lack detailed knowledge of what systems they have, where data resides, which machines can access the internet, and so on.

DORA effectively mandates that understanding, partly because you cannot classify or report an incident you cannot scope, and its deadlines for reporting major ICT-related incidents are tight. Under the accompanying technical standards, the initial notification is due within four hours of classifying an incident as major and no later than 24 hours after the entity becomes aware of it; an intermediate report on impact and planned recovery measures is due within 72 hours of the initial notification; and the final report, with root cause analysis, lessons learned, and the resolution, is due within one month of the intermediate report.

Significant investment in technology, personnel, and training is required to implement DORA’s terms, which may be challenging for smaller providers. A side effect of DORA is that third-party suppliers to financial entities end up meeting much the same security requirements, because their customers are obliged to impose them contractually and to monitor compliance.

This creates a far-reaching domino effect that impacts many organisations providing services in the EU.

Assessing third parties and aligning their contracts with the new requirements is complex. For example, any software organisation or intermediary wanting to do business with HSBC will need to demonstrate DORA compliance. While they may not be affected by DORA in their own organisation, they’ll be subject to its terms when trading with firms that are. 

As for the future of DORA, we expect future updates to impose guidelines around AI, particularly concerning how systems handle confidential financial information.

 

What are the DORA penalties? 

You might be wondering what happens to organisations that fail to comply with DORA. At the time of publishing, we’re wondering the same thing.

The regulation leaves the penalty regime for financial entities to each member state, which must provide administrative penalties and remedial measures that are effective, proportionate, and dissuasive; the specific fine levels therefore vary by country. For critical ICT third-party providers, DORA is explicit: the Lead Overseer can impose periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover for every day of non-compliance, for up to six months.

Administrative and, where national law provides for them, criminal penalties are possible for serious or repeat offenders. Regulators may order remediation, publish the breach, or suspend licences in the event of multiple infractions.

Criminal charges against board-level leaders, while unlikely, are possible in severe cases. Gross negligence may incur executive liability, including personal fines.

However, the effectiveness of these penalties in deterring non-compliance remains to be seen. There haven’t been any significant fines issued—yet—leading some organisations to take a “wait and see” approach to DORA.

We believe it’s only a matter of time before an organisation is fined for flagrant DORA non-compliance. Regulations like GDPR were successful because non-compliant parties were hit with large fines soon after the rules were introduced, and the whole world realised it needed to pay attention to data privacy.

Other historical regulations that should have had an impact have seen less success, as no penalties were handed out. If and when board-level directors are penalised, we’ll see a rush of firms implementing DORA-mandated measures.

 

How to get compliant with DORA

For firms to get compliant across the board, many will have to introduce the cybersecurity and reporting measures larger banks already use. For example, risk management approaches may need to be refreshed to include risk assessments, gap analysis, and policy development that aligns with DORA’s requirements. Others will need to upgrade their incident response strategies, factoring in response planning, managed detection and response (MDR), and crisis management, so that incidents can be classified and reported within DORA’s deadlines.

Another key dimension is resilience testing. Organisations can benefit from carrying out specialised vulnerability assessments and tabletop exercises that train executives to face specific incident scenarios. These measures can help organisations identify potential hazards—such as cyber threats, data leaks, and system outages—and reduce their likelihood and potential impact.

 

How Expel can help 

Expel supports DORA compliance by providing continuous, 24×7 monitoring and enhanced visibility for organisations. Our platform ingests information from a variety of cloud sources, including Google Cloud, AWS, and Microsoft Azure, to provide round-the-clock, 360-degree visibility.

Whether a threat targets your cloud, endpoints, network, or SaaS apps, we’ve got your back. But beyond monitoring, we can intervene when an attack happens. We investigate, contain, and support your recovery from a threat—usually in about 20 minutes.

As a third-party service provider to financial services entities, Expel has also prepared contractual supplements that align with the relevant tiered requirements under DORA.

Turn compliance into a competitive advantage. Find out more about our managed detection and response services to get started on your journey to DORA compliance.