top of page
Search

What Is DORA (EU) and How Financial Companies Can Prepare for ICT Risk Management Requirements

  • ESKA ITeam
  • Mar 11
  • 12 min read

If you operate in the financial sector in Europe or work with EU-based clients, you’ve likely heard about DORA (Digital Operational Resilience Act).

But here’s the key question:

Is DORA just another compliance checkbox or a real business risk if ignored?

The answer is simple: DORA is not just compliance. It’s about your company’s ability to survive cyber incidents.


In this article, we’ll explain:

  • What DORA is in simple terms

  • Who it applies to

  • What ICT risk management actually means

  • And how to prepare without overcomplicating the process



What Is DORA (EU)?


The Digital Operational Resilience Act (DORA) is a regulatory framework introduced by the European Union to fundamentally strengthen how financial organizations manage technology risks and ensure business continuity in the digital era.


At its core, DORA addresses a simple but critical problem: modern financial services are heavily dependent on IT systems, cloud infrastructure, and third-party providers — and any disruption in these components can immediately impact operations, customers, and financial stability.

Unlike traditional cybersecurity regulations that focus mainly on protecting data, DORA shifts the focus toward operational resilience. This means organizations are expected not only to prevent incidents but also to remain functional during disruptions and recover quickly afterward.


In practical terms, DORA requires financial entities to build systems and processes that enable them to:

  • Withstand cyberattacks and system failures, ensuring that critical services remain available even under adverse conditions. This includes protection against ransomware, DDoS attacks, insider threats, and infrastructure outages.

  • Continue operations during disruptions, whether caused by internal failures or external factors such as vendor outages or supply chain incidents. For example, if a cloud provider experiences downtime, the organization must have mechanisms in place to maintain service availability.

  • Recover quickly and effectively from incidents, minimizing downtime, financial losses, and reputational damage. This involves having tested backup systems, disaster recovery plans, and clearly defined incident response procedures.


What makes DORA particularly important is that it introduces a unified and enforceable standard across the EU. Previously, financial institutions often had to comply with fragmented national regulations. DORA consolidates these expectations into a single framework, making compliance both more structured and more demanding.


The regulation officially entered into force in January 2023, giving organizations a transition period to adapt their processes, technologies, and governance structures. Full compliance is required by January 2025, and regulators are expected to actively assess whether companies can demonstrate real operational resilience — not just documented policies.


Who Must Comply with DORA?


One of the most significant aspects of DORA is its broad scope. It applies not only to traditional financial institutions but also to the entire ecosystem that supports them.

  • Banks, which rely on complex IT infrastructures to deliver core financial services such as payments, lending, and account management.

  • Payment institutions and fintech companies, including those offering digital wallets, payment gateways, and online transaction processing. These organizations are often highly technology-driven and therefore particularly exposed to ICT risks.

  • E-money institutions, which manage electronic funds and require high availability and security of their systems.

  • Investment firms, where system downtime or data integrity issues can directly impact trading operations and client assets.

  • Insurance companies, which increasingly depend on digital platforms for underwriting, claims processing, and customer interactions.

  • Crypto-asset service providers, a rapidly growing sector that introduces additional technological complexity and risk exposure.


However, DORA goes even further by explicitly including:

  • ICT third-party providers, such as cloud service providers, SaaS platforms, data analytics services, and managed IT service vendors.

This is a crucial shift in regulatory thinking. In modern financial ecosystems, many critical functions are outsourced, meaning that operational resilience depends not only on the financial institution itself but also on its suppliers.


Even if your company is not a financial institution, you may still be subject to DORA requirements if you provide services to one.

For example, if you offer:

  • Cloud hosting

  • Payment processing infrastructure

  • Security monitoring (SOC/SIEM)

  • SaaS platforms used by financial clients - you are considered part of the financial entity’s operational chain. As a result, your clients may require you to demonstrate compliance with DORA-related controls, include specific security clauses in contracts, and undergo regular assessments.


This effectively extends DORA’s impact far beyond the financial sector, making it highly relevant for technology companies, cybersecurity providers, and managed service providers working with EU-based clients.



What Is ICT Risk Management Under DORA?


DORA introduces strict requirements for managing ICT (Information and Communication Technology) risks.

In simple terms, this means:

You must understand, monitor, and control all risks related to your IT systems, vendors, and data.

Under DORA, ICT includes everything that supports your digital operations, such as:

  • Servers (on-premise or cloud-based)

  • Endpoints (laptops, mobile devices)

  • Applications (internal systems, SaaS platforms)

  • Networks and communication systems

  • Databases and data storage

  • APIs and integrations between systems

  • Cloud environments (AWS, Azure, etc.)

  • Third-party services and vendors

In a financial company, ICT is essentially the backbone of the business. Payment processing, customer onboarding, trading systems, fraud detection - all of these depend on ICT components.


The concept of ICT risk management is central to understanding DORA requirements, but in practice it is often interpreted too narrowly or reduced to IT security.


ICT risk describes the possibility that these technologies fail, are disrupted, or are compromised. This may be caused by cyberattacks, human error, system misconfigurations, software vulnerabilities, or failures of external providers such as cloud or SaaS platforms. The key aspect is not the event itself, but its impact on business operations. Even a short outage or a minor breach can lead to financial losses, regulatory consequences, or loss of customer trust.


ICT risk management, in this context, is the structured and continuous process of working with these risks. It includes understanding what systems exist, identifying where vulnerabilities and dependencies are, evaluating potential impact, and implementing controls that reduce the likelihood or consequences of incidents. It also requires ongoing monitoring and the ability to respond and recover when something goes wrong.

Under DORA, this process cannot be informal or fragmented. It must be organized, documented, and consistently applied across the organization, including internal systems and third-party services.


Core Components of ICT Risk Management


Risk Identification

You need a clear understanding of what you actually have: systems, services, integrations, vendors — and where the weak points are. If you don’t see your full environment, you’re not managing risk, you’re guessing.


Protection

This is your baseline defense: access control, segmentation, endpoint protection, policies. The goal is not to eliminate all risk, but to make attacks harder and limit potential damage.


Detection

Even with good protection, incidents will happen. Detection is about spotting them early — through monitoring, logs, and alerting. The faster you detect, the меньше impact.


Response

This is how you act when something goes wrong. Who does what, how fast, and based on which plan. Without a clear response process, even a small incident can turn into a major problem.


Recovery

This is your ability to restore operations. Backups, disaster recovery, business continuity — everything that allows you to get back to normal quickly and avoid long downtime.




Key DORA Requirements You Can’t Ignore


1. ICT Risk Management Framework

Organizations must implement a documented and continuously updated ICT risk management framework that clearly defines how risks are identified, assessed, and controlled across the business.

The framework consists of the following components:

  • Policies and procedures that formally describe how ICT risks are managed across the organization.

  • An asset inventory that provides a complete and up-to-date view of all systems, applications, and dependencies.

  • Risk assessment processes that allow the organization to evaluate threats, vulnerabilities, and potential business impact.

  • A governance structure that defines roles, responsibilities, and decision-making authority.


2. Incident Reporting

DORA establishes strict requirements for incident reporting, which means organizations must be able to detect, classify, and report incidents within defined regulatory timelines.

An effective incident reporting process is built on the following elements:

  • A defined incident classification model that helps determine the severity and impact of each incident.

  • Formal reporting procedures that ensure incidents are documented and reported according to regulatory requirements.

  • Clear communication channels that support both internal coordination and external reporting to regulators.

Failure to report incidents properly can lead to regulatory penalties and increased scrutiny.


3. Digital Operational Resilience Testing

Organizations must regularly test their systems and controls to ensure they can withstand real-world threats and disruptions.

A comprehensive testing approach includes:

  • Vulnerability assessments that identify weaknesses in systems and configurations.

  • Penetration testing that simulates attacks to evaluate how systems can be exploited.

  • Threat-led penetration testing (TLPT) that replicates advanced attacker behavior to test real operational resilience.


4. Third-Party Risk Management

DORA requires organizations to manage risks introduced by vendors and service providers as part of their overall ICT environment.

A structured third-party risk management approach includes:

  • Assessing vendors before onboarding to ensure they meet security and resilience requirements.

  • Continuously monitoring vendors to detect changes in their risk profile over time.

  • Including security requirements in contracts to enforce accountability and minimum standards.

Even when services are outsourced, the financial organization remains responsible for the associated risks.


5. Governance and Accountability

DORA assigns responsibility for ICT risk management to senior management, making it a core business responsibility rather than only a technical function.

Effective governance is built on the following principles:

  • Board-level involvement to ensure oversight and alignment with business objectives.

  • Clearly defined responsibilities across teams and leadership roles.

  • Regular reporting that provides visibility into risks, incidents, and overall resilience.



How Financial Companies Can Prepare for DORA


Conduct a Gap Assessment

Preparation for DORA should begin with a gap assessment that compares the organization’s current practices with regulatory expectations. The purpose of this exercise is to understand where the company already meets the requirements and where important gaps still exist.


The assessment usually covers the following areas:

  • Policies, because the organization needs to understand whether its internal rules and documented procedures actually reflect DORA requirements.

  • Technologies, because existing security and monitoring tools may not provide the visibility or resilience that DORA expects.

  • Processes, because regulators will look not only at documents, but also at how incident handling, escalation, and recovery work in practice.

  • Vendor management, because third-party dependencies are a major part of DORA and often one of the weakest areas in many companies.


Build or Update the ICT Risk Management Framework

Once the gaps are identified, the next task is to build or update the ICT risk management framework so that it reflects both the company’s real operating model and the requirements of DORA. In many cases, organizations do not need to create everything from zero, because existing standards can already provide a strong starting point.

The framework can be based on recognized standards such as:

  • ISO 27001, which helps structure information security governance, policies, controls, and risk treatment.

  • NIST CSF, which provides a practical model for identifying, protecting, detecting, responding to, and recovering from cyber risks.

These standards are useful as a foundation, but they still need to be adapted to DORA, especially in areas such as resilience, third-party oversight, incident reporting, and operational testing.


Gain Visibility Into the ICT Environment

An organization cannot manage ICT risk effectively if it does not have a clear understanding of its own environment. Visibility is necessary to identify critical assets, understand dependencies, and detect where failures or attacks may occur.


This visibility should include the following elements:

  • Asset inventory, because the company must know which systems, applications, endpoints, and services support its operations.

  • Network visibility, because it is important to understand how systems communicate, where sensitive connections exist, and where abnormal activity may appear.

  • Log collection, because investigation, detection, and incident reporting depend on reliable technical evidence from across the environment.


This is also the point where SIEM and XDR solutions become highly relevant, since they help centralize visibility and support faster detection of threats or failures.


Implement Monitoring and Detection Capabilities

DORA expects organizations to continuously monitor their environment and detect incidents before they escalate into larger disruptions. Detection is not just about having alerts turned on; it is about creating an operational capability that can identify suspicious behavior and trigger the right action.


This capability is usually built around several core components:

  • SIEM, because centralized log analysis helps identify patterns, anomalies, and potential incidents across multiple systems.

  • SOC, whether internal or outsourced, because monitoring tools need people and processes behind them in order to investigate alerts and make response decisions.

  • Alerting and correlation mechanisms, because isolated events may look harmless on their own, while correlated signals often reveal real attacks or operational failures.

Without proper monitoring and detection, an organization may only discover an incident after customers, regulators, or business operations are already affected.


Strengthen Incident Response

DORA requires organizations not only to detect incidents, but also to handle them in a structured and timely manner. A weak response process often turns a manageable issue into a major business disruption.


A strong incident response capability is usually built around the following elements:

  • An Incident Response Plan, because the organization needs a documented approach for how different types of incidents should be handled.

  • Defined roles and responsibilities, because every team must know who makes decisions, who investigates, who communicates, and who leads the response effort.

  • Communication scenarios, because incidents often require timely communication with leadership, employees, clients, regulators, and sometimes third parties.

The goal of incident response is not only to stop the incident, but also to reduce business impact, support reporting obligations, and restore control as quickly as possible.


Review Third-Party Risks

Third-party risk is one of the most important topics under DORA, since financial organizations often rely on external providers for cloud services, infrastructure, software, data processing, and cybersecurity operations. Because of this, vendor-related weaknesses can quickly become business-critical problems.


A structured vendor risk management program usually includes:

  • Risk classification, because not all vendors create the same level of exposure and critical providers need more oversight.

  • Security questionnaires and assessments, because the organization must understand whether a vendor’s controls and resilience measures are actually adequate.

  • Contract clauses, because security expectations, reporting obligations, and accountability should be clearly defined in legal agreements.

  • Continuous monitoring, because vendor risk does not stay static and can change over time due to incidents, new services, or changes in the provider’s environment.

Under DORA, outsourcing a service does not outsource responsibility, which is why this area deserves particular attention.


Perform Regular Testing

DORA expects organizations to regularly test their resilience rather than assume that controls will work when needed. Testing is what turns written procedures and technical safeguards into something that can be validated in practice.


A practical testing program normally includes:

  • Annual penetration testing, because it helps identify how real attackers could exploit weaknesses in systems or applications.

  • Vulnerability scanning, because regular scanning helps detect known technical weaknesses before they are abused.

  • Red Team exercises for more mature organizations, because these simulations test how well the organization can detect and respond to realistic, multi-stage attack scenarios.


Regular testing gives management a more honest picture of the company’s resilience and helps prove that security controls are not only documented, but actually effective.



Common Mistakes Companies Make


Many organizations approach DORA incorrectly, focusing on formal compliance instead of real resilience. The following mistakes are among the most common:

  • Treating DORA as a “document-only” compliance, because companies often create policies and frameworks on paper but do not implement them in real operations or test how they work in practice.

  • Ignoring third-party risks, because organizations rely on vendors but fail to properly assess, monitor, or control the risks introduced by those providers.

  • No real monitoring (just tools, no process), because companies deploy SIEM or security tools but do not establish a functioning process for analyzing alerts and responding to incidents.

  • Weak incident response readiness, because response plans either do not exist or are not tested, which leads to confusion and delays during real incidents.

  • Lack of management involvement, because leadership treats cybersecurity as a technical issue instead of a business risk, resulting in weak governance and poor decision-making.

These are exactly the types of gaps regulators will focus on during assessments.



Business Benefits of DORA (Beyond Compliance)


DORA should not be seen only as a regulatory burden, because it also creates clear business advantages when implemented correctly.

It helps organizations achieve the following outcomes:

  • Reduced downtime, because resilient systems and tested processes allow operations to continue even during disruptions.

  • Lower financial losses from incidents, because faster detection and response minimize the impact of cyberattacks or system failures.

  • Increased customer trust, because clients are more likely to work with organizations that can demonstrate stability and security.

  • Stronger position in EU partnerships and contracts, because DORA readiness becomes a competitive advantage when working with regulated entities.

  • Higher overall cybersecurity maturity, because structured risk management improves visibility, control, and decision-making across the organization.


How We Help Financial Companies Become DORA-Ready


At ESKA Security, we support financial companies in building practical and effective DORA compliance, focusing not only on documentation but on real operational resilience.

Our services cover the full preparation process:

  • DORA readiness assessment (Gap Assessment), which helps identify where your current setup does not meet regulatory expectations.

  • Development of ICT risk management frameworks, aligned with DORA requirements and adapted to your business model.

  • Implementation of SIEM and SOC solutions, which provide continuous monitoring and detection capabilities.

  • Penetration testing, which validates your security posture and identifies real-world vulnerabilities.

  • vCISO services, which ensure ongoing governance, risk management, and compliance support at the management level.

Whether you are a startup or a growing fintech company, the approach is adapted to your stage, resources, and business priorities.


FAQ


What is DORA in simple terms?

DORA is an EU regulation that requires financial companies to manage IT risks and remain operational during cyber incidents.


Who needs to comply with DORA?

Financial institutions and ICT service providers working with them in the EU.


When does DORA apply?

Full compliance is required by January 2025.


Is DORA similar to ISO 27001?

Yes, but DORA is mandatory and focuses specifically on operational resilience.


What is ICT risk management?

It is the process of identifying, controlling, and monitoring risks related to IT systems and digital operations.

 
 
 

Comments

bottom of page