DORA

Our services include:

  • DORA GAP Analysis & Recommendations.
  • DORA Implementation & Verification.
  • Internal audit against the DORA Regulation.
  • Training for the board or executive management on DORA.

Downloads:

  • DORA Internal Audit Service
  • DORA Guide: DORA – step by step

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation that entered into force on January 16, 2023 and has applied since January 17, 2025. It aims to strengthen digital resilience in the financial sector. With increasing cyber threats and a growing reliance on digital infrastructure, DORA is crucial to ensuring that banks, insurance companies, payment institutions, and other financial actors can manage, withstand, and recover from ICT-related incidents.

What is DORA and who is covered by the regulation?

The Digital Operational Resilience Act (DORA) is an EU regulation aimed at creating a harmonized framework for managing ICT-related risks in the financial sector. The goal is to limit the impact of digital incidents and ensure that Europe’s financial sector can maintain resilient operations.

DORA entails that:

  • Financial entities must comply with uniform requirements for the security of their networks and information systems.

  • All entities must be able to withstand, respond to, and recover from various types of ICT-related disruptions and threats.

Who is covered?
DORA applies to a wide range of organizations, including:

  • Credit institutions and payment institutions

  • Central counterparties and trading venues

  • Insurance and reinsurance companies

  • Credit rating agencies

  • Other financial entities

  • ICT third-party service providers (e.g., cloud services and other critical suppliers); providers designated as critical are additionally placed under a direct EU oversight framework

The five pillars of DORA
The regulation consists of 64 articles. The requirements relevant to financial entities and ICT providers are grouped into five pillars:

  1. ICT risk management (Articles 5–16)

  2. Incident management, classification, and reporting (Articles 17–23)

  3. Testing of digital operational resilience (Articles 24–27)

  4. Management of ICT third-party risks (Articles 28–30; the oversight framework for critical ICT third-party providers follows in Articles 31–44)

  5. Information sharing (Article 45 – voluntary)

These pillars are supplemented by regulatory and implementing technical standards (RTS/ITS), which clarify and complement the regulation’s requirements.

What does DORA mean in practice?

To maintain control over ICT risks, financial entities need to:

  • Maintain an ICT risk management framework, with the governance, documentation, and capabilities needed for strong and effective risk management.

  • Implement mechanisms and policies to identify, classify, manage, and report major ICT-related incidents to the competent authority (in Sweden, Finansinspektionen, the Swedish Financial Supervisory Authority).

  • Ensure that policies are in place for testing ICT systems, controls, and processes.

  • Establish procedures for managing third-party risks.

DORA is a true game-changer in how the financial sector approaches operational resilience. It requires a broader perspective on resilience and the development of new, sophisticated capabilities.

With the right approach, DORA can help to:

  • Improve the ability to manage ICT risks.

  • Deepen the understanding of the business impact of operational disruptions, including at management level.

  • Raise the level of security by ensuring that findings from resilience testing are followed up with remediation measures.

  • Include third-party providers in risk management and establish holistic control over ICT-related operational risks.

What does the principle of proportionality mean?

DORA contains a principle of proportionality, which means that the rules must be implemented in proportion to each organization’s:

  • Size and risk profile

  • Nature and scope of services

  • Complexity of operations

In practice this means that certain smaller entities, such as small and non-interconnected investment firms and other entities listed in Article 16, are subject to a simplified ICT risk management framework rather than the full set of requirements. The most advanced requirements, such as Threat-Led Penetration Testing (TLPT, Article 26), apply only to financial entities identified by their competent authority on the basis of size, risk profile, and systemic importance.

What do organizations need to do to achieve DORA compliance?

Building digital operational resilience is not only about technical solutions and regulations, but also about:

  • Awareness and knowledge across the entire organization

  • Continuous improvement in processes and routines

  • The responsibility of management and the board for ICT risks and continuity

According to DORA (Article 5), the management body of a financial entity must maintain sufficient knowledge and skills to understand and assess ICT risk and its impact on operations, and bears ultimate responsibility for managing the entity’s ICT risk and resilience.

Recommended first steps:

  • Conduct a gap and maturity assessment based on DORA’s final requirements (Level 1) and the regulatory/implementing technical standards (ITS/RTS, Level 2).

  • Focus in particular on strengthening:

    • Governance of ICT risks, including methodology and identification of critical functions.

    • Maturity in the collection and analysis of incident and threat data.

    • Scenario-based security testing.

    • Identification and mapping of ICT third-party providers.

    • The ability to monitor, analyze, and manage third-party risks.

How can Seadot Cybersecurity help?

At Seadot Cybersecurity, we have experience and expertise in governance, risk management, incident and continuity management, third-party risks, and other relevant areas. We have supported several clients on their journey toward regulatory compliance. Our experienced compliance experts can help identify where gaps in capability, resources, and expertise currently exist, so that the implementation period is used effectively.

Ready to take the next step?

Do you have questions or want to know more about how Seadot can help your organization?
We are ready to support you in strengthening your information security.

Contact us

Email:
info@seadot.se
For general inquiries

Emma Stewén, Deputy CEO
emma@seadot.se
+46 76 601 15 10
For questions about our services