
Regulation (EU) 2022/2554, known as DORA – the Digital Operational Resilience Act – represents one of the European Union’s most important reforms in the field of digital operational resilience in the financial sector, and has been applicable to financial institutions since January 17th, 2025. DORA introduced a uniform regulatory framework to strengthen the ability of financial entities to prevent, respond to, and recover from cyber incidents and ICT risks.
DORA was created with the aim of:
- harmonizing rules across the 27 Member States
- reducing systemic digital risk
- strengthening confidence in the European financial system
The regulation has a very broad scope of application: it covers over 20 categories of financial entities (e.g., banks, insurance companies, payment institutions, crypto-asset service providers) for a total of approximately 22,000 entities, but the real innovation concerns critical third-party ICT service providers, such as cloud providers and strategic technology services.
DORA is built on five main pillars:
- ICT risk management: Financial entities must implement a comprehensive IT risk management framework. Responsibility lies directly with the management body (board of directors).
- ICT incident reporting: DORA introduces a harmonized incident reporting system where operators must promptly notify the competent authorities of major incidents, major cyber attacks, and critical disruptions to ensure a coordinated response across all member states.
- Digital operational resilience testing: Financial institutions must carry out periodic tests (e.g., vulnerability assessments, penetration tests, advanced threat-led penetration testing (TLPT)) with the aim of simulating realistic attack scenarios.
- ICT supplier risk management: One of the most innovative points is the requirement for financial institutions to monitor technology suppliers, include specific contractual clauses, and assess concentration and dependence on critical providers. In addition, “critical” ICT suppliers will be subject to direct European supervision.
- Information sharing: DORA promotes cyber threat intelligence sharing among financial operators in a structured and secure manner.
DORA is integrated with other European regulations such as the NIS2 Directive, the General Data Protection Regulation (GDPR), and the Markets in Crypto-Assets Regulation (MiCA). The goal is to create a consistent regulatory ecosystem for cybersecurity, data protection, and financial stability.
DORA is not just a regulatory obligation; it is a paradigm shift. It enables a move from “formal compliance” to real operational resilience, goes beyond national approaches towards integrated European supervision and, finally, enables a shift from reactive management to true structured prevention of digital risk.
DORA and Product Security Certification
The connection between DORA and product security certification is strategic and operational: DORA does not introduce mandatory certification for ICT products, but it does create a regulatory framework in which certification becomes a very important tool.
European certification of ICT products is governed by the Cyber Security Act (CSA), which established European cybersecurity certification schemes (managed by ENISA).
A product certified according to a European scheme can constitute objective evidence of security, useful for meeting the due diligence obligations that DORA imposes with regard to suppliers of such services and products.
In practice, DORA requires control, and certification is a tool for demonstrating this.
What atsec Can Do for You
atsec has extensive experience in information security and can support European financial entities in achieving compliance with the DORA Regulation.
In particular, the services that atsec can provide in this area are:
- compliance assessment to identify gaps in relation to the requirements of the Regulation;
- support in identifying, implementing, and planning interventions to cover the gaps identified;
- support in defining and implementing key security processes (e.g., risk management, incident management, third-party management) that comply with the requirements of the Regulation and are customized to the customer’s operational context;
- independent third-party due diligence assessments of the client’s critical ICT suppliers;
- independent third-party vulnerability assessments and penetration testing.
For more information, please reach out to info@atsec.com.


