
DORA Takes Full Effect: A Milestone in Digital Operational Resilience

January 17, 2025, marks a transformative moment for the European financial sector as the Digital Operational Resilience Act (DORA) officially applies. This regulation represents a significant leap forward in ensuring the stability and security of Europe’s financial system against the challenges of the digital age. Financial entities must now comply with a harmonized set of rules to withstand, recover from, and adapt to ICT-related disruptions.

This article provides a comprehensive overview of DORA’s status, detailing what has been finalized, what remains pending, and its impact on financial institutions.

What is DORA?

DORA is not just a regulation—it is a framework for strengthening the digital resilience of financial entities (EIOPA). It introduces standardized requirements for managing ICT risks, responding to cyber threats, and ensuring continuity in financial services. The regulation encompasses:

  • Regulatory Technical Standards (RTS): Detailed, binding rules that flesh out DORA’s requirements; drafted by the European Supervisory Authorities and adopted by the European Commission as delegated regulations (Official Journal of the EU).
  • Implementing Technical Standards (ITS): Templates and formats for compliance and reporting, adopted by the Commission as implementing regulations (EIOPA).
  • Guidelines: Supplementary documentation issued by the supervisory authorities to support consistent application (EIOPA).


Key DORA Components Already Finalized

  1. Regulation (EU) 2022/2554 (December 2022):
    The foundational DORA regulation provides a comprehensive framework for ICT risk management across financial entities and the ICT third-party service providers they rely on (EU Official Journal).
  2. ICT Risk Management Delegated Regulation (EU) 2024/1774 (March 2024):
    Establishes the requirements for the governance, tools, and processes of the ICT risk management framework, including the simplified framework for smaller entities (EIOPA).
  3. ICT Services Policies Delegated Regulation (EU) 2024/1773 (March 2024):
    Defines the content of the policy on contractual arrangements for ICT services supporting critical or important functions provided by ICT third-party service providers (EIOPA).
  4. ICT Incident Classification Delegated Regulation (EU) 2024/1772 (March 2024):
    Provides the criteria and materiality thresholds for classifying major ICT-related incidents and significant cyber threats (EIOPA).
  5. Information Register Implementing Regulation (EU) 2024/2956 (November 2024):
    Introduces the templates for the register of information on all contractual arrangements with ICT third-party service providers, which supervisors use for oversight (EIOPA).


What Remains Pending?

Despite the progress, several key RTS and guidelines remain under development:

  1. Templates for ICT Incident Reporting:
    Standardized forms for reporting incidents are still under review (EIOPA).
  2. RTS on Subcontracting:
    While the Joint Final Report on Draft RTS for Subcontracting was published on July 26, 2024, it remains a draft until adopted by the European Commission (EIOPA).
  3. RTS on Threat-Led Penetration Testing (TLPT):
    The framework for intelligence-led red-team tests that mimic the tactics, techniques, and procedures of real threat actors against a financial entity’s live production systems is still in draft form (EIOPA).
  4. Guidelines on Costs and Losses of ICT Incidents:
    Methodologies to calculate and report the financial impact of ICT incidents are still being developed (EIOPA).


What This Means for Financial Entities

As of today, financial institutions must comply with the finalized components of DORA: implementing a robust ICT risk management framework, classifying ICT-related incidents against the adopted criteria, maintaining the register of information on their ICT third-party arrangements, and adhering to the policy requirements for ICT service contracts. They must also prepare for the pending RTS and guidelines, which will fill critical gaps in areas such as incident reporting, subcontracting, and threat-led penetration testing.


Looking Ahead

The European Supervisory Authorities (EBA, EIOPA, and ESMA) continue to work on the outstanding RTS and guidelines. Financial entities should stay informed, monitor updates, and ensure readiness to integrate these requirements into their operational practices once adopted.

DORA’s full implementation will not only enhance resilience but also foster trust in the digital infrastructure underpinning Europe’s financial system, ensuring stability in an increasingly interconnected world.


TRECCERT: Supporting DORA Implementation with Specialized Training

For professionals and organizations seeking to navigate the complexities of the Digital Operational Resilience Act (DORA), TRECCERT offers a variety of training and certification programs. These programs are designed to help individuals build a deep understanding of DORA’s requirements and implement them effectively.


DORA Essentials

Training

The DORA Essentials program introduces participants to the fundamental principles of DORA. It covers key areas such as ICT risk management, incident reporting, resilience testing, and third-party risk management. This program is ideal for individuals seeking a comprehensive understanding of DORA’s requirements.

Certification

Professionals who complete the DORA Essentials training or already possess foundational knowledge can validate their expertise through TRECCERT’s certification exam. This certification highlights their capability to apply DORA principles in practical settings.


DORA for Executives

Training

DORA for Executives is designed for decision-makers and leaders, offering a strategic overview of DORA’s objectives and requirements. It provides insights into managing compliance and enhancing organizational digital resilience at an executive level.

Certification

Executives can attest to their understanding of DORA by earning a certification, demonstrating their ability to guide their organizations toward compliance and resilience.


Future Development

TRECCERT is actively working to expand its offerings with more specific programs. These upcoming programs aim to address the evolving needs of professionals in the financial and ICT sectors.


Why TRECCERT?

TRECCERT’s training and certification programs provide flexible, practical learning opportunities. Whether you want to gain foundational knowledge, demonstrate your expertise, or lead your organization through compliance, TRECCERT ensures you are well-equipped to meet the challenges of digital operational resilience.