Digital Operational Resilience Act (DORA) News & Updates April 2025
Published on 16/04/2025
Those that are unfamiliar with DORA may be unsure on what it actually is. Well DORA, which stands for the Digital Operational Resilience Act is a major EU-level legislation which aims to improve and elevate the operational resilience of financial entities across Europe, ensuring that they can withstand, respond to, and recover from a wide range of ICT-related disruptions and threats.
The Digital Operational Resilience Act officially came into force on the 17th of January 2025. Since it arrival, DORA has transformed the approach of European financial entities towards risk mitigation and business continuity.
Interestingly, whilst DORA may be an EU legislation, it still impacts non-EU based organisations supplying to the EU or working with an EU supplier. Such organisations must comply with DORA.
As we move through April 2025, several significant developments have emerged regarding the EU's Digital Operational Resilience Act (DORA).
Here’s a summary of last month’s DORA news:
There has been an increase in online resources clarifying DORA's timeline. DORA's rules apply to both new ICT outsourcing and existing contracts predating January 17, 2025, when DORA was enforced.
While DORA focuses on IT security and operational resilience in the financial sector, GDPR focuses on personal data protection. Non-compliance with DORA could result in fines up to 2% of an organization's annual turnover, similar to GDPR's enforcement.
The complexity of compliance measures has led many organisations to explore automation tools. Automated compliance tools, which saw a 120% year-on-year growth in 2024, are likely to become more popular for DORA compliance.
To read our full March blog update, click here.
It’s been a busy period for DORA with the European Commission playing a key role in shaping the current DORA landscape:
A major update on DORA involves the European Commission adopting a Delegated Regulation supplementing DORA with regulatory technical standards (RTS) on the subcontracting of ICT services. These standards outline various elements that financial entities must carefully consider and evaluate when allowing third-party providers to subcontract ICT services that support critical functions. This move aims to improve the oversight and management of subcontracting chains, ensuring robust risk assessment practices.
The European Commission also announced the regulatory technical standards (RTS) on specifying the criteria for determining how the Joint Examination Team (JET) is formed. This team will be significantly involved in overseeing the implementation of DORA.
The European Union has also published key technical standards under DORA, detailing the content and timelines for reporting major ICT-related incidents and voluntary notifications of significant cyber threats2. These standards are designed to streamline incident reporting processes, ensuring timely and accurate communication of critical information.
The European Union published key technical standards for DORA. These standards outline the timelines for reporting major ICT-related incidents. These standards will support the incident reporting process to be more streamlined.
April has been an important month for the Digital Operational Resilience Act, with significant strides made in regulatory standards. This progress showcases the EU's commitment to improving the operational resilience and continuity of its finance sector. To learn more, please don’t hesitate to get in touch with our team.