A little over 2 months ago, the Digital Operational Resilience Act (DORA) was officially implemented within the EU finance sector. This major EU-level legislation was introduced with the purpose of transforming the finance sector’s level of operational resilience and business continuity.
Over the past couple of months, DORA has been a popular topic of interest, not only within the EU financial sector but also across the world. Interestingly, whilst DORA is an EU legislation, its impact reaches beyond this region, because it also applies to non-EU entities that operate in, or work with organisations within, the EU’s finance sector.
As mentioned in our previous monthly DORA update, a number of renowned international organisations have spoken out about their prioritisation of DORA compliance, which has greatly driven awareness of the regulation. Alongside this, it was also identified that some leaders in the IT industry had found the process of complying with DORA to be somewhat difficult. Last month’s DORA updates can be found here.
More online resources are addressing the structure of DORA’s timeline, providing more clarity on this matter. DORA’s rules apply both to new ICT outsourcing contracts and to existing contracts pre-dating 17 January 2025, the date on which DORA officially came into force. Additionally, there is a transition period of 36 months for existing contracts to be addressed and compliance to be confirmed. This transition period, which will end on 15 January 2028, gives financial entities time to update existing contracts and align them with DORA’s requirements.
A topic that has been popping up more and more is that of the relationship and synergies between DORA and the General Data Protection Regulation (GDPR). Like DORA, the GDPR is also a major EU-level legislation and was implemented on 25 May 2018.
Interestingly, there are some strong similarities between the two legislations. For example, both aim to ensure data integrity, availability, and confidentiality. Whilst DORA’s primary focus is IT security and operational resilience in the context of the financial sector, GDPR’s focus is the protection and security of personal data. Following GDPR’s introduction, numerous organisations received major fines for non-compliance. Could we see a repeat of this with DORA? Ultimately, it’s likely that organisations that don’t comply with DORA will receive fines (up to 2% of an organisation’s annual turnover).
DORA has officially been in full effect for over two months. Within that time, financial entities have also been working to align with other regulatory frameworks, such as the Cyber Resilience Act (CRA). Like DORA, the CRA aims to elevate and improve the security and operational resilience capabilities of organisations.
The complexity involved in some compliance measures has encouraged numerous organisations to explore automation tools. Could this prompt a noticeable rise in compliance automation? Data compliance tools were actually deemed the fastest-growing application category last year, with 120% year-on-year growth (OKTA, 2024). With this in mind, it’s possible that automated compliance tools will continue to gain popularity and be adopted by organisations for DORA compliance.
For over 25 years, we’ve been supporting organisations of all sizes and from across all industries. Within this time, we’ve established ourselves as leaders in regulatory compliance support. To understand how we can support you with DORA compliance, please don’t hesitate to get in touch with our team.