DORA Decoded: How It Began, Where It Stands, and What’s Next
Explore how DORA began, why it matters today, and its future role in strengthening EU financial resilience through unified DORA compliance standards.
Accorp Compliance Team
Our team of compliance experts specializes in PCI DSS, SOC 2, and other security frameworks to help businesses achieve and maintain compliance.
As the financial sector grows increasingly reliant on digital infrastructure, the need for robust operational resilience has never been greater. The Digital Operational Resilience Act (DORA), formally known as Regulation (EU) 2022/2554, is the European Union’s landmark legislation designed to safeguard the financial ecosystem from information and communication technology (ICT) risks.
In this installment of our DORA series, we examine the origin, current role, and future impact of DORA cyber security, shedding light on how it reshapes operational frameworks across Europe’s financial institutions and technology providers while reinforcing DORA resilience.
A Quick Recap
In our previous blog, we introduced the Digital Operational Resilience Act and outlined its five key pillars. This blog continues the conversation by exploring why DORA was created, its relevance today, and its future trajectory in enabling DORA compliance throughout the EU financial ecosystem.
The Origins of DORA Cyber Regulation
Early Concerns from the European Systemic Risk Board
In February 2020, the European Systemic Risk Board (ESRB), along with several EU Member States, voiced concerns about fragmented approaches to third-party risk management among financial entities. The ESRB recognised that cyber risks were becoming a major source of systemic risk—a single cyber incident had the potential to cascade throughout the financial system.
This early focus on cyber stability laid the foundation for DORA cyber regulation.
Launch of the Digital Finance Package
In September 2020, seven months after the ESRB report, the European Commission unveiled its Digital Finance Package, which aimed to:
Support innovation in financial services
Improve consumer access to digital financial products
Strengthen the financial sector’s resilience
A key component of the package was the draft of DORA, which aimed to bring uniform oversight to traditional financial firms and modern ICT service providers, reinforcing DORA compliance across the board.
DORA in the Present: A Hot Topic in Cyber Security
Today, DORA cyber security has become central to Europe’s broader strategy for crisis resilience. It is now mentioned alongside other safety priorities like public health, food systems, and critical infrastructure.
Why? Because cyber threats are no longer IT-only problems—they represent geopolitical, economic, and societal risks. The Digital Operational Resilience Act (DORA) addresses these challenges head-on, aiming to create a comprehensive ICT risk management framework for financial entities and third-party providers.
DORA doesn’t only impact banks and insurance companies. It also regulates cloud service providers, data analytics companies, fintechs, and software vendors, recognising their role in the financial value chain.
DORA Compliance: Future Vision and Harmonisation
Previously, ICT risk rules were scattered across frameworks like:
MiFID II
CRD IV
AIFMD
These varied by institution type and country, resulting in gaps. DORA compliance resolves this by creating unified ICT governance, risk oversight, and incident response protocols for all financial institutions and ICT providers across the EU.
From January 2025, DORA will be directly applicable in all EU Member States—no national adoption required.
Key Features of DORA’s Harmonised Framework
ICT Risk Management (DORA Compliance)
Incident Reporting
Digital Operational Resilience Testing
Third-Party Risk Management
Information Sharing
Together, these promote end-to-end DORA resilience.
Relationship with Other Regulations
To ensure alignment, Directive (EU) 2022/2556 (Amending Directive) was adopted alongside DORA to update older laws. Additionally, DORA complements the NIS Directive, though it takes precedence in case of overlap.
In upcoming blogs, we’ll examine how the Digital Operational Resilience Act aligns and contrasts with other global regulations.
Conclusion: DORA Cyber Security as a Strategic Imperative
The DORA Act EU is more than a compliance formality—it is a strategic framework that reinforces the future of financial cyber resilience. It standardises how financial institutions and their providers prepare for and handle ICT disruptions, including third-party and cloud failures.
For organisations like Accorp, aligning with the DORA Act 2022 ensures your operations remain trusted and secure in an increasingly interconnected digital world, all while maintaining robust business continuity backed by sound DORA cyber principles.


