Digital Operational Resilience Act (DORA) for financial institutions

What changes?

Do you work in finance, or do you provide ICT services to financial institutions? If so, your company must comply with the Digital Operational Resilience Act (DORA).

What is DORA?

DORA is an EU directive that aims to make financial entities less vulnerable to cyber threats and ICT risks. DORA requires these financial organisations to take measures for ICT risk management, security of ICT systems, and reporting ICT-related incidents. This way their digital resilience will be enhanced.

It depends on the size of a business how strict the requirements are. For small businesses and micro-enterprises the requirements will be less strict.

Relation to the NIS2 directive

DORA is complementary to the NIS2 directive. DORA focuses on the financial sector, NIS2 focuses on other critical sectors.

For whom?

DORA applies to:

• financial institutions such as credit institutions, banks, payment services providers, insurance companies, electronic money institutions, and investment firms
• providers of ICT services to financial institutions

When?

DORA is currently being implemented. Financial institutions have until 17 January 2025 to comply with this legislation. From then the Dutch Central Bank (DNB) and the Dutch Authority for the Financial Markets (AFM) will supervise compliance with regulation.