DORA in practice: what it really means today for financial institutions and their IT suppliers

The Digital Operational Resilience Act, known as DORA, has fundamentally transformed the approach to digital resilience in the financial sector. It is not merely another piece of IT regulation. DORA establishes a single European framework for ICT risk management, incident response, operational resilience testing and the oversight of relationships with ICT suppliers.

Why DORA was established

Today, the financial sector is vitally dependent on information and communication technologies. Banks, payment institutions, securities dealers, insurance companies and other regulated entities provide services via digital systems, cloud solutions, outsourcing and complex supply chains. When ICT infrastructure fails, it is not merely a technical issue. It can lead to service outages, breaches of regulatory obligations, infringements of clients’ rights, and reputational and financial losses. This is precisely why DORA harmonises digital operational resilience rules across the EU financial sector and complements the existing fragmented framework.

Who is affected by DORA

DORA has a relatively broad scope. It applies to a large proportion of regulated financial entities, including credit and payment institutions, electronic money institutions, investment firms, fund managers, insurance undertakings, reinsurance undertakings, crowdfunding platforms, certain entities operating in the field of crypto-assets, and third-party ICT service providers to the extent specified in the Regulation. It is important to note that small or micro-entities are not automatically exempt from the scope of DORA; the size of the company is relevant more to the extent and nature of certain obligations than to applicability itself.

DORA is not just about cybersecurity

A common mistake is to view DORA solely as a security or IT regulation. In reality, it is a much broader regulatory framework. DORA is built on several pillars: ICT risk management, ICT incident management and reporting, digital operational resilience testing, management of risks associated with third-party ICT providers, sharing of information on cyber threats, and oversight of critical ICT providers. From a management perspective, therefore, it is not just about technical measures, but also about the allocation of responsibilities, decision-making processes, the preparation of internal documentation and crisis scenarios, and the contractual framework for relationships with suppliers.

Which obligations are most important in practice

  • ICT risk management framework. A financial institution must have internal management and control measures in place, along with effective policies, procedures, protocols and tools that enable ICT risks to be identified, managed, monitored and continuously updated. The governing body is not merely a passive recipient of reports; DORA explicitly places management in the role of an approving and accountable body. This means that the matter cannot be relegated solely to the IT department or an external provider.
  • Management and reporting of ICT incidents. Entities must be able to record and classify incidents and, where appropriate, report them to the relevant authorities. In addition to the technical handling of the incident itself, a high-quality internal process is also essential: who assesses the incident, who decides on its classification, who communicates with the regulator, and how the corrective measures taken are documented. DORA thus elevates incident management from an ad hoc response to a regulator-driven process.
  • Digital operational resilience testing. It is not enough to claim that systems are secure; a financial institution must continuously verify its resilience. Depending on the nature and size of the institution, this may involve a range of tests, from routine checks to more advanced testing. In practical terms, this means that security and operational documentation must correspond to the actual functioning of the company, rather than existing merely ‘on paper’.
  • Third-party risk management. DORA places particular emphasis on relationships with ICT suppliers, especially where they support critical or important functions. It is not enough to select suppliers on a one-off basis; financial institutions must be able to continuously assess their risks, contractually address key rights and obligations, and maintain clear records of these relationships. It is precisely here that, in practice, it often becomes apparent that the biggest problem lies not in cybersecurity itself, but in outdated contracts, incomplete records and unclear mapping of critical functions.

What DORA means for management and the legal department

From a legal and compliance perspective, DORA is primarily a governance project. It requires that responsible management be clearly designated, that approved policies, crisis and recovery plans, reporting rules, training for senior staff, and appropriately drafted contractual documentation with ICT providers be in place. For in-house lawyers and compliance teams, this means they must integrate regulation, outsourcing, cybersecurity, business continuity and the internal control system into a single functional whole. It is no longer sufficient to have separate ‘IT policies’, ‘outsourcing policies’ and several contract addenda if there is no substantive link between them.

The most common weaknesses in practice

In practice, the main problem is often that companies have not precisely identified the critical and important functions supported by ICT, are unable to link incident management with regulatory reporting, do not have testable crisis scenarios in place, and underestimate the contractual and record-keeping aspects of outsourcing. It is equally problematic when management formally “takes note” of ICT risks but does not, in reality, exercise active oversight over them. DORA, however, is based on the premise that digital operational resilience is part of the proper management of a financial institution, not an isolated technical discipline.

Conclusion

DORA has not merely introduced new obligations. It has also set a new standard for regulatory expectations. A financial institution must be able to demonstrate that it truly understands its ICT risks, that it can respond to incidents, that it tests the resilience of its systems, that it has its ICT suppliers under control, and that the company’s management actively makes decisions on these matters. For part of the market, this represents a fundamental cultural shift. For those who started early and approached DORA as a governance and resilience project, it can, on the contrary, be a competitive advantage: greater operational stability, better preparedness for incidents, and stronger trust from both clients and regulatory authorities.
