The EU Digital Operational Resilience Act is now in effect, but reports suggest some affected organizations struggled to meet the compliance deadline and still have not been able to fully comply with the Act. Does DORA apply to your organization? If it does, are it and your cybersecurity team DORA compliant?
Best known as DORA, the Digital Operational Resilience Act is an EU regulation that aims to strengthen the financial sector's cybersecurity resilience. First published back in December 2022, the legislation now applies to Europe’s financial organizations and will also impact those based outside the EU but operating within it, such as financial organizations in the U.K. and U.S.
However, despite a two-year lead time to prepare for its implementation, the January 17, 2025, compliance deadline came and went with some companies both inside and outside the EU not able to fully meet the requirements in time.
What is DORA?
DORA is an EU regulatory framework designed to raise the cybersecurity and operational resilience of the financial sector to a consistent baseline standard across the bloc. As a legal act, DORA is intended to ensure that financial entities and their critical service providers operating in the EU are prepared and equipped to deal with and recover from operational disruptions, particularly those stemming from cybersecurity incidents. ISC2 contributed to the public consultation on the draft regulatory technical standards on behalf of members.
DORA applies to a wide range of organizations and service providers operating in the EU financial sector, including banks, insurance providers, investment bodies, payment processors, cryptocurrency providers and exchanges, as well as critical third-party IT providers servicing the financial sector. As such, it also impacts organizations including cloud service providers, software vendors and platform operators.
DORA’s Key Pillars
DORA can be broken down into five main areas of requirement:
- ICT Risk Management: DORA requires that organizations have frameworks in place to adequately monitor, manage and – most importantly – respond to cybersecurity and ICT incidents and risk factors.
- Incident Reporting: The Act sets down specific requirements for incident reporting and disclosure (in addition to the requirements of wider-ranging legislation such as GDPR), as well as a three-step process and timeline for delivering those reports.
- Resilience Testing: Organizations covered by DORA are required to conduct regular testing of their digital systems, including penetration testing for significant institutions and financial infrastructure providers.
- Supply Chain Risk Management: Monitoring and managing third-party ICT providers (in particular cloud and software services) is a key requirement to ensure your software and services supply chain doesn’t represent an undue risk to the organization and its operations.
- Information Sharing: DORA also mandates a framework for the sharing of cybersecurity threat information among financial organizations to bolster industry-wide resilience. However, participation in that sharing is voluntary.
DORA’s Reporting Requirement
Organizations covered by DORA need to comply with a three-step cybersecurity incident reporting process and timeline, namely:
- Initial Notification: This must occur immediately once the organization is aware of a major incident.
- Intermediate Report: A follow-up to add additional information and context as soon as more information is available or on request.
- Final Report: No more than one month after an incident is resolved, the organization must deliver a final document providing a full analysis of the incident, confirmation of the root cause and preventative plans to avoid recurrence.
Perceived Obstacles to DORA Compliance
Despite a two-year lead time to prepare for DORA becoming law, some affected organizations and national governments struggled to meet the original deadline for full compliance and have continued to struggle in the months that have followed. As of the beginning of April 2025, 13 EU member states had not yet integrated DORA into local legislation.
The reasons for compliance and adoption delays are varied, but one of the challenges highlighted is the late delivery of the regulatory technical standards documents, some of which remained in draft stage until late into 2024. This in turn delayed adoption, particularly at the EU member state legislative level.
Other issues have been put down to a lack of awareness around DORA and its requirements, as well as a shortage of in-house skills to deliver against them. The skills challenge was compounded for many by the fact that DORA came into force alongside a slew of other EU cybersecurity legislation, including NIS2, the Cyber Resilience Act, the Cyber Solidarity Act and the AI Act. Together, these represent a considerable amount of compliance work, with differing requirements on shared focus areas.
At an organizational level, cybersecurity, compliance, risk and legal teams must collaborate to achieve compliance, and some organizations simply do not have the level of integration and communication between these teams that this requires.
Developing Skills for Compliance
As part of ISC2’s public consultation submission, we highlighted the importance of Continuous Professional Development (CPD) within the DORA framework to ensure that individuals in roles related to delivering DORA compliance continue to develop their knowledge and skills in line with emerging cybersecurity threats and technological advancements. Alongside the competency-based framework, ongoing education and training ensures cybersecurity professionals maintain a high standard of operational resilience against evolving cyber threats.
ISC2 provides many options to support members looking to expand their skills base to deal with risk and compliance issues, such as those that fall under the scope of DORA. The CGRC certification is a proven way to demonstrate your knowledge and skills to undertake governance, risk management and regulatory compliance tasks and responsibilities. ISC2 Courses covering practical risk analysis, risk standards, incident management, cybersecurity frameworks and breach response together form a pathway for cybersecurity professionals to develop their skills further to deal with the compliance and reporting needs of DORA and other emerging cybersecurity legislation.