DORA Compliance: What You Need to Know Now That the Deadline Has Passed

The DORA compliance deadline passed on January 17, 2025. Learn about ongoing requirements, enforcement risks for non-compliant organizations, and how to achieve compliance if you haven't already.


TL;DR

  • What is DORA: an EU regulation (Regulation (EU) 2022/2554) that strengthens the digital operational resilience of financial entities and of the ICT third-party providers that support them
  • Who must comply: banks, investment firms, insurers, payment and e-money institutions, crypto-asset service providers, and the ICT third-party providers supporting them
  • Compliance status: applicable since January 17, 2025; supervisory enforcement is now active
  • Five pillars: ICT risk management; ICT-related incident management and reporting; digital operational resilience testing; ICT third-party risk management; information sharing
  • Penalties: for financial entities, set by Member State law (DORA fixes no euro or turnover cap for them); for critical ICT third-party providers, periodic penalty payments of up to 1% of average daily worldwide turnover

DORA has applied since January 17, 2025. Financial entities and their ICT service providers must now operate comprehensive digital resilience frameworks or face supervisory action. If your organization hasn't achieved compliance, immediate action is critical.


The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a European Union regulation that strengthens the operational resilience of financial entities and of the ICT service providers they depend on. Its application date of January 17, 2025 has passed, meaning competent authorities can now take enforcement action against non-compliant organizations.

Who Needs to Comply?

DORA applies to a broad range of financial institutions and ICT service providers supporting them. Affected entities include:

  • Banks and investment firms
  • Insurance companies and pension funds
  • Payment institutions and electronic money providers
  • Crypto-asset service providers
  • ICT third-party service providers supporting financial entities

While DORA has a wide reach, Article 2(3) carves out a handful of entities. The exemption most often relevant in practice covers insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries that are micro, small, or medium-sized enterprises; check the full list before assuming you are out of scope.

Even companies outside the EU, such as U.S.-based cloud service providers or cybersecurity firms, fall under DORA's reach if they support EU financial institutions' operations. They are reached in two ways: indirectly, through the contractual terms that financial entities must impose on their ICT providers (Article 30), and directly if they are designated as critical ICT third-party providers, in which case a Lead Overseer (one of the European Supervisory Authorities) can inspect, issue recommendations to, and penalize them.

Proportional Compliance Based on Risk Profile

DORA recognizes that not all businesses face the same level of cybersecurity risk. Under its proportionality principle (Article 4), requirements are applied with regard to an entity's size, overall risk profile, and the nature, scale, and complexity of its services, so two firms of similar headcount can be held to different standards depending on their role in the financial ecosystem.

Certain small entities named in Article 16 (for example small and non-interconnected investment firms, and payment and e-money institutions operating under national exemptions) may implement a simplified ICT risk management framework, while high-risk entities must adhere to the full set of requirements.

The Five Pillars of DORA Compliance

To achieve compliance, organizations must address the following key areas:

1. ICT Risk Management

A well-structured ICT risk management framework is central to DORA compliance. This includes:

  • Placing ultimate responsibility for ICT risk with the management body, which must approve and periodically review the framework (Article 5)
  • Identifying critical or important business functions, the ICT assets that support them, and the associated risks
  • Implementing security controls to protect, detect, respond to, and recover from ICT disruptions
  • Regularly updating policies and processes as new risks emerge, and after major incidents or test findings

For businesses already pursuing ISO 27001 certification, there is significant overlap between its requirements and DORA, allowing for streamlined implementation. Understanding the ISO 27001 certification process can help you prepare for DORA's requirements more efficiently. The caveat: an ISO 27001 certificate does not by itself demonstrate DORA compliance. DORA adds obligations with no ISO equivalent, such as the register of ICT third-party contracts, fixed regulatory incident-reporting timelines, and threat-led penetration testing, and supervisors will look for each of them.

2. Incident Response and Recovery

Organizations must develop an incident response plan to handle disruptions efficiently. This involves:

  • Defining procedures for incident detection, containment, and resolution
  • Classifying incidents using DORA's criteria (clients and counterparties affected, duration, geographic spread, data losses, criticality of the services affected, and economic impact) so that "major" ICT-related incidents are recognized quickly
  • Reporting major ICT-related incidents to the competent authority through the prescribed sequence of an initial notification, an intermediate report, and a final report (Article 19), and optionally notifying significant cyber threats

3. Operational Resilience Testing

DORA mandates regular resilience testing to assess the robustness of ICT systems. ICT systems supporting critical or important functions must be tested at least once a year (Article 24). Testing can be scaled based on company risk exposure and may include:

  • Tabletop exercises to simulate cybersecurity incidents
  • Vulnerability assessments and scans to identify security gaps
  • Penetration testing, scenario-based tests, and source-code reviews where feasible (Article 25)
  • Disaster recovery drills to verify data backup and system restoration capabilities

Financial entities identified by their competent authority must additionally undergo threat-led penetration testing (TLPT) at least every three years, run against live production systems by qualified testers (Article 26).

4. Third-Party Risk Management

Since many financial entities rely on third-party service providers, DORA requires organizations to:

  • Conduct thorough vendor risk assessments before contracting, with particular attention to providers supporting critical or important functions
  • Maintain a register of information covering all contractual arrangements with ICT third-party providers, available to the competent authority on request (Article 28)
  • Include the contractual provisions DORA prescribes (Article 30), among them service descriptions, data processing and storage locations, incident-support obligations, audit and access rights, and termination and exit arrangements; the exercise resembles negotiating Data Processing Agreements under GDPR, but the required clauses are different
  • Assess ICT concentration risk and keep exit strategies current for critical providers (Articles 28 and 29)
  • Continuously monitor third-party compliance with contractual and regulatory requirements

5. Information Sharing

DORA promotes the exchange of cyber threat intelligence within trusted communities of financial entities to enhance industry-wide resilience (Article 45). Participation is voluntary, but entities that join an arrangement must notify their competent authority, and information-sharing initiatives can strengthen collective defense against cyber threats.

Key Challenges Organizations Face

Whether you're maintaining compliance or working to achieve it, organizations commonly face these challenges:

  • Complex supply chains – Managing multiple ICT dependencies requires extensive mapping and ongoing oversight.
  • Low cybersecurity maturity – Companies with limited security programs must implement significant upgrades. Consider using a compliance checklist to identify gaps.
  • Manual security processes – Automating cybersecurity workflows enhances efficiency and reduces compliance effort.
  • Inefficient incident reporting – Implementing structured and automated reporting mechanisms minimizes regulatory risks.
  • Limited DORA expertise – Organizations may need external guidance to interpret and implement regulatory requirements effectively.

Not Yet Compliant? Here's What to Do Now

If your organization hasn't achieved DORA compliance, take immediate action:

  1. Assess Your Risk Exposure – Understand the severity of your compliance gap and prioritize accordingly.
  2. Conduct a Gap Analysis – Identify specific areas where your ICT risk management falls short of DORA requirements.
  3. Develop an Accelerated Roadmap – Create a realistic timeline for achieving compliance with quick wins first.
  4. Implement Critical Controls First – Focus on high-impact areas: incident response, third-party risk management, and ICT risk frameworks.
  5. Document Everything – Demonstrating good-faith efforts toward compliance may influence regulatory response.
  6. Engage Expert Support – Given the urgency, consider working with compliance specialists who can accelerate your path to compliance.

Maintaining Ongoing Compliance

For organizations that achieved compliance by the deadline, the work doesn't stop. DORA requires continuous attention:

  • Regular resilience testing – Conduct ongoing assessments and update based on emerging threats.
  • Vendor monitoring – Continuously evaluate third-party ICT providers for compliance.
  • Incident response drills – Test and refine your response procedures regularly.
  • Policy updates – Adapt your frameworks as regulatory guidance evolves.
  • Annual reviews – Conduct comprehensive self-audits to maintain compliance posture.

Enforcement and Penalties

With the January 17, 2025 application date now past, competent authorities have full authority to supervise and enforce DORA requirements. What a non-compliant organization faces depends on what it is:

  • Financial entities: administrative penalties and remedial measures defined by each Member State's law (Article 50). DORA itself sets no fine cap for financial entities; the "2% of annual turnover" and fixed euro figures that circulate in commentary are not in the Regulation's text, so check the national law of your jurisdiction.
  • Critical ICT third-party providers: periodic penalty payments imposed by the Lead Overseer of up to 1% of average daily worldwide turnover in the preceding business year, charged daily until compliance for up to six months (Article 35)
  • Supervisory measures such as cease-and-desist orders and public notices; where a critical provider ignores the Lead Overseer's recommendations, authorities can require financial entities to suspend or terminate their contracts with it
  • Reputational damage and loss of business relationships with compliant financial entities

Supervisors can be expected to prioritize the most significant compliance failures. That should not be read as leniency: every covered entity must be able to demonstrate compliance on request.

How Bastion Can Help

Whether you're catching up on DORA compliance or maintaining your existing program, Bastion simplifies the process by offering:

  • Gap assessments to identify exactly where your organization stands
  • Accelerated compliance programs for organizations that need to achieve compliance quickly
  • Ongoing compliance management to maintain your DORA posture over time
  • Expert advisory support to address your specific compliance needs

Don't let DORA non-compliance put your organization at risk. Contact Bastion today to strengthen your operational resilience and meet regulatory requirements.
