What is DORA? Digital Security in the European Union


In a socio-economic environment where digitization is increasingly important, the security risks faced by financial entities are very different from those of a few years ago. In this regard, the emergence of new technological infrastructures attracts new types of dangers, such as cyber attacks. Therefore, companies are dedicating an increasing budget to protect themselves from these types of threats. The DORA regulation in the European Union aims to harmonize companies in the face of this change.


DORA: The context

DORA stands for the Digital Operational Resilience Act, and it is the EU regulation that aims to standardize how financial entities manage digital risk in finance. This regulation is a consequence of several factors that greatly condition corporate risk management:

  1. Increasing Level of Digitization: Digitization is changing the way companies operate, not only in finance but in any other sector. While it has significant advantages, it also translates into new risks. Aspects such as cyberattacks or dependence on technologies need attention, not only to protect customer data but also to prevent service interruptions, fraud, etc.
  2. High Level of Globalization: In developed countries, international relations between companies in any sector are very common and positive. However, the current level of interdependence can lead to cascading reactions that are not always positive. In the 2008 financial crisis, for example, globalization was one of the reasons for the rapid spread of problems. In more isolated economies, these situations could have been contained with much less damage.
  3. Dependence on ICT Services: Lastly, closely related to the previous point, is the dependence on Information and Communication Technologies (ICT). The outsourcing of such services and the lack of regulation of associated risks hinder the resilience of any company when these services fail.

For all the above, the creation of a common regulatory framework like DORA can help companies manage certain risks more securely. While it doesn’t eliminate the existence of risks, it significantly limits their scope and impact.

Scope and affected entities

The DORA regulation does not aim to regulate European companies but to protect the resilience of companies operating within the EU. Therefore, regardless of their fiscal domicile, companies will be affected as long as they operate within the EU territory. However, not all companies fall under the scope of DORA. In principle, the regulation is specifically directed at entities in the financial sector. This includes banks, insurers, fintech companies, asset management firms, etc.

However, we have already discussed the dependence of these companies on ICT services. Therefore, all companies that provide these types of services are also affected. Thus, information technology (IT) companies, cloud service providers, electronic payment services, and other digital service companies are also within the scope of DORA.

By covering both types of entities, the scope of the regulation protects the entire service provisioning chain. From digital and technological services to the final financial service, the entire chain is covered by the same regulation. This facilitates compliance with obligations and enhances the resilience of the entire financial sector.

DORA goals

Although we have already mentioned the main objective of DORA, we can break down this objective into 4 basic focuses:

  1. Enhance the operational resilience of the EU financial sector: This is the main objective. DORA aims to ensure that financial entities have robust processes and systems to withstand and respond to any type of digitally originated problem. These include threats such as cyber attacks, computer failures, and other situations.
  2. Increase customer data protection: As a complement to the General Data Protection Regulation (GDPR), DORA requires financial entities to implement cybersecurity measures to safeguard customer data and prevent data breaches.
  3. Standardize conditions in the EU: With a common regulatory framework, companies operating in the EU will have equal rules and requirements. This step is essential in an international and cross-sector market like that of the European Union.
  4. Reinforce the role of authorities: With this regulation, national and European supervisors will have greater competencies in terms of supervision. This reinforces their role in detecting and addressing risks related to digital resilience.

This regulation, therefore, complements and updates a series of regulations developed in the EU (GDPR, PSD) with the aim of identifying and addressing various risks in the financial sector. While financial entities are initially the most affected, they will not be the only ones. It is expected that multiple regulations of this type will be developed in the coming years for other sectors. Thus, the goal is to encompass all industries with systemic importance in society.

Requirements and obligations

DORA imposes a set of requirements on financial entities operating within the EU, aiming to enhance their digital resilience. These obligations encompass both risk management frameworks and transparency/testing methodologies. The obligations can be grouped into the following categories:

  1. Establishment of a Management Framework:
    • Development of a management framework.
  2. Definition of Protocols and Procedures:
    • Definition of protocols and procedures to address all identified risks.
  3. Implementation of Cybersecurity Measures:
    • Implementation of adequate and proportional cybersecurity measures to potential threats.
  4. Conducting Tests:
    • Conducting tests, including mapping and testing of services, processes, and IT systems.
    • Development of a continuity test to ensure the company’s resilience during service interruptions.
    • Testing resilience plans and providing training for employees.
  5. Ensuring Transparency and Appropriate Governance:
    • Notification of any incident jeopardizing the company’s activity.
    • Clear definition of operational responsibility and resilience lines.
    • Monitoring the value chain, with a focus on risks associated with outsourcing services, ensuring periodic follow-ups.

To meet these requirements, entities must adapt new practices and procedures within their IT systems. In essence, the consequences of these requirements are as described below.


DORA was published by the European Parliament on December 14, 2022. However, its effective implementation won’t occur until January 17, 2025, by which all affected companies must have completed their adaptation. Thus, a two-year period is granted for entities and authorities to make the necessary changes.

Beyond the penalty regime foreseen for entities failing to comply with this Regulation, other types of consequences in case of non-compliance should be considered. These range from the imposition of corrective measures to the withdrawal of the authorization to operate. Therefore, like any other regulation, it is crucial for companies to comply and make an effort to adapt.

In the end, it is about creating a common framework that helps protect entities from any kind of threat to their computer systems. However, there is no doubt that this regulation will require a significant adaptation effort. Let’s delve into it in more detail.

Consequences for entities

As with the implementation of any new regulation, DORA will have a significant impact on the companies to which it applies. Firstly, these companies will need to invest a substantial amount of time and resources in developing the corresponding risk management measures.

Moreover, given the changing environment and strong technological component, companies might be compelled to establish a specific area to handle such issues, involving the hiring and training of personnel. The obligation to manage certain technical risks could also affect how companies interact with their customers.

On the positive side, the implementation of DORA can be highly beneficial for companies. Better management of risks and threats to resilience is something valued by any company. Therefore, despite the associated costs, companies are likely to benefit in the long run overall.

Consequences for authorities

For regulators, there are also significant consequences. This regulation implies new competencies in terms of supervision and monitoring. Additionally, not all companies may be aware of the types of threats and risks they face. Therefore, regulators will have a dual role: on the one hand, guiding companies, and on the other, being equipped to understand and incorporate all emerging threats. Given the rapidly changing environment, the management of risks and threats must be dynamic.

It is also important to consider the integration of this regulation with other similar ones. All regulations should be complementary and not contradictory to facilitate their proper implementation. Lastly, the regulation should be designed to have the least possible impact on companies’ business. While adaptation efforts will depend on each company, regulations should be defined in a way that does not pose a barrier to regular business development. Otherwise, it will impede economic growth.


In conclusion, the regulations defined in DORA aim to protect companies in the financial sector from digital threats and risks. The increasing digitization of the economy, coupled with emerging threats to customer data, is the primary driver of this regulation. Its obligations provide companies in the financial sector with a standardized framework for risk management. Furthermore, by covering the entire value chain, it also focuses on TIC service providers.

This regulation represents a significant adaptation effort for all companies. However, it allows them to enhance their resilience against certain threats. Therefore, it is crucial for companies to adapt while minimizing the impact on business development. In this way, both companies and regulators will achieve their objectives.

Related articles

Investor guide: 3 ways to invest in cryptocurrencies

When we talk about investing in cryptocurrencies like Bitcoin, many concepts come to mind. Among them, volatility, exchanges, etc., and we trust that the benefits will outweigh the risks. In this regard, authorities such as the CNMV and the BdE warned of the risks of investing in Bitcoin, due to the strong revaluations experienced. In […]

Learn More
inflation rate

Savings handbook: Are cryptos good as store of value?

Since their conception in 2008, we have heard that cryptocurrencies and specially Bitcoin as an authentic store of value. However, this function has been historically exclusive for fiat money. In this post we will define what is a store of value and how much the cryptocurrencies fit in its definition. Additionally, we will analyse the […]

Learn More

The use of cash and the digitization of the economy

In recent years, the emergence of cryptocurrencies has highlighted a trend that had been developing for some time. Society is using less and less cash, and it’s no longer the preferred means of payment for consumers. Therefore, we will conduct a retrospective analysis to examine how we arrived at this situation and what scenarios may […]

Learn More

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.