Digital Operational Resilience Act Takes Effect in EU

On January 17, 2025, the Digital Operational Resilience Act (DORA) came into force across the European Union, standardizing cybersecurity and digital risk management requirements for all financial institutions, including their critical third-party providers.

Under the Digital Operational Resilience Act, financial institutions across the EU are required to adopt comprehensive measures to manage digital risks and ensure operational continuity, even in the face of significant disruptions to their IT infrastructure.

The DORA extends beyond the narrow concept of cybersecurity, serving as a robust regulatory framework that demands financial institutions demonstrate readiness for any operational disruptions related to information and communications technologies (ICT). Regulators emphasize the following key points:

1. ICT risk management. Banks, insurance companies, investment funds, and other organizations must implement structured policies and processes for ICT risk management, including assessment, prevention, and continuous monitoring of incidents.
2. Third-party oversight. The DORA applies to key ICT service providers, such as cloud service providers, software developers, and outsourcing companies. From 2025, financial organizations may only work with providers that meet information security standards like ISO 27001 and SOC 2.
3. Unified approach to digital resilience. The DORA sets a benchmark for ICT risk management, akin to how the General Data Protection Regulation (GDPR) established a global standard for data protection.
4. Documentation and compliance evidence. Rather than prescribing strict instructions, the DORA requires ongoing monitoring and proof of digital resilience. Organizations must be ready to present documentation at any time, ranging from qualitative recovery time metrics to audit reports on contractor performance.

The DORA aims to streamline the digital environment in the financial sector, minimizing risks and creating a level playing field. For organizations that prepare in advance, the new regulation is expected to be a driver for strengthening operational resilience and reputation. According to PwC, more than 22,000 financial companies and ICT service providers are subject to the DORA.

The new Instant Payments Regulation (IPR) came into force on January 9, 2025, requiring all payment providers in the EU to ensure that incoming credit payments are processed within 10 seconds.