With the EU Digital Operational Resilience Act (DORA) now in effect, operational resilience is both a regulatory requirement and a strategic necessity. All technology, cyber, and risk leaders across financial services must prioritize operational resilience programs to: 

  • Ensure continuity of services by maintaining delivery of critical services to customers during disruptions. 
  • Maintain financial and reputational stability by reducing the risk of significant financial losses and reputational damage. 
  • Develop proactive response plans to minimize the impact of disruptions and recover effectively. 
  • Meet evolving regulatory demands for operational resilience by adhering to DORA and the Financial Conduct Authority’s (FCA) operational resilience guidelines. Additionally, continue to consider existing U.S. regulations, such as the FFIEC BCM Handbook, FINRA Rule 4370, and the NCUA’s BCP Guidance.

Here’s where to begin. 

Understanding DORA 

DORA is a comprehensive legislative framework designed to enhance the digital operational resilience of financial entities within the EU and U.S. entities with operations in the EU. It addresses the increasing dependence on technology and the associated risks, ensuring financial institutions can withstand severe operational disruptions. 

DORA’s key focus areas are: 

  1. Information and Communication Technology (ICT) risk management framework: Establishing a governance and control framework to manage ICT risks effectively.
  2. ICT-related incident management process: Implementing processes for managing ICT-related incidents, including timely regulatory notifications. 
  3. Digital operational resilience testing: Conducting regular testing, including threat-led penetration testing, to evaluate digital operational resilience. 
  4. Managing ICT third-party risk: Managing risks associated with critical ICT service providers. 
  5. Information-sharing arrangements: Fostering collaboration within trusted communities to share cyber-threat information and intelligence. 

Below is a breakdown of key information organizations must know:

Financial Institutions

Timeline: Entered into force January 16, 2023; applies as of January 17, 2025.

Applicability:
– Credit institutions (banks)
– Payment and electronic money institutions
– Insurance and reinsurance companies
– Investment firms
– Investment fund managers
– Central securities depositories
– Crypto-asset service providers

For U.S. entities: While DORA is an EU regulation, U.S. organizations that offer financial services within the EU or provide third-party services to EU financial services companies are impacted.

Penalties:
– Organizations may face fines of up to 2% of their annual global revenue.
– Individuals can also be held accountable under DORA, with penalties of up to €1 million for non-compliance.

Critical ICT Providers

Timeline: Entered into force January 16, 2023; applies as of January 17, 2025.

Applicability: Any entities providing critical ICT services within the EU, including:
– Cloud service providers
– Data center providers
– Software vendors
– Application providers
– Payment service providers

Penalties: Up to 1% of their worldwide annual revenue; the amount of the fine depends on the number of days the service provider was not compliant.

A Strategic Approach to Implementing DORA 

To comply with DORA, our team has developed the following checklist to help risk management leaders:  

  1. Set up governance and oversight: Assign a steering committee and program manager for DORA compliance, defining clear roles and responsibilities. 
  2. Conduct a gap analysis: Evaluate current ICT risk management and operational resilience practices against DORA requirements. 
  3. Identify critical functions and assets: Prioritize assets and services based on their impact on customers and operations. 
  4. Implement ICT risk management practices: Establish monitoring and reporting mechanisms for risk and incident management. 
  5. Enhance incident response and recovery: Develop and test incident response plans that comply with DORA’s reporting requirements. 
  6. Strengthen third-party risk management: Conduct due diligence on ICT third-party providers to ensure compliance with DORA. 
  7. Establish monitoring and reporting processes: Set up tools and metrics to continuously monitor ICT systems’ performance and risks. 
  8. Perform regular testing and assessments: Conduct penetration testing, disaster recovery tests, and resilience exercises for critical systems. 
  9. Train and educate staff: Foster a culture of resilience and awareness across all levels of the organization. 
  10. Engage regulators and maintain documentation: Maintain comprehensive documentation of compliance efforts and establish open communication with supervisory authorities. 

Overcome Common Challenges and Remain Ahead of the Operational Resilience Curve 

Financial institutions often face several challenges in achieving operational resilience, especially as regulatory and market demands evolve. Fortunately, these barriers are expected and can be proactively addressed. 

  • Interconnected risk domains: The interconnected nature of operational risk programs (cyber, third-party, privacy) can complicate risk assessments. It’s imperative, however, that operational risk programs cohesively integrate with other risk programs in support of enterprise objectives. Without a unified approach, siloed risk management efforts may lead to gaps in oversight and an incomplete understanding of systemic vulnerabilities.
  • Regulatory gaps: Rapidly evolving regulations require systematic gap analysis and remediation planning. Failure to stay ahead of these changes can result in compliance violations, penalties, and operational inefficiencies as organizations scramble to retrofit their resilience frameworks. 
  • Environmental visibility: To combat increasing complexity, organizations need a clear view of their critical processes, impact tolerances, and third-party dependencies. Limited visibility into these elements can hinder an organization’s ability to proactively manage disruptions and can increase exposure to operational failures. 

By aligning with DORA and other regulatory frameworks, financial institutions can enhance their ability to manage digital operational risks, ensuring they remain resilient in the face of disruptions.  

For expert support understanding and adapting to new compliance rules, contact CrossCountry Consulting.

Mike Pugliese

Business Transformation and Banking & Capital Markets

Contributing authors

Zachary Elliot

Gilbert Chua

Thomas Addelman

Stephanie Mendolia

Rahul Balani