Print Article

DORA will impact you – it will be like GDPR all over again!!


I want to talk to you about DORA because it will be a hot topic next year [like GDPR but for financial services only], and you and your boards should be talking about it now, if not soon.


  1. How are non-EU organisations relevant to DORA?
    1. The DORA, as an EU regulation, applies directly to EU-based entities.
    2. However, if a non-EU financial institution operates within the borders of the EU, has a subsidiary in the EU, or a non-EU technology firm provides services to an EU-based financial institution, the DORA covers the institution and its supply chain. 
    3. Furthermore, under the DORA, non-EU businesses that provide critical ICT services to EU financial institutions will be required to establish a subsidiary in the EU. 
  2. DORA: What is it?
    1. The Digital Operational Resilience Act (DORA) is a new European framework that embeds a more robust and resilient approach to delivering digital capabilities in Financial Markets.
    2. The framework shifts the focus from guaranteeing firms’ financial soundness to ensuring they can maintain resilient operations through the severe operational disruption caused by cyber security and information and communication technology (ICT) issues.
    3. By introducing a consistent supervisory approach across the relevant sectors, DORA ensures convergence and harmonisation of security and resilience practices across firms operating in the European Union (EU).
  1. Why is DORA relevant?
  1. DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU and the ICT infrastructure supporting them from outside the EU.
  2. The regulation introduces specific and prescriptive requirements for all financial market participants, including (but not limited to) banks, investment firms, insurance undertakings and intermediaries, crypto asset providers, data reporting providers and cloud service providers.
  3. DORA builds on previous industry-specific guidelines to define requirements around
    1. Consistent ICT risk management,
    2. Comprehensive resilience testing capabilities (including threat-led penetration testing); and
    3. Third-party risk management ensures consistent service provision across the entire value chain.
  1. The five critical topics at the centre of DORA are:
    1. ICT Risk Management.
    2. Reporting on ICT-related Incidents.
    3. Digital Operational Resilience Testing.
    4. Management of Third-Party Risk; and
    5. Information and Intelligence Sharing.
  1. The regulation is unique in introducing a Union-wide Oversight Framework on critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs).
  1. When will DORA be enforced?
  1. DORA entered into force on 16th January 2023. With an implementation period of two years, financial entities will be expected to comply with the regulation by early 2025.

Would you like to learn more? CALL ME



The Team

Meet the team of industry experts behind Comsure

Find out more

Latest News

Keep up to date with the very latest news from Comsure

Find out more


View our latest imagery from our news and work

Find out more


Think we can help you and your business? Chat to us today

Get In Touch

News Disclaimer

As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email