DORA in Focus: Building Resilience for the Next Wave of Digital Finance

  • aminetahour8
  • Sep 26
  • 10 min read

Updated: Oct 2

In today’s financial sector, disruptions can spread with alarming speed, from a power outage that halts digital payments to a sudden bank run triggered by online withdrawals. Such incidents underscore that resilience is not just a regulatory demand but the foundation for maintaining trust in money and the stability of the wider economy (Cipollone, 2025).

 

The Digital Operational Resilience Act (DORA) is an EU regulation designed to strengthen the capacity of financial institutions to withstand digital disruptions. Since 17 January 2025, it has required financial entities, from banks to insurers, to be prepared to handle ICT disruptions such as cyberattacks or system breakdowns and to recover from them effectively (Digital Operational Resilience Act (DORA), n.d.).

 

DORA extends beyond financial institutions themselves; it also reaches their technology providers to reinforce resilience across the whole ecosystem. In this post, we will explore what DORA is, its main requirements, challenges for companies, real-world costs and benefits from compliance, and how it is influencing Europe’s digital finance and cybersecurity prospects. 

 

The Essentials of DORA

 

As finance becomes ever more tightly integrated with technology, a single outage or cyberattack can quickly ripple through payment systems, cross-border transactions, and entire markets. DORA responds to this reality by setting a unified EU framework that turns resilience from a patchwork of national rules into a shared, EU-wide obligation. It spans both financial institutions - such as banks, insurers, investment firms, payment and e-money institutions, crypto-asset service providers, fund managers, and market infrastructures - and the ICT providers they depend on, such as cloud platforms, data centres, software vendors, and analytics firms, whose disruption could threaten financial stability. In total, DORA establishes a single digital operational resilience framework across 20 categories of financial entities (EIOPA, 2023).

 

Five Pillars of DORA



DORA’s framework is defined by five main pillars, outlined in the following points (Haynes, 2025): 

1. ICT risk management. Organizations are expected to build ICT risk management frameworks that allow them to identify, assess, and control operational and cybersecurity threats. This involves clear governance, regular risk assessments, and defined approaches for keeping risk within acceptable limits. Within this pillar, the emphasis is on ownership at the top: the management body must treat ICT risks, such as a cyberattack that could freeze payment systems, as strategic threats to business continuity rather than as isolated IT problems.
2. ICT incident management and reporting. Financial institutions are required to detect ICT incidents quickly, classify them, and report major ones to their national competent authority, detailing their impact and the steps taken to resolve them. The reporting technical standards set a staged timeline: an initial notification within four hours of classifying an incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours, and a final report within one month. The goal is to build transparency and enable faster responses to systemic risks. Beyond compliance, the value of this pillar lies in treating incident reports as a learning tool: a firm that suffers a system outage must document what went wrong and feed those lessons back into its controls.
3. Digital operational resilience testing. The third pillar requires financial institutions to test their ICT systems regularly to ensure they remain resilient under stress. For entities identified by their supervisors as significant, this extends to Threat-Led Penetration Testing (TLPT) of live production systems at least every three years, aligned with the TIBER-EU framework. Testing must go beyond internal checks, for example by involving third-party providers to see how an outage at a cloud platform would affect the institution’s ability to function.
4. ICT third-party risk management. Outsourcing technology services does not remove a bank’s responsibility for resilience. Institutions must actively oversee their providers, such as cloud or payment processors, so that external dependencies do not become weak points. A concrete example is the obligation to include clear security, recovery, and exit commitments in contracts with providers, so that if a cloud platform goes offline the bank can rely on an agreed timeline for restoring services. Institutions must also maintain a Register of Information listing all contractual arrangements with ICT providers.
5. Information-sharing arrangements. Finally, DORA encourages financial institutions to exchange threat intelligence and cooperate with peers and regulators in strengthening defences. The idea is that collective knowledge, whether about new attack methods or lessons from incidents, can raise resilience across the entire sector. Regulatory authorities, including the European Supervisory Authorities, help ensure that information is shared securely and on time, but the sharing itself is voluntary and rests with trusted communities of financial institutions.

As EIOPA (2023) illustrates, when a major ICT incident occurs, financial institutions must first report it to their relevant national competent authority. From there the information is passed on to a wider network of European and national bodies: the European Supervisory Authorities (EBA, ESMA, or EIOPA), the European Central Bank, resolution authorities, and other competent authorities such as those designated under NIS2. ENISA, the EU Agency for Cybersecurity, provides technical input, and host-country regulators are informed if the incident has cross-border implications. Based on the same source, the timeline for DORA implementation is as follows:

  • 16 January 2023: DORA enters into force. 

  • 17 January 2024: First wave of policy standards is published. 

  • 17 July 2024: Second wave of policy standards released, alongside the Delegated Act on Oversight. 

  • 17 January 2025: DORA becomes applicable to financial institutions and ICT providers. 

  • From 2025 onwards: The European Supervisory Authorities (ESAs) begin oversight activities, including the designation of critical third-party providers (CTPPs). 

 

Challenges of Implementing DORA


In this section, we identify three prominent challenges of adopting the framework based on the findings of Buttigieg and Zimmermann (2024) and complement them with a practical use case from Cifci (2024):

  1. DORA promises one digital resilience rulebook, yet how it is applied still lies largely at the discretion of national supervisors. The regulation rests on the proportionality principle: requirements scale with the size, complexity, and risk profile of a firm. So although DORA ensures a consistent set of rules, it does not by itself guarantee consistent supervisory practice, and it therefore depends on effective coordination between European and national authorities to function properly.

 

The tight timeline makes this harder. Many detailed standards were published only shortly before DORA took effect, leaving National Competent Authorities (NCAs) and financial entities little time to adjust. The timing also puts pressure on the European Supervisory Authorities (ESAs), whose role is to coordinate consistency in supervision across the EU such that it does not lag behind the regulation’s design.  

 

  2. DORA requires NCAs to build their own systems for two key tasks: handling reports of major ICT-related incidents and significant cyber threats, and collecting the annual Registers of Information (RoI) on third-party ICT providers. Incident reports must then be transmitted by NCAs to the ESAs, the ECB, and other designated authorities, whereas the annual RoIs are passed to the Oversight Forum. Since all 27 Member States must build their own solutions - and the ESAs may need separate systems too - the result is a fragmented and costly patchwork. A feasibility report on a single EU reporting hub was due by January 2025, but by then NCAs already needed to have systems in place. The authors note that more centralisation should be considered in the future, including for the RoI, which that report does not cover.

 

  3. The third challenge concerns coordination, cooperation, and fragmentation in the oversight framework. DORA sets up a shared system for overseeing critical ICT third-party providers, with EU bodies such as the ESAs coordinating oversight, whereas national supervisors remain the main point of contact for financial institutions. This division makes consistency hard to achieve, especially since providers such as cloud firms usually serve the entire financial sector, not just one part of it. A fully centralised EU authority was considered but rejected because of cost and because these providers also operate outside finance. As a result, effective oversight now depends on how well many different actors can cooperate.

 

Practical Use Case (based on Cifci, 2024)


Financial institutions point out that complying with DORA requires significant investments in people, technology, and time. This includes hiring staff, investing in tools, and relying on third-party consultants. It is worth noting that the work is not about starting from scratch but about adapting existing frameworks. To manage the load, an organization can break the process into smaller projects, focus first on the riskiest areas, and carry out gap analyses to identify weaknesses. For many firms, the main challenge is therefore finding enough resources and aligning internal teams to make it happen.

 

Beyond resources, another key challenge for institutions is understanding and interpreting DORA’s requirements in practice. As the author shows, compliance is not only about investing money or staff but also about ensuring clarity across departments. To address this, organizations can rely on internal experts, organize workshops, and develop training programmes so that employees at all levels understand their roles. To pin down responsibilities and keep the organization aligned with DORA’s evolving expectations, policies and procedures must be reviewed and updated regularly.

 

The Cost and Value of DORA



Short-Term Compliance Costs and Challenges 


Boehm and Schneider (2024) report that DORA compliance is far from cheap: many institutions budgeted €5-15 million just for initial planning and gap assessment, with full implementation expenses often five to ten times higher. In one large financial group, the total DORA programme spend is nearly €100 million (covering programme management and technology control upgrades). Moreover, according to the same source, about 70% of institutions surveyed expect permanently higher running costs for IT and control functions as a result of meeting DORA requirements.

 

Brownlow Davies, quoted in CSO Online (Mutzbauer, 2025), notes that smaller firms often turn to outside providers for tasks like testing, monitoring, and compliance: “While this can reduce the internal staffing burden, it adds recurring costs and potential risks associated with vendor reliance.”


Long-Term Benefits and Cost Savings Figures 



Despite the considerable compliance effort, DORA is expected to bring lasting benefits for individual institutions and the stability of the EU financial system.


Published case studies report substantial gains in cyber defence. One European payment processor established a DORA-aligned testing programme and remediated 37 critical vulnerabilities before they could be exploited, while cutting system recovery time by 65% during cyberattack simulations (Regulation-DORA.eu, 2025). Similarly, a mid-sized asset manager enhanced its incident monitoring under DORA and reduced its mean time to detect security incidents from 18 hours to 22 minutes, according to the same source. Furthermore, avoiding a single major cyber incident can save millions, given that the average cost of a data breach was around $4.8 million in 2024 (Zieber, 2024). Staying in compliance also keeps firms clear of supervisory penalties. Note, however, that DORA itself leaves administrative penalties for financial entities to the Member States (Article 50); the figure of fines “of up to 2% of global annual turnover” sometimes quoted in commentary (Maman Ibrahim, 2025, para. 8) does not appear in the regulation. The turnover-based sanction that DORA does contain is the periodic penalty payment of up to 1% of average daily worldwide turnover that the Lead Overseer can impose on a critical ICT third-party provider that fails to cooperate (Article 35).

 

Generally speaking, the benefit of DORA lies in greater stability and integrity of the financial system, which benefits consumers, investors, and the economy.  

 

Building on DORA: Digital Finance Laws and Cybersecurity Initiatives in the EU 


DORA is expected to be a foundation on which subsequent digital finance laws are built. Notably, DORA is lex specialis to the broader NIS2 Directive (the general EU cybersecurity law), meaning that for financial-sector cybersecurity DORA’s specific rules apply in place of NIS2’s generic requirements (Rumigny, 2025). One of the biggest 2023 developments was the European Commission’s proposal for a digital euro, a central bank digital currency for the euro area. Under the proposal, private-sector intermediaries (banks and payment service providers, or PSPs) distributing the digital euro would fall under DORA’s regime and “need to abide by DORA when they distribute the digital euro” (European Commission, 2023, p. 87). This means firms providing digital euro wallets or payment services would have to meet DORA’s ICT risk management, incident reporting, and testing requirements.

 

In June 2023, the Commission proposed a Payment Services Directive 3 (PSD3) and a parallel Payment Services Regulation (PSR) to update the rules for payment providers. Crucially, the draft laws explicitly tie into DORA’s framework. They call for payment institutions to implement robust security and operational risk controls “aligning with the provisions for ICT risk management in DORA” (EY, 2023). In fact, PSD3 would require applicants for a payments licence to “uphold a high level of digital operational resilience as defined by DORA” (EY, 2023). This integration means that once PSD3/PSR are adopted and become applicable (at the time of writing, expected around 2025-2026), compliance will effectively demand adherence to DORA-level resilience. DORA’s approach is thus becoming the baseline across financial regulation.

 

Alongside DORA, the EU has also advanced broader cybersecurity laws - such as updates to the Cybersecurity Act, the Cyber Solidarity Act, and the Cyber Resilience Act - that strengthen the wider resilience framework financial institutions now operate in (Crowell & Moring, 2024).

 

Suggestions for Future Research 



One forward-looking consideration is how DORA will interface with new tech-focused regulations like the EU Artificial Intelligence Act. The AI Act will impose risk controls on AI systems, some of which will be used in financial services (e.g., AI trading algorithms or credit scoring). Financial regulators may need to issue guidance on how AI-related failures or attacks should be handled under DORA’s framework. Similarly, as fintech innovation accelerates (blockchain, DeFi, etc.), regulators might need to update or clarify DORA’s application. Can a regulation like DORA, designed for stability, keep pace with the speed of fintech disruption? 

 

Final word  

In this article, we have unpacked what DORA means for finance today: its rules, challenges, real-world benefits, and how it is shaping the future of Europe’s digital finance and cybersecurity landscape. Yet as DORA becomes fully embedded, questions naturally arise: Will its framework be flexible enough to address fast-moving innovations like AI, blockchain, or the digital euro? How will it interact with future regulations such as PSD3 or the Cyber Resilience Act? And will the promise of a harmonized, resilient financial system translate into practice for both large institutions and smaller players?

 

What’s clear is that DORA is not the endpoint but part of a broader journey. Its true test will be whether it can keep up with the evolving digital finance world, respond to new threats, and continue serving as a foundation for Europe’s regulatory puzzle in the years ahead. 



References  

Bariche, S. (2024). The Digital Operational Resilience Act: Case study on one financial institution’s implementation phase (Master’s thesis, Stockholm University). DiVA portal. https://urn.kb.se/resolve?urn=urn:nbn:se:su:diva-221794 

Boehm, J., & Schneider, S. (2024, June 28). Europe’s new resilience regime: The race to get ready for DORA. McKinsey. https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/europes-new-resilience-regime-the-race-to-get-ready-for-dora 
Buttigieg, C. P., & Zimmermann, B. B. (2024). The digital operational resilience act: challenges and some reflections on the adequacy of Europe’s architecture for financial supervision. ERA Forum, 25(1), 11–28. https://doi.org/10.1007/s12027-024-00793-w 
Cipollone, P. (2025, September 17). What resilience takes: Strengthening the financial system in an era of heightened risk [Keynote speech]. European Central Bank. https://www..europa.eu/press/key/date/2025/html/ecb.sp250917_2~279de8d776.en.html 
Crowell & Moring LLP. (2024, May 14). EU cybersecurity: Legislative developments for the region. https://www.crowell.com/en/insights/publications/eu-cybersecurity-legislative-developments-for-the-region 
Deloitte. (2025). DORA European Survey – 2025 edition: Strengthening digital operational resilience in the financial sector. Deloitte Luxembourg. https://www.deloitte.com/lu/en/services/consulting/research/dora-european-survey.html 
Digital Operational Resilience Act (DORA). (n.d.). European Insurance and Occupational Pensions Authority. https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en 
EIOPA. (2023, October 10). Digital Operational Resilience Act (DORA): Reporting of register of information, of major ICT-related incidents and significant cyber threats – Update [Presentation]. European Insurance and Occupational Pensions Authority. https://www.eiopa.europa.eu/document/download/2888a8e8-4a20-4e27-ad51-7ad4e5b511f7_en?filename=5_2023-10-10_EIOPA Reporting event.pdf  
European Commission. (2023). Commission staff working document: Impact assessment report accompanying the documents Proposal for a Regulation of the European Parliament and of the Council on the establishment of the digital euro; Proposal for a Regulation of the European Parliament and of the Council on the provision of digital euro services by payment services providers incorporated in Member States whose currency is not the euro and amending Regulation (EU) 2021/1230 of the European Parliament and the Council; and Proposal for a Regulation of the European Parliament and of the Council on the legal tender of euro banknotes and coins. https://www.astrid-online.it/static/upload/2306/230628-impact-assessment-digital-euro-regulation_en.pdf
Haynes, S. (2025, February 7). Understanding the five pillars of the DORA. TechGDPR. https://techgdpr.com/blog/understanding-the-five-pillars-of-the-dora/ 
ISACA. (2025, January 7). Positioning DORA compliance as a strategic advantage for digital trust and operational excellence. ISACA. https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2025/positioning-dora-compliance-as-a-strategic-advantage-for-digital-trust-and-operational-excellence 
Mutzbauer, J. (2025, January 20). Midsize firms universally behind in slog toward DORA compliance. CSO Online. https://www.csoonline.com/article/3805126/dora-implementation-keeps-bank-cisos-on-their-toes.html 
OpenAI. (2025, September 30). ChatGPT (GPT-5) [Large language model]. https://chat.openai.com/ 
Regulation-DORA.eu. (2025, June 7). DORA implementation case studies: Real-world applications & success stories. https://www.regulation-dora.eu/usecases#:~:text=Measurable%20Outcomes%3A
Rumigny, F. (2025, June 23). Navigating the intersection of NIS2 and DORA: What you need to know. Trustbuilder. https://www.trustbuilder.com/en/nis2-dora-regulations-compliance/#:~:text=
Zieber, B. (2024, October 3). DORA Regulation & Compliance — Digital Operational Resilience Act. AlertMedia. https://www.alertmedia.com/blog/dora-regulation-compliance/#:~:text=Here%E2%80%99s%20how%20building%20digital%20resilience,benefits%20organizations
