Digital Operational Resilience Act (DORA)

In the past, if a bank’s physical vault was secure, the bank was considered safe. Today, the vault is digital, made of code, cloud servers, and third-party software. If any of those digital bricks crumble because of a hacker, a technical glitch, or a cloud outage, the entire financial system can feel the impact.

The Digital Operational Resilience Act (DORA) is an EU regulation designed to ensure that the financial sector can withstand, respond to, and recover from all types of technology-related disruptions. While older rules focused mostly on a bank's financial health, DORA focuses on its technical health. It moved from being a set of guidelines to a strictly enforced law across the European Union as of January 2025.

What DORA does

DORA shifts the conversation from how we prevent a cyberattack to how we keep operating during a cyberattack. It creates a single, harmonized rulebook for almost every player in the financial ecosystem, including banks, fintechs, and even the technology providers they rely on.

DORA is built on five core pillars that every firm must address:

1. ICT Risk Management: Firms must have a robust framework to identify and manage digital risks. This is not just an IT problem but a boardroom priority, with senior management held personally accountable for the digital safety of the business.

2. Incident Reporting: If a major digital disruption occurs, firms can no longer keep it quiet. They must follow a strict timeline to report the incident to regulators, sometimes within just a few hours of discovery.

3. Digital Operational Resilience Testing: It is not enough to say you are secure; you have to prove it. DORA mandates regular testing of IT systems. The most critical firms must even undergo Threat-Led Penetration Testing, where specialized ethical hackers simulate real-world attacks on their live systems.

4. Third-Party Risk Management: This is a major shift. Financial firms are now legally responsible for the security of the tech companies they hire. If a cloud provider or a software vendor fails, the financial firm is the one held accountable.

5. Information Sharing: DORA encourages firms to share details about cyber threats with each other. By working together and sharing intelligence, the entire financial community becomes harder to target.

Why DORA is a Game Changer for Embedded Finance

For companies offering embedded finance through partners like Solaris, DORA provides a new level of digital insurance. It ensures that the invisible infrastructure behind your financial products is being tested to the highest possible standards.

  • Supply Chain Security: Because DORA also applies to Critical Third-Party Providers like major cloud platforms, it closes the gap where a bank was regulated but its tech provider was not.

  • Trust as a Product Advantage: In a digital-first world, reliability is a feature. Being able to show that your financial services are DORA compliant is a powerful way to build trust with customers who worry about data breaches or system outages.

  • End of Fragmentation: Before DORA, a fintech operating in five different EU countries had to follow five different sets of local security rules. Now, there is one clear standard for the entire European market.

The Scope and Responsibility

The scope of DORA is vast, covering over 20 different types of financial entities. This includes traditional credit institutions as well as payment providers, electronic money institutions, and investment firms. It even reaches into the crypto asset space, ensuring that crypto asset service providers meet the same rigorous resilience standards as traditional banks.

One of the most significant changes under DORA is the focus on management oversight. Board members are now expected to have a basic understanding of digital risks. They are required to approve the risk management strategy and stay updated on the threat landscape.

This ensures that digital safety is woven into the business strategy rather than treated as a separate technical task.

Incident Classification and Reporting

Under DORA, not every technical glitch needs to be reported to the national authority, but every incident must be classified. Firms must use specific criteria such as the number of affected users, the duration of the downtime, and the geographical spread of the issue.

If an incident is deemed major, the reporting process begins immediately. This includes an initial notification, followed by an intermediate report, and finally a root cause analysis once the issue is resolved. This level of transparency helps regulators identify systemic risks that might be affecting multiple banks at the same time.

Interesting facts

  • Personal Liability: Under DORA, board members cannot simply delegate IT security to a sub-department. They are expected to stay informed about the digital risk landscape and can face significant fines or penalties for negligence.

  • The Stress Test for Tech: Just as the Liquidity Coverage Ratio (LCR) tests whether a bank has enough cash for a crisis, DORA tests whether a bank has enough digital stamina to survive a total system blackout.

  • The 2026 Reporting Cycle: As we move through 2026, regulators like BaFin in Germany have shifted from monitoring to active enforcement, with the first major rounds of compliance audits and system checks now in full swing.