Understanding DORA: What Financial Institutions and Businesses Need to Know

The Digital Operational Resilience Act (DORA) is a new EU regulation aimed at strengthening cybersecurity and resilience in the financial sector. Coming into full effect on 17 January 2025, DORA sets out strict requirements to ensure financial institutions and their ICT service providers can withstand and respond to cyber threats and operational disruptions.
The Importance of Connectivity in Digital Resilience
In today’s interconnected financial landscape, connectivity is the backbone of digital resilience. Banks, payment providers, and trading platforms depend on uninterrupted network access to deliver real-time services, facilitate transactions, and prevent operational failures. DORA recognises this by requiring institutions to ensure secure, stable, and resilient connectivity, reducing the risk of downtime due to cyber incidents or infrastructure vulnerabilities.
DORA requires businesses to have dual, diverse connectivity, which in practice means a minimum of two connections entering a premises from diverse locations. This means you must have two providers or two different delivery mechanisms (fibre and fixed wireless being the best options), entering your premises at different points.
Who is Affected?
DORA applies to a broad range of entities, including banks, insurers, asset managers, payment providers, and even third-party ICT service providers such as cloud computing and cybersecurity firms. Companies operating within or providing services to the EU’s financial sector must comply.
DORA represents a significant shift in financial cybersecurity regulation. Firms must act now to prepare or face regulatory penalties, operational risks, and potential financial losses due to connectivity failures and cyber threats.
Key Requirements
- ICT Risk Management – Firms must implement robust risk management frameworks to detect, mitigate, and recover from cyber incidents.
- Incident Reporting – Cybersecurity breaches must be reported within 24 hours, with a detailed analysis provided within 72 hours.
- Resilience Testing – Organisations must conduct regular cybersecurity assessments, including penetration testing and live response exercises.
- Third-Party Oversight – Companies must ensure ICT suppliers comply with DORA’s security standards and risk management protocols.
- Ensuring Network & Infrastructure Resilience – Financial institutions must safeguard their connectivity infrastructure to prevent service disruptions and ensure seamless financial operations; the only way to achieve this is by having dual and diverse connections coming into every premises.
- Regulatory Supervision – Financial regulators will have increased authority to enforce compliance, impose penalties, and audit digital resilience strategies.
What Should Businesses Do Now?
- Assess current cybersecurity and network infrastructure to identify vulnerabilities.
- Check whether you have dual and diverse connections.
- Enhance risk management and incident response protocols.
- Review contracts with ICT providers to ensure compliance with both cybersecurity and connectivity requirements.
- Invest in secure and redundant network solutions to minimise the risk of operational disruptions.
- Engage with regulators and industry bodies for guidance.