DORA Compliance for Financial Services Websites — Requirements 2026
How DORA (Digital Operational Resilience Act) affects financial sector websites: ICT policies, incident transparency, business continuity, third-party ICT suppliers.
What Is DORA and Who Does It Apply To?
The Digital Operational Resilience Act (DORA, Regulation 2022/2554) entered into force on 16 January 2023, with its provisions becoming applicable from 17 January 2025. DORA establishes uniform requirements for digital operational resilience for financial entities across the European Union.
DORA's scope of application is very broad. It covers:
- Credit institutions (banks).
- Insurance and reinsurance undertakings.
- Investment firms and asset managers.
- Payment institutions and electronic money institutions.
- Crypto-asset service providers (CASPs).
- Central securities depositories and central counterparties.
- Benchmark administrators.
- Credit rating agencies and statutory auditors.
- ICT third-party service providers serving financial entities (including cloud providers, software vendors, and data centre operators).
Smaller entities (micro-enterprises, small payment institutions, small investment firms) are subject to a simplified DORA regime — but are not fully exempt.
Five Pillars of DORA: What Financial Entities Must Implement
DORA organises requirements around five thematic areas:
- ICT risk management (Art. 5–16): Financial entities must have a comprehensive ICT risk management framework with clearly defined roles (the management body bears direct responsibility). Asset mapping, information asset classification, and regular risk reviews are required.
- ICT incident management (Art. 17–23): Mandatory implementation of processes for detecting, classifying, and reporting incidents. Major ICT incidents must be reported to the competent supervisory authority within strict deadlines: an initial report within 4 hours of classification (max 24h of detection), followed by intermediate and final reports.
- Digital operational resilience testing (Art. 24–27): Annual basic testing (vulnerability assessments, infrastructure scanning) for all entities. Advanced Threat-Led Penetration Testing (TLPT) every three years for significant entities.
- ICT third-party risk management (Art. 28–44): A register of all ICT contracts, concentration risk assessment, key contractual clauses (audit rights, security requirements, business continuity plans). Critical ICT providers are subject to direct oversight by the ESAs (EBA, EIOPA, ESMA).
- Information sharing (Art. 45): Voluntary but encouraged participation in cyber threat information-sharing arrangements.
Financial Websites and DORA: Specific Requirements
DORA is not a website regulation, but compliance with it has a direct bearing on what a financial entity communicates on its website — and how. The following areas require particular attention:
1. ICT Security Policy and Its Communication
DORA requires financial entities to have and publish (internally, and where appropriate externally) their ICT security policies. In practice, a financial entity's website should contain or link to:
- Information security policy — or at least a publicly available summary, referencing applicable standards (e.g., ISO 27001, NIST).
- Vulnerability disclosure policy (Responsible Disclosure / VDP) — a contact point for external security researchers reporting vulnerabilities. This is a best practice recommended by ENISA.
- Security Operations Centre (SOC) contact or security@[domain] — an address for reporting security incidents.
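As an added example (not from the original article), the following Python script checks the machine-readable form of that contact point: a security.txt file as defined in RFC 9116, which the article does not mention but which is the usual way to publish the VDP contact and policy link on a website. It assumes the file is served at /.well-known/security.txt; the example.com addresses are constructed. It flags the common weak form (a bare e-mail address with no expiry or policy link) and accepts the completed form.

```python
"""Check a security.txt file for the vulnerability-disclosure contact point.

Added example, not from the original article. It assumes the file lives at
/.well-known/security.txt and applies the field rules of RFC 9116 (Contact
values must be URIs, exactly one Expires, Policy and Canonical recommended).
Sample inputs below are constructed for illustration."""
from datetime import datetime, timedelta, timezone

CONTACT_SCHEMES = ("mailto:", "https:", "tel:")


def parse_security_txt(text):
    """Map lower-cased field names to their values; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("__malformed__", []).append(line)
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of 'ERROR:'/'WARN:' findings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []
    for bad in fields.get("__malformed__", []):
        findings.append(f"ERROR: line is not 'Field: value': {bad!r}")

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("ERROR: no Contact field; researchers have no reporting channel")
    for contact in contacts:
        if not contact.lower().startswith(CONTACT_SCHEMES):
            findings.append(f"ERROR: Contact must be a URI (mailto:/https:/tel:), got {contact!r}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("ERROR: exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                raise ValueError("timestamp has no timezone")
            if exp <= now:
                findings.append(f"ERROR: file expired on {expires[0]}; stale contacts mislead reporters")
            elif exp - now > timedelta(days=365):
                findings.append("WARN: Expires is more than a year away; keep it under a year so it is reviewed")
        except ValueError:
            findings.append(f"ERROR: Expires is not an ISO 8601 timestamp: {expires[0]!r}")

    if "policy" not in fields:
        findings.append("WARN: no Policy field linking the vulnerability disclosure policy")
    if "canonical" not in fields:
        findings.append("WARN: no Canonical field; reporters cannot tell which copy is authoritative")
    return findings


# Constructed sample 1: a bare e-mail address and nothing else (a common first attempt).
WEAK_SECURITY_TXT = "Contact: security@example.com\n"

# Constructed sample 2: the same contact point completed as RFC 9116 expects.
_EXPIRES = (datetime.now(timezone.utc) + timedelta(days=180)).strftime("%Y-%m-%dT%H:%M:%SZ")
GOOD_SECURITY_TXT = f"""\
# Vulnerability disclosure contact for example.com (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: {_EXPIRES}
Policy: https://example.com/security/disclosure-policy
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_SECURITY_TXT), ("good", GOOD_SECURITY_TXT)):
        findings = validate_security_txt(text)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  " + finding)
```

Run it as-is to see the four findings against the weak file and a clean pass for the completed one; pointing `validate_security_txt` at the text fetched from your own /.well-known/security.txt turns it into a periodic check that the published contact has not silently expired.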
2. ICT Incident Transparency
Art. 19 of DORA obliges financial entities to notify clients of major ICT incidents where the incident affects or may affect the financial interests of clients. In practice, this requires a crisis communications procedure covering the website — for example, a system status page or a dedicated security communications section.
A status page (e.g., status.companyname.com or a section on the main website) should enable:
- Communication of the current service status (including outages).
- An archive of historical incidents.
- A description of remediation actions taken — which is important for demonstrating compliance.
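The reporting deadlines in the ICT incident management pillar above (initial report within 4 hours of classification, at most 24 hours after detection) interact in a way that is easy to get wrong when classification is slow. The following Python example, added here and not part of the original article, computes the initial-notification deadline from the two timestamps and flags the case where classification happens so late that the 24-hour cap has already passed. The incident references and times are constructed placeholders, and the example covers only the initial report, not the intermediate and final reports, for which the article gives no deadlines.

```python
"""Compute the DORA initial-notification deadline for a major ICT incident.

Added example, not from the original article. It encodes only the two figures
the article gives for the initial report: 4 hours after the incident is
classified as major, capped at 24 hours after detection. The incident
records below are constructed; the reference numbers are placeholders."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)   # 4h from classification as major
INITIAL_CAP_AFTER_DETECTION = timedelta(hours=24)   # never later than 24h from detection


@dataclass(frozen=True)
class MajorIncident:
    reference: str
    detected_at: datetime
    classified_major_at: datetime

    def __post_init__(self):
        # Deadlines are reported to a regulator, so naive timestamps are rejected outright.
        for ts in (self.detected_at, self.classified_major_at):
            if ts.tzinfo is None:
                raise ValueError(f"{self.reference}: timestamps must be timezone-aware")
        if self.classified_major_at < self.detected_at:
            raise ValueError(f"{self.reference}: classification cannot precede detection")


def initial_report_deadline(inc: MajorIncident) -> datetime:
    """Earlier of (classification + 4h) and (detection + 24h)."""
    return min(inc.classified_major_at + INITIAL_AFTER_CLASSIFICATION,
               inc.detected_at + INITIAL_CAP_AFTER_DETECTION)


def classified_after_cap(inc: MajorIncident) -> bool:
    """True when classification took so long that the 24h cap had already expired,
    i.e. the initial report is overdue at the very moment of classification."""
    return inc.classified_major_at > inc.detected_at + INITIAL_CAP_AFTER_DETECTION


def reporting_status(inc: MajorIncident, now: datetime):
    """Return (state, deadline, delta): state is 'DUE' (delta = time left) or
    'OVERDUE' (delta = time elapsed since the deadline)."""
    deadline = initial_report_deadline(inc)
    if now > deadline:
        return "OVERDUE", deadline, now - deadline
    return "DUE", deadline, deadline - now


def utc(*args) -> datetime:
    """Build a timezone-aware UTC datetime from (year, month, day, hour, minute)."""
    return datetime(*args, tzinfo=timezone.utc)


# Constructed incidents (placeholder references, not real cases).
SAMPLE_INCIDENTS = [
    # Classified promptly: the 4h rule governs (deadline 14:00).
    MajorIncident("INC-PLACEHOLDER-1", utc(2026, 3, 1, 8, 0), utc(2026, 3, 1, 10, 0)),
    # Classified 23h30 after detection: the 24h cap cuts the 4h window to 30 minutes.
    MajorIncident("INC-PLACEHOLDER-2", utc(2026, 3, 1, 8, 0), utc(2026, 3, 2, 7, 30)),
    # Classified 26h after detection: the cap passed before classification finished.
    MajorIncident("INC-PLACEHOLDER-3", utc(2026, 3, 1, 8, 0), utc(2026, 3, 2, 10, 0)),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        # Evaluate each incident 15 minutes after it was classified as major.
        now = inc.classified_major_at + timedelta(minutes=15)
        state, deadline, delta = reporting_status(inc, now)
        flag = " (classified after the 24h cap)" if classified_after_cap(inc) else ""
        print(f"{inc.reference}: initial report {state} at {deadline.isoformat()} ({delta}){flag}")
```

The third sample is the failure mode worth monitoring: a classification process that takes longer than 24 hours produces an initial report that is overdue the moment it is filed, so the time-to-classify, not only the time-to-report, is the control a resilience test should measure.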
3. Privacy Policy and Cookie Requirements
A financial entity's website combines DORA requirements with GDPR and ePrivacy Directive obligations. The privacy policy should additionally address:
- Processing of personal data in the context of ICT incident management (logs, audit trails, incident reports to supervisory authorities).
- Data transfers to ICT providers (cloud, software) — both within the EU and to third countries (Art. 46 GDPR).
- A description of the technical security measures used to protect client data (encryption, pseudonymisation).
4. Website Availability and Business Continuity
A financial entity's website is often its primary channel of contact with clients. DORA requires financial entities to ensure the continuity of ICT systems — which includes the availability of the website and web applications. In practice, this requires:
- A Business Continuity Plan (BCP) covering the website.
- Redundant hosting environments (multi-region CDN, failover DNS).
- Regular website recovery tests after failure (part of the digital resilience testing required by DORA).
- Defined and tested Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for the website.
5. ICT Supplier Risk Management: What Financial Entities Must Disclose
DORA Art. 28 requires financial entities to maintain a register of all ICT contracts. While the register need not be public, the website should be consistent with it — if the entity uses third-party services (e.g., hosting, CRM, chatbot), this must be reflected in the privacy policy and cookie policy.
If a financial entity uses a cloud provider to deliver services to clients (e.g., online banking on AWS or Azure), DORA requires ensuring that the contract with the provider contains:
- Audit and inspection rights for the financial entity and supervisory authorities.
- Security and availability clauses.
- Contingency plans and contract exit procedures.
DORA Supervisory Authorities in the EU
At the national level, each Member State designates a competent authority for DORA supervision — for banks this is typically the national banking regulator, for insurance firms the insurance regulator, and so forth. At the European level, oversight of critical ICT providers is conducted by the European Supervisory Authorities (EBA for banking, EIOPA for insurance, ESMA for capital markets). Financial entities must report major ICT incidents to their national competent authority, which in turn notifies ENISA and the relevant ESA.
Getting Started: Priority Actions for Financial Entities
- Conduct an inventory of all ICT suppliers (hosting, CRM, payments, email, analytics) and assess the risk of each.
- Verify that ICT supplier contracts contain the clauses required by DORA (Art. 30).
- Update your privacy policy and GDPR documentation to address ICT-related aspects.
- Implement or update ICT incident management procedures, including reporting timelines to the supervisory authority.
- Ensure the entity's website contains ICT security information and a contact channel for vulnerability disclosures.
- Plan annual web infrastructure vulnerability tests as part of the digital resilience testing programme required by DORA.