
DORA officially applicable

IT, Privacy & Cybersecurity

30 January 2025

Written by

Jeroen van Helden

As of 17 January 2025, financial entities must comply with the cybersecurity obligations in the Digital Operational Resilience Act (DORA). On the same date, various supervisory-authority guidelines that overlapped with DORA were withdrawn. DORA aims to make the European financial sector as a whole digitally operationally resilient.

A lex specialis for the financial sector 

DORA is a regulation adopted by the Union legislator at the same time as the NIS2 directive. Whereas NIS2, in short, applies to medium-sized and large organizations in sectors considered critical infrastructure, DORA applies to financial entities regardless of their size or scope. Where NIS2 and DORA overlap, DORA is the lex specialis and its obligations take precedence.

Level 1 and Level 2 

DORA itself (level 1) gives the Commission the authority to adopt lower-level regulations. These level 2 regulations (regulatory and implementing technical standards) specify how financial entities must comply with particular obligations in DORA. They are drafted by the European supervisory authorities (EBA, EIOPA, ESMA) and then adopted by the Commission. Some level 2 regulations have already been adopted; others exist only in draft form, have not yet been formally adopted by the Commission and are therefore not yet applicable.

ICT risk management 

Under DORA, financial entities must comply with various obligations, including:

  • They must have a sound, comprehensive and well-documented ICT risk management framework. This framework must consist of the strategies, policies, procedures, protocols and tools necessary to adequately protect data and ICT assets, including relevant physical infrastructure, against ICT risks. 
  • They must have an ICT-related incident management process, record all ICT-related incidents, and report major ICT-related incidents to the competent supervisory authority and, where the incident affects their financial interests, inform their clients. 
  • They must have a sound and comprehensive programme for testing their digital operational resilience. Certain categories of financial entities may also be required to perform additional advanced testing in the form of Threat-Led Penetration Testing (TLPT). 
  • They must have a policy for managing ICT third-party risk (including outsourcing) and perform a risk analysis and due diligence before each contractual arrangement with an ICT service provider. 
  • Contracts with ICT third-party service providers must meet certain substantive requirements. 

Training obligation 

Members of the management body of financial entities are also required to actively maintain sufficient knowledge and skills in the field of ICT risk and cybersecurity, including by attending appropriate training. In this context, we offer a one-day in-company training together with Secura: the DORA boardroom training.

Questions? 

Would you like to know more about DORA or are you interested in our DORA boardroom training? Contact Jeroen van Helden, IT, Privacy & Cybersecurity Lawyer. We would be happy to tell you more.
