
04.29.2025

DORA Regulation at a Glance: What Companies Need to Know About DORA

DORA Regulation and Its Consequences

The DORA Regulation (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is an EU-wide regulation that aims to strengthen the digital operational resilience of the financial sector. It was adopted on December 14, 2022, and entered into force in January 2023. Because it is a regulation rather than a directive, it applies directly in every member state without national transposition; financial entities have had to meet its requirements since January 17, 2025.

Compliance with DORA is therefore a mandatory step for financial institutions, and a practical one: its requirements are designed to reduce cyber and ICT risk over the long term rather than merely to satisfy supervisors.

Who is affected by the DORA regulation

The DORA regulation applies to financial entities across the EU. Article 2 of the regulation lists the entities in scope, including:

  • Credit institutions and payment institutions,
  • Insurance and reinsurance undertakings and intermediaries,
  • Investment firms,
  • Account information service providers,
  • E-money institutions,
  • Crypto-asset service providers,
  • Fund management companies,
  • Credit rating agencies,
  • Securitization repositories,
  • Institutions for occupational retirement provision,
  • and many other financial entities.

ICT third-party service providers to these companies (e.g., cloud providers) are also affected: their customers must flow DORA's contractual requirements down to them, and providers designated as critical are placed under a direct EU oversight framework. Across the EU, the requirements of DORA apply to more than 22,000 organizations.

Five pillars of DORA

1) DORA ICT risk management

DORA mandates a documented ICT risk management framework, approved and overseen by the management body, for identifying, assessing and mitigating ICT-related risks.

With Athereon GRC, you identify and assess risks according to a standardized risk management process and link them to assets, vulnerabilities, and measures in a central control system.

2) Reporting of ICT incidents

Under DORA, financial entities must detect, classify and record ICT-related incidents and report major incidents to the competent authority within prescribed deadlines; significant cyber threats may be reported voluntarily.

Athereon GRC supports you in the documentation, classification and handling of security incidents, including escalation mechanisms, root cause analysis and reporting functions.

3) Digital operational resilience testing

DORA also requires a regular testing program, ranging from vulnerability assessments and scenario-based tests to penetration tests, to verify that ICT systems and business continuity arrangements actually hold up under stress.

Athereon GRC maps your BCM processes in clear diagrams so that critical business processes and emergency procedures can be maintained in accordance with ISO 22301.

4) ICT third-party risks

Under DORA, managing the risks that arise from ICT third-party providers is mandatory: due diligence before contracting, prescribed contractual provisions, a register of information on all ICT third-party arrangements, and documented exit strategies.

With Athereon GRC, you can integrate service providers into the risk and control system, including evaluation and monitoring of outsourced ICT services.

5) Information sharing

DORA also encourages financial entities to exchange cyber threat information and intelligence with one another, within trusted communities, to strengthen the collective resilience of the sector.

Athereon GRC improves auditability and governance through audit-proof documentation, management-level reporting, audit trails, and support in producing DORA-compliant reports for supervisory authorities.

Deadline for implementation

Following the adoption of the regulation, companies were required to fully implement the requirements of DORA by January 17, 2025. The extended deadline for submitting the registers of information to BaFin expired on April 28, 2025.

In December 2024, a further German law was passed that extends the DORA requirements to additional institutions supervised by BaFin. The institutions and organizations brought into scope by this legislation have until January 1, 2027, to implement the requirements. Until then, the BAIT (BaFin's supervisory requirements for IT), which are otherwise being phased out, continue to apply to them.

Consequences of failing to implement DORA regulation

Financial penalties

DORA leaves the administrative penalties for financial entities to national law (Article 50), so supervisory authorities such as BaFin impose fines under their own national legislation, with the amount depending on the severity of the violation; depending on the member state, these can reach up to 10% of the company's total annual turnover. Critical ICT third-party providers that fail to cooperate with the EU oversight framework face periodic penalty payments of up to 1% of their average daily worldwide turnover.

Business operations restrictions

In cases of serious or persistent violations, supervisory authorities may restrict the business operations of the company concerned or prohibit the use of certain ICT systems or service providers.

Reputational damage

Non-compliance can damage the trust of customers, partners and investors and have long-term effects on a company's market position.

Increased cyber risk

Without DORA-compliant safeguards, companies remain more exposed to cyberattacks and ICT disruptions, which can lead to data loss, financial losses, and further regulatory consequences on top of the penalties for non-compliance itself.

Conclusion

DORA is an EU-wide regulation designed to strengthen the digital operational resilience of the entire financial sector, affecting more than 22,000 organizations. Its implementation in 2025, or at the latest by 2027 for the institutions added under national law, presents significant challenges, but also an opportunity to raise the level of resilience across the entire financial industry in a world of increasingly complex cyber risks.

Athereon GRC offers comprehensive solutions to support companies in implementing and complying with the DORA regulation. Through tailored consulting and proven strategies, Athereon GRC enables organizations to sustainably strengthen their digital operational resilience.

Book a free consultation appointment today.

Would you like to learn more?

Book a no-obligation demo appointment with our team to analyze your individual use case with us.