As financial data grows rapidly in volume and complexity, banking & finance firms are pushed to adopt new methods to store and manage sensitive data efficiently.
Initially, many firms relied on traditional on-prem systems. Later, some adopted a cloud-based approach to manage data while others went on with a hybrid approach combining both on-prem and cloud. These methods enabled scalable, fast, and cost-effective data handling.
On the downside - along with making many aspects easier in finance, the chances of confidential data being exposed and compromised systems also increased. This was primarily due to the increased attack surface because of data going outside the internal network – due to cloud adoption.
Without strong and reliable data protection, the financial ecosystem becomes fragile, putting consumer trust, business stability, and overall economic growth at risk.
The European union established compliance regulations to ensure that data is not only stored effectively, but also protected, monitored, and handled responsibly. Frameworks such as GDPR, NIS2, and DORA ensure data security for their citizens and a stabilized economy.
What is DORA?
The European Union (EU) implemented a compliance mandate regulation called DORA which stands for Digital Operational Resilience Act aiming at strengthening the IT security and operational resilience of financial entities. It was enforced on the 17th of January, 2025.
What is the focus of DORA?
DORA requires banks and other entities in the financial sector to ensure cyber resilience and can help the sector to withstand, respond and recover from breaches. The main goals of the DORA regulation are to ensure:
- Protection of the customer data
- Services continue despite cyberattacks and system failure
- Firms detect and report major ICT-related incidents
What organizational and technical areas are within the scope of DORA?
DORA covers both technical and governance areas of financial organizations, addressing everything from IT infrastructure and security operations to third party vendor oversight and executive accountability. By including third party ICT vendors in its scope, DORA ensures that the external partners meet resilience standards along with the financial institutions. The inclusion makes it one of the most comprehensive and robust regulatory frameworks in the financial sector.
What are the financial entities and providers covered by DORA?
The entities in the financial sector that come under the scope of DORA include
- Credit rating agencies
- Payment and e-money institutions
- Investment firms
- Crypto-asset service providers
- Commercial and cooperative banks
- Insurance and reinsurance companies
The infrastructure entities and external ICT providers that support financial institutions are required to comply with DORA along with the organizations in the financial sector to maintain digital operational resilience. Some of them include
- Trading venues
- Crowdfunding platforms
- Benchmark administrators
- Cloud service providers
- Software vendors
- Cybersecurity firms
- Data centers
- Managed Service Providers (MSPs)
What are the foundational pillars of DORA for digital resilience?
DORA’s structure is built around five core pillars. These pillars help financial institutions to identify, manage, and mitigate ICT risks. The detailed description of each pillar is given below:
1. ICT Risk Management
This requirement is to ensure that a comprehensive internal framework is in action in accordance with the size and complexity of the firm to identify, manage, and monitor ICT risks across different operations.
What it deals with:
- Maintenance of an inventory related to all ICT systems
- Setup of detailed continuity planning
- Regular ICT audits in organizations
- Integration of security controls
- Continuous monitoring and detection of risks
- Maintenance of backup and restoration testing
2. ICT-related Incident Response
The financial entities must have structured processes to monitor, detect, manage, report, and share information about ICT-related incidents. The goal is to minimize disruption and maintain operational resilience in organizations at the time of cyberattacks, system failures, and third-party outages.
What it deals with:
- Detection and containment of ICT incidents
- Minimize impact on clients, markets, and operations
- Report major incidents within strict frameworks
- Use of incidents for continuous development
3. Digital Operational Resilience Testing
To ensure that financial firms regularly conduct tests on ICT systems, processes and controls with real-world scenarios regarding data security to detect vulnerabilities, set up response defense mechanisms, and maintain business continuity.
What it deals with:
- Penetration testing to test defenses
- Cross-functional coordination while testing
- Maintain detailed test plans and results
- Report critical findings to supervisory authority
4. ICT Third-party Risk
The aim is to identify, assess, manage, and monitor risks arising from the dependencies on third-party ICT service providers, those involved with critical functions specifically.
What it deals with:
- Inventory of all third-party providers and services used
- Contractual requirements with ICT providers
- Business continuity and exit strategies
- Risk assessment and centralized oversight
5. Information Sharing
To ensure the promotion of collaborative cyber resilience by allowing financial entities to share information on cyberthreats, vulnerabilities, and such risk factors with each other in a secure way. This aspect is designed to strengthen defenses in a collective manner across all financial entities in Europe.
What it deals with:
- Engagement of entities in information sharing communities
- Confidentiality agreements and non-disclosure arrangements
How will non-compliance with DORA affect the financial sector?
Financial entities within the EU face many problems when they are not compliant with DORA. Some of the consequences are mentioned below:
1. Administrative fines
Regulatory authorities in the EU can impose financial penalties on the organizations in case of breaches as it stresses the security strength of the data stored within the firms.
2. Restrictive measures
Regulators revoke licenses or authorizations of an entity, restrict critical operations that involve non-compliant ICT systems, and impose temporary bans on entities using certain third-party providers to eliminate risks.
3. Reputational damage
This has a major impact on the trust customers hold, confidence in investors, strength of partnerships, and the firm’s reputation and image in the market.
4. Increased regulatory scrutiny
Non-compliance would result in frequent audits, comprehensive vulnerability checks, on-site inspections, and many more obligations. The entities would be required to implement the remediation plans within the strict deadlines provided to ensure data safety.
5. Liability of senior management
The management body of the respective entity is held accountable for oversight of operational resilience.
Differences between DORA and other regulatory compliances
The table given below highlights how DORA differs from other regulatory acts across focus, entities, and risk-related aspects.
| Aspect | DORA | NIS2 | GDPR |
|---|---|---|---|
| Primary Focus | ICT resilience, digital operational continuity, and risk containment | Cybersecurity posture and resilience of critical digital infrastructure | Protection of personal data and privacy rights |
| Target Entities | Financial firms, third-party ICT service providers | Operators of significant services such as health, finance, and cloud providers | Any organization that deals with personal data of EU citizens |
| ICT Risk Management | Mandatory and extensive including comprehensive frameworks and monitoring | Mandatory security policies, access control, risk-based measures | Focus is limited to ensuring that personal data is safe |
| Third-party Risk Management | Strict oversight towards operational resilience, conduct risk assessments, contracts, audits, and exit plans | Required to secure supply chain and vendor controls | Only for data processors (limited to privacy-related terms) |
| Incident Reporting | Mandatory tiered reporting to financial regulations with described timelines | Report significant cyber incidents quickly to mitigate the loss and manage the incident | Mandatory to report personal data breaches within 72 hours |
| Testing Requirements | Required to conduct threat-led penetration testing, disaster recovery (DR) drills, and resilience testing | Not strictly required, but testing is expected to mitigate the risks | Not required |
In the era where a huge portion of the data is stored in a digital form, including confidential details related to significant sectors such as finance, DORA not only helps in securing the data but also makes sure that there is operational continuity and a detailed risk management process setup in case of a data breach. DORA helps maintain long-term trust and operational resilience between entities and plays a major role in ICT risk management within the financial sector.
How Securden Unified PAM helps organizations align with DORA?
Securden Unified PAM helps organizations in the financial sector to comply with DORA by continuously assessing risks of privileged access in the ICT sector.
It helps enforce the principle of least privilege by limiting access to sensitive banking information and allocating access only when legitimate requirements arise. The risks associated with third-party providers can be handled with the aid of vendor access monitoring critical systems securely.
Privileged user activity can be monitored for anomalous behavior, and business continuity is ensured with high availability, and automated backups.
![What is Cloud PAM? [Definition, Features, Benefits, and Factors to Choose the Right One]](/images/cloud-pam/cloud-pam-blog-image.webp)
