Digitization and technical innovation create plenty of opportunities for the financial industry, but they certainly also entail risks. To curb these risks, the European Union has designed regulations to increase the digital resilience of this important sector: the Digital Operational Resilience Act (DORA).

The Dutch Authority for the Financial Markets (AFM) expects this regulation, which the European Council is currently discussing, to enter into force at the end of 2022 or early 2023. But what exactly does DORA mean? What does the EU law mean for companies active in the financial industry? And how can these companies prepare for the new legislation? Read on for the answers to these pressing questions.

What is DORA?

With DORA, the EU aims to create a unified legislative framework in the field of cybersecurity in the financial sector. At present, the rules in this area are fragmented or limited. Sometimes rules only apply at the national level or there are no rules at all, leading to inconsistency in regulations between different EU Member States. The consequence? More cyber risks and unnecessary costs for financial institutions, but also uncertainty about the rules that apply in certain countries or regions.

The European Commission (EC) has formulated three main objectives for DORA:

  • Harmonize the fragmented rules on digital resilience in the EU.
  • Create a basic framework for financial organizations for which there are no regulations yet. This gives those companies clarity and reduces the chance of cyber risks or compliance problems.
  • Better risk mitigation. This is done by largely outsourcing core cybersecurity tasks to external service providers (third parties) who are specialized in the matter.

What is the impact of DORA on financial institutions?

DORA sets requirements for financial organizations in the field of IT risk management, IT incidents and periodic testing of digital resilience. The regulations take into account the size, risk profile and systemic importance of an organization. DORA therefore places higher demands on security awareness and demands more from financial organizations when it comes to cyber risks.

How to prepare your organization for DORA

Although the law will most likely not come into effect until the end of this year or early next year, financial institutions would do well to prepare for the implementation of the new European rules. This can be done, for example, by critically charting your current security landscape and comparing it to the goals and content of DORA. This way you can quickly see the impact of the new regulations on your organization. Good gap assessments show you where the shoe pinches and where you still need to invest in more digital maturity and extra security. It is especially important not to wait too long with the implementation: now is the time to carefully prepare and get things started.


Could you use the expertise of a specialist when preparing for DORA? Then you have come to the right place at INTERMEDIATE. You can approach us for interim professionals who would like to help you make preparations for the new legislation. Interested?

Feel free to contact us.

This article was only a brief overview of DORA. However, we will certainly be writing more about this important regulation in the near future. This article was written by Remco Spruyt.