
Digital Operational Resilience Act Compliance: A Guide on Data Mapping

Regulations | James Grieco | Dec 11, 2024 | 5 min read

The European Union’s Digital Operational Resilience Act, aka DORA, entered into force in January 2023, and as of January 17, 2025, will become fully applicable, with operational mandates live. The law, designed to revolutionize how the digital infrastructure of financial institutions is managed, covers a variety of cybersecurity and privacy areas, primarily Information and Communication Technology (ICT) risk management, third-party risk management, incident response, and information sharing.

What is DORA?

The Digital Operational Resilience Act establishes a comprehensive set of requirements for financial entities to strengthen their technological risk management. The regulation compels organizations to develop more modern and sophisticated strategies for identifying, mitigating, and responding to potential digital disruptions, from implementing rigorous data governance protocols and creating detailed incident response mechanisms to establishing systematic testing procedures that uncover possible vulnerabilities.

Given the immense amount of sensitive data the Financial Sector handles every minute of every day, the industry faces nearly unmatched privacy and cybersecurity threats. DORA aims to serve as a critical response to this reality, recognizing that digital resilience is now essential to operations.

How did DORA come to be?

Back in 2020, amidst rising cyber attacks and data breaches, the European Systemic Risk Board (ESRB) set out to study systemic cyber risk in the European Union’s financial sector. The report the ESRB published found that risks primarily arose from developments in how modern networks operate, including vulnerabilities such as the high level of interconnectedness across financial organizations, the ease of connections across third-party suppliers, and the resulting chance that these vulnerabilities could lead to a domino effect in the case of a sophisticated cyber attack.

In the aftermath of the report, the EU created DORA. As a regulation, DORA will be enforced within the financial sector regardless of what any member state does, and some EU countries may apply more restrictive conditions on top of it.

While the scope of DORA focuses on traditional financial institutions, it will also cover third-party ICT service providers to create a holistic approach to digital operational resilience. That means DORA will attempt to bring comprehensive risk management into the present day, featuring mandatory incident reporting and response mechanisms, more rigorous and proactive testing requirements, and expanded oversight.

TLDR: Who Must Comply with DORA?

  • Financial institutions
  • Banks
  • Insurance companies
  • Investment firms
  • Payment service providers
  • ICT third-party service providers
  • Information-sharing platforms
  • Financial institution infrastructure providers

DORA Compliance Requirements

Covered entities must establish and upkeep:

  • ICT Risk Management Framework
  • Advanced Data Governance Operations
  • Testing and Operational Resilience Procedures
  • Risk Assessment & Management for Third-party vendors
  • Incident Reporting and Response Procedures 

These requirements are not brand new, merely updated and more rigorous versions of what in most cases already exists in the financial sector and beyond, but heightened compliance stakes mean data security, privacy, and protection will become paramount in 2025 and beyond.

New, comprehensive frameworks for ICT risk management, operational resilience protocols, and incident response and reporting will require clear roles, a more refined cybersecurity strategy, and regular check-ins and tests to verify protocols are working as intended. 

A more nuanced challenge will be incorporating these requirements into the compliance frameworks organizations already have in place for regulations like the GDPR, the EU’s chief data protection law.

Navigating DORA through Data Mapping

Given the enormous size of modern data stacks and the evolving complexities of both managing data governance and defending against potential cyber attacks, any organization that needs to comply with the Digital Operational Resilience Act is going to need two key things:

  • A comprehensive, continuous data map
  • A single source of data truth within the org

Why a data map? It provides continuous monitoring, a collaborative data environment, and a baseline for record-keeping, supporting either quick, high-level oversight or deep, analytical oversight depending on the situation.

If you have the right data mapping capabilities, such as on the MineOS platform, your organization’s data map can serve as a single source of truth. This allows cybersecurity, IT, legal, compliance, and privacy teams to all understand the scope of data processing and collection within the org, while also providing a snapshot of the third-party vendors connected to your data flows.

Armed with this information and visibility, updating existing GDPR-compliant data infrastructure to incorporate new risk management and operational resilience procedures will be much more doable than if you were operating without a comprehensive data map. 

Interested in seeing how MineOS’ data discovery uncovers up to 95% of your data sources, leading to more thorough third-party vendor tracking and risk assessment? Book a call to see the system in action.