DORA is an EU regulation that imposes stricter cybersecurity requirements on financial institutions and their IT and technology providers.
Curious whether your organization meets DORA requirements? Keep reading to get an overview of the regulation’s key obligations and our approach to implementation.
DORA (Digital Operational Resilience Act) was adopted by the European Union on 28 November 2022 and entered into force on 17 January 2025, after a two-year implementation phase. As a key component of the EU’s financial cyber resilience strategy, DORA applies to financial entities as well as their essential ICT service providers.
DORA aims to strengthen the ability of financial institutions to endure, manage, and recover from major ICT disruptions. While similar in intent to NIS2, DORA is tailored to the financial sector, addressing its unique operational and technological dependencies.
DORA was created to strengthen the digital and operational resilience of the financial sector. The regulation is designed to ensure that financial institutions and their technology providers are better equipped to prevent, withstand, and respond to cyber threats and system disruptions. The overarching goal is to safeguard the stability of the financial system through robust ICT risk management and response capabilities.
Enhancing cybersecurity and reducing organizations’ digital vulnerabilities
Minimizing the risk of severe and costly cyberattacks
Streamlining and standardizing incident reporting and response procedures
Promoting a risk-based approach to cybersecurity through continuous evaluation
Strengthening collaboration and information sharing among stakeholders across the EU
Increasing trust in financial entities through clear documentation and regulatory compliance
DORA applies to a wide range of financial entities and their ICT service providers, including but not limited to:
Credit institutions, investment firms, and payment institutions
Electronic money institutions
Insurance and pension companies
Central securities depositories and credit rating agencies
Providers of services related to crypto-assets
Crowdfunding service providers
Third-party providers of IT security services and cloud solutions
The Digital Operational Resilience Act (DORA) builds upon and expands existing regulatory requirements by introducing new obligations for the organizations it covers. Even organizations with prior compliance experience at the national or international level may find that DORA introduces new and broader requirements that demand renewed attention.
To meet the requirements of the regulation, it is essential for financial organizations to recognize the need for digital and operational resilience. Regardless of the organization’s current maturity level, it is important to initiate — or intensify — efforts to build this resilience. A good starting point is to conduct a gap analysis to identify discrepancies between existing processes and the requirements set forth in the DORA regulation.
At Leave a Mark, we have experience implementing multiple security standards alongside DORA.
Should you need advice or assistance with the implementation, you're welcome to contact us via the link below or call us directly for a non-binding consultation on +45 535 27000.
We begin by analyzing how the DORA regulation specifically impacts your organization. Through workshops and a review of existing documentation, we identify the obligations that apply to you. We then carry out a gap analysis to determine the difference between your current level of cybersecurity and the requirements set by DORA.
Drawing on the findings from the analysis, we establish a structured risk management framework. This includes identifying systems, processes, and interdependencies, and evaluating their operational resilience. We then create tailored policies and procedures to manage risks proactively and reactively in alignment with DORA’s expectations.
A key requirement of the regulation is to carry out foundational testing of digital operational resilience through Threat-Led Penetration Testing (TLPT). These tests are designed to assess the organization’s infrastructure by uncovering and exploiting vulnerabilities, mimicking the techniques and objectives of actual threat actors.
DORA introduces stricter requirements for the oversight of external service providers. Based on risk assessments of these vendors, appropriate controls must be established, and security and oversight obligations must be embedded into both existing and future contracts. We help you gain a clear overview of your supply chain and implement risk-based monitoring of your critical ICT providers.
We implement clear procedures for documenting and reporting major incidents — both internally and externally. This includes establishing communication channels, documentation formats, and timelines that comply with DORA’s requirements for rapid and structured reporting.
Cybersecurity is not solely an internal discipline. That’s why we also advise on how to establish effective policies and practices for receiving and sharing relevant threat intelligence — both within your organization and in collaboration with industry networks and public authorities.
© 2025 Leave a Mark Consulting Group ApS
CVR: 39411458