DORA Guide: Key Insights & Compliance Best Practices
- The Bluemetrix Team

- Jul 9
- 8 min read
Updated: Jul 28

What is DORA? Your 2025 Guide
DORA (Digital Operational Resilience Act), proposed in 2020 as part of the EU Digital Finance Package and adopted in December 2022 as Regulation (EU) 2022/2554, is a landmark regulation focused on strengthening how financial institutions manage ICT and cyber risk. Its aim is that every entity in the financial sector can stay operational and secure through severe ICT-related disruptions such as cyberattacks, system failures, and third-party outages.
Rather than a patchwork of local rules, DORA sets a unified standard for technological and operational resilience across EU member states. It demands that data, technology and compliance leaders in financial services treat governance, testing, and cybersecurity as a continuous discipline rather than a documentation exercise. The requirements have to be met not only in steady state but, above all, during periods of stress or disruption.
This article explores the key requirements and obligations under DORA, common challenges, and best practices for achieving compliance now that the regulation has applied since 17 January 2025.
What are the key pillars of DORA?
DORA is built on five core pillars, each focused on a distinct area of digital and operational readiness.
Pillar 1: ICT Governance and Risk Management
This pillar requires a sound, documented ICT risk management framework covering identification, protection, detection, response and recovery. Responsibility sits with the management body, which must define, approve and oversee the framework, keep it reviewed at least annually (and after major incidents or audit findings), and ensure it reflects the institution's business model and risk appetite rather than existing only on paper.
Pillar 2: Incident Detection and Reporting
DORA requires institutions to detect, classify, and report ICT-related incidents in a structured and timely manner. This includes identifying anomalies, vulnerabilities, and cyber threats that may compromise data confidentiality, system integrity, or operational continuity.
Incidents classified as major under DORA's classification criteria (clients affected, duration, geographic spread, data losses, criticality of services and economic impact) must follow a strict reporting timeline:
Initial notification: within 4 hours of classifying the incident as major, and no later than 24 hours of becoming aware of it
Intermediate report: within 72 hours of the initial notification, with further updates whenever the status or handling changes significantly
Final report: within one month of the intermediate report (or of its latest update)
These reports must follow the templates and standards set by the European Supervisory Authorities (ESAs), and are submitted to the national competent authority.
Pillar 3: Digital Operational Resilience Testing
Testing is a core component of DORA. Institutions are required to maintain a digital operational resilience testing programme, proportionate to their size and risk profile, that validates their preparedness through simulations, assessments, and independent reviews.
At a minimum, this involves:
Vulnerability assessments and penetration testing, with all ICT systems supporting critical or important functions tested at least once a year
Scenario-based tests, gap analyses and source code or network security reviews as appropriate
For entities singled out by their competent authority on the basis of impact, systemic character and ICT risk profile, DORA additionally mandates Threat-Led Penetration Testing (TLPT) at least every three years, following the TIBER-EU approach and performed by testers who meet DORA's qualification and independence requirements.
Pillar 4: Oversight of Critical Third-Party ICT Providers
DORA introduces enhanced obligations for institutions that outsource critical ICT functions. Financial entities remain fully responsible for the performance and resilience of their service providers, including any subcontractors.
In the pre-contract phase, firms must assess vendor risks by considering factors such as security capabilities, geographical exposure, concentration risk, and subcontracting chains. Contractually, all ICT arrangements must be formalized in writing and include provisions for performance monitoring, audit and access rights, incident support, and exit strategies. Every arrangement must also be recorded in the institution's register of information, which competent authorities can request at any time.
For the post-contract phase, institutions must continuously monitor vendor performance through Service Level Agreements (SLAs), regular reviews, and oversight of downstream subcontractors.
Pillar 5: Threat Intelligence and Information Sharing
Recognizing that cyber threats are increasingly systemic, DORA allows financial entities to exchange cyber threat information and intelligence (indicators of compromise, tactics and techniques, alerts) within trusted communities. Participation is voluntary, but any arrangement must protect the confidentiality of what is shared and comply with data protection and competition rules, and entities must notify their competent authority when they join or leave such an arrangement.

Who does DORA apply to?
DORA applies to a broad range of financial entities operating within the EU, including banks, investment firms, asset managers, credit and payment institutions, crypto-asset service providers, insurance firms, pension funds, and more. ICT third-party service providers that the ESAs designate as critical fall directly under DORA's oversight framework; other providers are affected indirectly, because their financial-entity customers must impose DORA's contractual requirements on them.
While DORA is an EU regulation, non-EU entities may also be affected. Organisations headquartered outside the EU may still fall within its reach if their operations or ICT infrastructure support EU-based financial activities. Some organisations outside the EU also adopt DORA standards voluntarily, for better resilience or for operational simplicity across jurisdictions.
What are the benefits of implementing DORA?
Implementing DORA with intention delivers far more than compliance. Through our hands-on experience supporting DORA projects and discussions, we’ve seen tangible benefits unfold:
Elevating ICT risk to the boardroom. Where ICT risk was once considered an IT or security function, DORA mandates its integration into enterprise risk management, and with board-level ownership. This shift enables stronger alignment between business strategy and risk posture.
Unifying incident response. Many financial institutions previously operated with siloed incident response processes: IT handled outages, compliance dealt with regulators, and business continuity teams acted reactively. DORA's classification criteria and reporting clocks push firms to unify these workflows, and automating them is the practical way to hit the deadlines consistently.
Strengthening third-party oversight. With accountability extended to third-party providers, institutions are now required to reevaluate contracts, service levels and exit plans. Perhaps cases like the recent Marks & Spencer breach would be less likely today.
Operationalising resilience testing. DORA mandates structured, scenario-based exercises and TLPT. Institutions that embrace this shift find long-term value in operational readiness.
Simplifying multi-jurisdictional compliance. For institutions operating across multiple EU jurisdictions, DORA brings regulatory clarity. It reduces the complexity of managing multiple national frameworks.
Boosting trust and reputation. Resilience is fast becoming a trust signal. Institutions that meet or exceed DORA expectations can differentiate themselves in the eyes of regulators, partners, and customers.
What penalties do financial institutions face for DORA noncompliance?
As of 17 January 2025, DORA is fully applicable across the EU, and all in-scope financial institutions must comply or face consequences. DORA itself does not fix a single fine for financial entities; it leaves administrative penalties and remedial measures to the national competent authorities under Article 50, which can include public reprimands, orders to cease conduct and financial penalties set in national law. For critical ICT third-party providers, the Lead Overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover for up to six months. Failures in incident reporting, ICT risk governance, and vendor oversight are the areas most likely to attract supervisory action.
Compliance also involves key jurisdiction-specific deadlines. The ESAs asked national authorities to collect financial entities' registers of information on contractual ICT arrangements by 30 April 2025, though some NCAs set earlier submission dates, e.g. France (15 April), Germany (11 April), and Italy (30 April). Proactive alignment with these requirements will be critical to avoiding disruption and demonstrating operational resilience.
Best practices for DORA compliance
Achieving DORA compliance begins with evaluating your current operational resilience and data posture and improving it through a step-by-step plan that delivers measurable results. Let's take a look at some of the technological recommendations from our solution architect team to elevate your compliance efforts.
Establish Enterprise-Wide Governance
We have observed that, as a starting point, effective ICT risk and data governance management begins with the ability to govern data across systems, teams, and jurisdictions. While many institutions already have governance policies in place, DORA requires more than policy documentation. Institutional data leaders must demonstrate that these policies are actively enforced at the system level, with clear oversight, traceability, and accountability.
Our experience suggests that institutions should rely on data automation and governance technologies to embed controls directly into diverse departments or data environments. Operationalizing automated governance means that policies can be consistently applied and monitored in real-time, rather than being managed through fragmented processes or static documentation. By coupling with centralized access controls and audit frameworks, institutions can generate system-level evidence of compliance to support ICT risk management expectations and ensure scalable data governance as data estates grow in complexity and distribution.
Reduce Risk Exposure with Data Tokenization
Under DORA, institutions must minimise the exposure of sensitive data across all environments, including production, testing, and transfers to third parties. Tokenization, typically implemented with format-preserving encryption (FPE), is a common control because it substitutes critical data elements (CDEs), such as account numbers or personal identifiers, with tokens of the same length and character set. Because a token keeps the structure of the original value, downstream applications, schemas and validation rules keep working while the sensitive value itself is no longer present in that environment.
Experience tells us that adopting tokenization early in the data lifecycle yields better control over compliance posture. In particular, FPE at the field level combined with conventional encryption of data at rest covers both the field-level protection and the at-rest and in-transit cryptographic controls that DORA's ICT risk management RTS (Commission Delegated Regulation (EU) 2024/1774) expects, and that NIS2 and GDPR likewise reward. This in-place encryption model also integrates into existing architectures without overhauling applications or changing how users and systems work today.
Most importantly, tokenization strengthens cybersecurity posture by reducing the value of stored data to attackers. Because a breach of tokenized data exposes no usable customer data as long as the tokenization key (or token vault) was not compromised in the same incident, institutions may also reduce the scope and severity of DORA incident notifications. The corollary is that key management becomes the strongest link you must protect: whoever holds the key can turn every token back into the original, so keys belong in an HSM or KMS with strict access control and must never sit in the same environment as the tokenized copy.
Remove customer data from all IT systems testing procedures
DORA's ICT risk management RTS (Commission Delegated Regulation (EU) 2024/1774) requires production and non-production environments to be separated and restricts the use of production data in testing: where such data is used at all, it must be protected through anonymisation, pseudonymisation or randomisation. In practice this means that new features added to a mobile app or online application should not be tested against live customer data before they go live.
From our working experience with regulated institutions, format-preserving encryption again provides the practical answer. It enables the creation of an encrypted copy of production data, a "digital twin", that behaves in applications exactly as live data does (same field lengths and formats, same referential relationships between records) while containing no real customer identifiers, which satisfies the RTS expectation without blocking realistic testing.
Embedding FPE into the test data pipeline strikes the right balance: safeguarding customer data without compromising how teams test or validate new features.
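The two sections above (tokenization with format-preserving encryption, and the FPE-based digital twin for testing) describe the same mechanism, so here is one added example that shows both. It is not Bluemetrix code and not from any product; it is a toy format-preserving cipher over digit strings built on the alternating-Feistel structure of NIST FF1 with an HMAC-SHA256 round function, so that it runs on the Python standard library alone. It is not NIST SP 800-38G FF1 and is not reviewed for production use. The field names, the sample customer records and the 16-digit account numbers and PANs are constructed for the example.

```python
"""Toy format-preserving tokenization for a test "digital twin".

Added example (not Bluemetrix code). It uses the alternating-Feistel
structure of NIST FF1 with an HMAC-SHA256 round function so it runs with
the Python standard library only. It is NOT NIST SP 800-38G FF1 and has
not been reviewed for production use: real deployments should use a vetted
FF1/FF3-1 implementation with keys held in an HSM or KMS.
"""
import hashlib
import hmac
import secrets

RADIX = 10   # assumption: the fields tokenized here are digit strings
ROUNDS = 10  # same round count as FF1


def _round_function(key: bytes, tweak: bytes, i: int, half: str, width: int) -> int:
    """PRF for round i: HMAC(key, tweak | i | half) reduced to `width` digits.

    The tweak binds the token to its field, so the same value appearing in
    two columns yields two different tokens.
    """
    msg = tweak + b"|" + bytes([i]) + b"|" + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # 256-bit digest mod 10**width: the modulo bias is negligible for width <= 19
    return int.from_bytes(digest, "big") % (RADIX ** width)


def _check(value: str) -> None:
    if not value.isdigit() or len(value) < 2:
        raise ValueError("expected a digit string of at least 2 characters")


def fpe_encrypt(key: bytes, tweak: bytes, plaintext: str) -> str:
    """Map a digit string to a token of identical length and character set."""
    _check(plaintext)
    n = len(plaintext)
    u, v = n // 2, n - n // 2          # half lengths (unbalanced when n is odd)
    a, b = plaintext[:u], plaintext[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v      # width of the half being replaced this round
        c = (int(a) + _round_function(key, tweak, i, b, m)) % (RADIX ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, token: str) -> str:
    """Invert fpe_encrypt by running the Feistel rounds backwards."""
    _check(token)
    n = len(token)
    u, v = n // 2, n - n // 2
    a, b = token[:u], token[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, i, a, m)) % (RADIX ** m)
        a, b = str(c).zfill(m), a
    return a + b


# Constructed sample records; the account numbers and PANs are made up.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "account_number": "1234567890123456",
     "card_pan": "4111111111111111", "balance_eur": "2500.00"},
    {"customer_id": "C-1002", "account_number": "0098765432101234",
     "card_pan": "5500000000000004", "balance_eur": "13.37"},
]

TOKENIZED_FIELDS = ("account_number", "card_pan")   # hypothetical column names


def build_test_twin(key: bytes, records: list) -> list:
    """Copy records for a non-production environment with sensitive fields tokenized.

    Non-sensitive columns are kept as-is so joins, totals and UI layouts behave
    exactly as with production data; tokens are deterministic per key and field,
    so referential integrity across tables survives tokenization.
    """
    twin = []
    for rec in records:
        copy = dict(rec)
        for field in TOKENIZED_FIELDS:
            copy[field] = fpe_encrypt(key, field.encode("ascii"), rec[field])
        twin.append(copy)
    return twin


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in production: fetched from an HSM/KMS, never deployed beside the twin
    for before, after in zip(SAMPLE_RECORDS, build_test_twin(key, SAMPLE_RECORDS)):
        restored = fpe_decrypt(key, b"account_number", after["account_number"])
        print(before["account_number"], "->", after["account_number"],
              "| round trip ok:", restored == before["account_number"])
```

Two design points matter more than the cipher itself. First, the key stays in production: the non-production environment receives only the twin, so nothing there can be turned back into customer data even if the test estate is breached. Second, the tweak ties each token to its field; if you instead want the same value to tokenize identically across two columns (for a join), pass the same tweak for both. Tokens produced this way will not pass a Luhn check, so if a feature under test validates card check digits, tokenize only the body of the PAN and recompute the check digit, accepting the slightly smaller token space.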
Build for Resilience in Hybrid Cloud Environments
Institutions subject to DORA must account for operational resilience across a patchwork of legacy infrastructure and modern cloud environments. Fragmented architectures with disconnected access controls, inconsistent recovery plans, and siloed visibility create conditions where ICT risks can propagate quickly. To meet DORA's expectations, resilience must be designed into the data architecture from the start: unified failover and disaster recovery strategies, tested recovery time and recovery point objectives, and enough elasticity in the platform to absorb both peak loads and the extra demand of incident response.
In our experience, adopting cloud-native platforms is a strategic move, particularly when those platforms can operate easily across both on-premises and cloud environments without exposing sensitive data. By integrating security, tokenization, and backup policies at the platform level, institutions can ensure continuity of service during outages, automate resilience testing, and reduce operational downtime. These capabilities not only align with DORA’s pillar on resilience testing but also help address third-party risk by maintaining control even when parts of the architecture depend on external service providers.
Use Case
To illustrate the best practices and common challenges in implementing DORA, let's examine a real-world use case:
Cloud Migration with DORA in Mind
A leading financial services provider modernizing its core infrastructure aligned its cloud migration strategy with DORA compliance objectives. The initiative was driven by the data security team's recognition that a cloud migration without resilience planning could leave the institution non-compliant with DORA.
From the outset, data tokenization emerged as a central strategy. By replacing sensitive customer and financial data with non-sensitive equivalents, the institution reduced exposure during storage, testing and development. Combined with additional controls, such as row-level access controls, audit logging, and scalable cloud infrastructure, tokenisation became the institution's primary mechanism for protecting data at rest and in use in line with DORA's ICT risk management requirements.
This use case highlights how forward-thinking institutions embed tokenisation and security into compliance work and use it as a catalyst for secure and agile transformation.
Bottom line
In conclusion, the rewards of DORA are worth the effort. With DORA now fully enforceable, institutions that treat compliance as a foundation for digital resilience are gaining more than just regulatory clearance, they're accelerating modernization and building long-term trust.
While challenges like legacy infrastructure and fragmented governance remain, data and compliance leaders that take a strategic, cross-functional approach are transforming obligations into competitive advantage.
Want to understand how Bluemetrix fits into your DORA compliance plan? Speak to our experts.


