The modern financial sector is heavily dependent on Information and Communication Technologies (ICT), which means that any failure, cyberattack, or system disruption can threaten the stability of the entire financial market.
The DORA Regulation introduces uniform digital resilience standards across the entire European Union, enabling financial institutions to respond faster to incidents and mitigate their impact more effectively. New regulations mandate the creation of consistent security processes — from risk management and resilience testing to reporting and information sharing — thereby building the foundations of a modern, secure financial infrastructure.
What is the DORA Regulation?
DORA (Digital Operational Resilience Act) is Regulation (EU) 2022/2554 of the European Parliament and of the Council, which establishes a uniform framework for the digital operational resilience of financial sector entities. Its goal is to ensure that all financial institutions in the European Union are prepared for technological disruptions, cybersecurity incidents, and IT system failures.
Regulation (EU) 2022/2554 (DORA) was formally adopted in December 2022 and entered into force on January 16, 2023. However, the key date for the financial sector is January 17, 2025. From this day forward, the DORA Regulation is applicable throughout the European Union, meaning that all financial entities and their critical ICT third-party service providers must be in full compliance with the new requirements.
In Poland, the national act ensuring the application of DORA and clarifying supervision matters entered into force on August 7, 2025. This act detailed the competencies of the Polish Financial Supervision Authority (KNF) as the supervisory body, introduced administrative sanctions, and defined national procedures for incident reporting and ICT provider notification.
Why is DORA so important?
In the era of digital transformation, the financial sector relies immensely on technology. A banking system failure, a ransomware attack, or a disruption in key IT services can paralyze an institution's operations and threaten market stability.
DORA aims to prevent this — it unifies digital resilience standards across the European Union. The new rules not only increase the security and stability of financial infrastructure but also build the trust of customers and business partners. For technology companies, especially cloud service providers and fintechs, DORA is also an opportunity — compliance with regulatory requirements confirms their credibility and enables collaboration with the largest financial institutions in Europe.
Who is covered by the DORA Regulation?
DORA covers over 20 categories of financial entities, including:
- banks and credit institutions,
- investment firms and investment fund management companies,
- insurance and reinsurance undertakings,
- payment institutions, fintechs, and credit information bureaus,
- exchange operators, clearing houses, and trading venues,
- crypto-asset service providers,
- cloud service providers and other ICT firms providing services to the financial sector.
Although DORA focuses on the financial sector, it also includes ICT third-party service providers collaborating with financial institutions — especially if these providers are critical to the institutions' operations.
In practice, this means that a technology company providing cloud services, data centers, software (SaaS), or other ICT components may be required to adapt parts of its processes, contracts, oversight, and compliance to support financial sector clients in meeting DORA requirements. In some cases, these companies may also be subject to direct EU oversight.
Who is responsible for DORA implementation in an organization?
The management body of the financial institution is responsible for the full implementation and maintenance of compliance with DORA requirements. This responsibility is direct and cannot be delegated solely to the IT department or external providers.
The Management Board is obligated to:
- define and approve the ICT risk management framework and cybersecurity strategy,
- oversee the implementation and effectiveness of security mechanisms,
- ensure the financial and human resources necessary to meet DORA requirements,
- organize training and build awareness among employees regarding technological risk.
This means that cybersecurity and operational resilience issues become a strategic duty of leadership rather than just a task for technical departments. In practice, DORA requires digital security to be permanently embedded in the organization's management culture.
Key Obligations under DORA
The DORA regulation is based on five pillars of digital resilience that create a comprehensive framework for managing technological risk in the financial sector.
1. ICT Risk Management
This is the foundation of the entire DORA regulation. Every organization is required to implement an integrated ICT risk management system that includes:
- identification, classification, and assessment of all business functions and ICT systems, including critical and important ones,
- mapping dependencies between systems, data, and providers,
- developing information security policies, incident response procedures, and business continuity plans (BCP/DRP),
- regular reviews and updates of security strategies based on changes in the technological environment.
In Poland, this obligation is supervised by the Polish Financial Supervision Authority (KNF).
2. ICT Incident Reporting
DORA introduces unified rules for monitoring, classifying, and reporting cybersecurity incidents. Financial institutions must have procedures to:
- categorize incidents (including identifying "major ICT incidents"),
- document and analyze the impact of every event,
- report major incidents to the relevant supervisory authority — in Poland, the KNF — within specified, short deadlines.
Reporting takes place via national systems: the DORA Reporting System (SSD) and the KNF CSIRT Incident Handling System.
3. Operational Resilience Testing
Every financial institution must regularly test its ability to operate in crisis situations. DORA mandates digital resilience testing, including:
- penetration tests, scenario-based tests, and vulnerability analyses,
- simulations of system failures, data loss, or cyberattacks,
- assessment of the effectiveness of incident response procedures and BCPs.
For systemically important entities, TLPT (Threat-Led Penetration Testing) is mandatory every three years, conducted by independent auditors or specialized red-teaming units.
4. ICT Third-Party Risk Management
DORA places heavy emphasis on managing risks associated with external providers. Every financial institution must:
- maintain a register of all outsourcing agreements, highlighting those involving critical or important functions,
- analyze concentration risk (e.g., relying on a single cloud provider),
- ensure audit rights for the institution and supervisory bodies,
- include clauses in ICT contracts regarding security, reporting, data processing locations, and exit plans.
Key technology providers may be subject to direct oversight by the EBA or ESMA.
5. Information Sharing and Cooperation
The final pillar promotes the exchange of cyber threat intelligence between financial institutions, ICT providers, and supervisory authorities. While voluntary, this cooperation is strongly recommended to increase the effectiveness of responses to new types of threats.
DORA in Poland – Implementation and National Compliance Oversight
As of January 17, 2025, the DORA Regulation is fully applicable in all European Union member states. In Poland, its implementation is ensured by the Implementing Act of August 7, 2025, which clarifies national rules for supervision and enforcement of the regulations.
According to the Act:
- The Polish Financial Supervision Authority (KNF) serves as the primary supervisory body for the implementation of DORA.
- Administrative and financial sanctions have been introduced for violations of the obligations arising from the regulation.
- Detailed procedures for reporting ICT incidents have been established, along with the mandatory use of national systems: the DORA Reporting System (SSD) and the KNF CSIRT Incident Handling System.
- The provisions have been linked with the requirements of the NIS2 Directive, allowing for consistent digital security management across the country.
The KNF is already conducting regular supervisory activities, inspections, and educational initiatives to support financial institutions in the process of adapting to DORA requirements. Every organization operating in this sector must be prepared for compliance audits and ongoing reporting of its activities in the area of digital resilience.
How to Prepare Your Organization for Full Compliance?
- Conduct a Compliance Audit – identify gaps in current systems and policies.
- Update Policies and Procedures – supplement them with BCP/DRP and reporting duties.
- Implement an Incident Management System – prepare for rapid detection and KNF reporting.
- Review IT Vendor Contracts – include exit plans and audit clauses.
- Organize Training – ensure the board and IT teams understand their ICT risk duties.
- Regularly Test Digital Resilience – perform technical tests and TLPT where required.
Contact us to learn more about how to prepare your organization for DORA requirements. We will help you implement the new regulations, increase digital resilience, and ensure full compliance with European operational security standards.
Why is DORA not just an obligation, but an opportunity?
While DORA requires significant investments, it is a strategic investment in the security and credibility of the organization. Institutions that successfully adapt gain a competitive advantage, being perceived by clients and partners as secure and reliable market players. DORA enables the building of a security culture where ICT risk management becomes an integral part of the organization's growth strategy.