DORA Regulation Explanation and What It Means For Your Business

DORA is a recent addition to EU regulation designed to help businesses in the finance industry strengthen their security by monitoring for, identifying, and reacting to incidents that could threaten financial data, and by preventing cyberattacks before they cause damage.
Throughout this article, we will explain the DORA regulation, who it applies to, and how to work towards DORA compliance by implementing new security protocols and choosing secure third-party services.
Table of contents
- What is the DORA regulation?
- Who does the DORA regulation apply to?
- DORA regulation summary: Five key principles
- Requirements of the DORA framework
- DORA regulation best practices
- How Internxt can help you achieve DORA compliance
What is the DORA regulation?
The Digital Operational Resilience Act (DORA) is a European Union regulation designed to increase, improve, and maximise financial entities' security and operational resilience within the EU.
The EU parliament officially designated DORA as Regulation (EU) 2022/2554. The EU parliament voted in favour of the regulation in November 2022, and it was formally adopted by the EU in January 2023 before being fully implemented by companies on January 17, 2025.
Since then, the DORA EU regulation has established a universal framework to manage and mitigate IT risks such as ransomware, malware, data breaches, or service disruptions within the financial landscape.
Who does the DORA regulation apply to?
The DORA regulation applies to the following financial sector organizations and critical third-party service providers that support them.
Financial institutions
Below are the financial institutions the DORA regulation applies to: businesses or organizations involved in economic activities such as the following.
- Banks and credit institutions: Retail, commercial, and investment banks.
- Insurance companies: Life and non-life insurers.
- Pension funds: Companies that manage pension schemes.
- Payment institutions: Including those providing payment services and e-money services.
- Investment firms: Brokerages, asset managers, and other investment-related services.
- Trading venues: Exchanges and multilateral trading facilities.
- Central counterparties (CCPs): Organizations that manage financial derivatives transactions.
- Crypto-asset service providers: Institutions involved in cryptocurrency trading, custodial services, and exchanges.

Third-party service providers
DORA regulations may also extend to other sectors that are crucial in maintaining the financial system's stability through their services or infrastructure, which include:
- Cloud providers: Any company that offers cloud storage, computing services, and infrastructure to financial institutions.
- IT service providers: Including those who manage data centers, software development, cybersecurity, and networking.
- Outsourcing partners: Providers of outsourced services essential to the operations of financial institutions, such as customer support, compliance, and administration.
DORA regulation summary: Five key principles
This DORA regulation summary covers the five key principles that organizations must address to reach compliance.
ICT risk management
Organizations must create a system to identify and assess risks that could significantly impact their operations. Risks that fit these criteria include cyberattacks such as ransomware or malware, natural disasters that could take servers down, and human error causing accidental data leaks.
Recommended actions to prevent these risks include:
- Identifying and responding to vulnerabilities and infrastructure misconfigurations which, if exploited, could disrupt operations.
- Selecting and maintaining tools with the capabilities needed to support company operations.
- Designing and automating methods to continuously identify potential cyberthreats to business operations and IT systems.
ICT incident management
The ICT incident management principle means organizations must have the tools, processes, and policies to monitor, identify, resolve, and report incidents to senior management and regulatory authorities such as the European Banking Authority (EBA) or other relevant EU financial regulators.
To meet DORA's incident management requirements, organizations must:
- Report incidents to authorities, including those that impact business continuity or financial stability.
- Classify incidents or threats based on the number of affected clients, transactions affected, duration of the incident, and data losses.
- Reporting exposures to authorities is voluntary.
- Meet the reporting deadlines, which are broken down into an initial notification, an intermediate report, and a final report once the root cause analysis has been completed.
Information sharing agreements
Another aspect of the DORA EU regulation is the requirement that organizations share threat intelligence, including information on cyber threats and vulnerabilities, with other financial institutions and authorities.

This encourages collaboration between institutions and builds a shared understanding of evolving cybersecurity threats and technologies, helping organizations prepare for, respond to, and improve their defences against these threats.
Managing third-party risks
Financial institutions often need to rely on third-party vendors for critical services such as security applications and cloud infrastructures. Working with third parties is often unavoidable, so the DORA EU regulation emphasizes the importance of managing the potential risks of these third parties.
Managing and mitigating the risks of third-party providers ensures that they don’t become a burden or risk to a company's overall security posture. Financial institutions can achieve this by assessing the risks of the third-party service and establishing DORA contractual requirements related to information sharing and incident reporting.
Digital operational resilience testing
Organizations must assess their preparedness for handling cyber-related incidents to identify weaknesses, deficiencies, and gaps in resilience.
DORA names the following types of resilience and security testing:
- Open-source analysis
- Source code reviews
- Scenario tests
- Compatibility tests
- Performance tests
- End-to-end tests
- Penetration testing (at least every three years)
Requirements of the DORA framework
DORA’s articles can be classified into three categories:
- Definition: Describes terms and the scope of the act.
- Governance: Addresses organizational policies and procedures for information and communication technology (ICT) risks.
- Technical: Specifies technical requirements for ICT systems within an organization.
Source: Dynatrace
DORA regulation best practices
As DORA states, it is management’s responsibility to oversee and ensure that the company remains secure, stable, and protected against disruptions or cyberattacks.
Although this can be challenging, with the proper guidelines, tools, and monitoring, your management can lead a safe and secure company with an emphasis on privacy that helps meet the DORA EU regulation.
Establish a zero-trust policy
Zero trust is rapidly becoming the new standard for a business's cybersecurity policy to protect against data breaches, the average cost of which reached almost $5 million in 2024.
Zero trust moves away from the traditional security model, also known as the castle-and-moat approach, which did not re-verify users or devices once they were inside the network.
However, this approach carries huge risks. If a hacker gained access to the network or to a single device, they could move laterally to steal information and take down whole networks.

Instead, zero trust relies on the principle of least privilege and trusts no user or device by default: every access request must be verified, regardless of whether that user or device has accessed the same information before.
Therefore, zero trust can be built into your DORA regulation policies to continuously verify third-party software, check for potential exposure, and inform management as soon as possible. It will also help employees strengthen their cybersecurity practices and prevent accidental data leaks.
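To make the contrast concrete, here is an added example (not code from the original post or from Internxt) that places a castle-and-moat authorization check beside a zero-trust one. The perimeter check trusts any request coming from an internal address, so a single compromised internal host can reach anything. The zero-trust check requires a fresh, signed identity token, a device that passes a posture check, and an explicit least-privilege grant for the exact resource and action, on every request. The subnet, signing key, device inventory, grant table and user names are all constructed for the demonstration.

```python
"""Perimeter (castle-and-moat) vs zero-trust authorization, side by side.
Added example; all identifiers, subnets, keys and policies are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

INTERNAL_NET = ip_network("10.0.0.0/8")   # constructed: the "inside" of the moat
SECRET = b"demo-signing-key"              # constructed; would live in a secret store
COMPLIANT_DEVICES = {"laptop-alice"}      # constructed device-posture inventory
# Least-privilege grants: (user, resource) -> allowed actions. Nothing else is allowed.
GRANTS = {("alice", "ledger-db"): {"read"}, ("alice", "hr-files"): set()}
TOKEN_MAX_AGE = 300                       # seconds; short-lived so verification is continuous


@dataclass
class AccessRequest:
    user: str                 # identity the caller claims
    source_ip: str
    resource: str
    action: str
    token: Optional[str] = None      # signed session token, if the caller has one
    device_id: Optional[str] = None


def perimeter_authorize(req: AccessRequest) -> bool:
    """Castle-and-moat: anything already inside the network perimeter is trusted."""
    return ip_address(req.source_ip) in INTERNAL_NET


def issue_token(user: str, issued_at: int) -> str:
    """Create an HMAC-signed token binding a user to an issue time."""
    sig = hmac.new(SECRET, f"{user}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{user}|{issued_at}|{sig}"


def verify_token(token: Optional[str], now: int) -> Optional[str]:
    """Return the user named in a valid, unexpired token, otherwise None."""
    if not token:
        return None
    try:
        user, issued_at_s, sig = token.split("|")
        issued_at = int(issued_at_s)
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{user}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    if now - issued_at > TOKEN_MAX_AGE:
        return None
    return user


def zero_trust_authorize(req: AccessRequest, now: int) -> Tuple[bool, str]:
    """Verify identity, device posture and an explicit grant on every request.
    Network location is deliberately not an input to the decision."""
    user = verify_token(req.token, now)
    if user is None or user != req.user:
        return False, "unverified identity"
    if req.device_id not in COMPLIANT_DEVICES:
        return False, "non-compliant device"
    if req.action not in GRANTS.get((req.user, req.resource), set()):
        return False, "no grant"
    return True, "ok"


def run_scenarios(now: int) -> dict:
    """Evaluate a few constructed requests under both models."""
    fresh = issue_token("alice", now - 10)
    stale = issue_token("alice", now - 1000)
    cases = {
        # Alice, valid token, compliant laptop, permitted action.
        "legit": AccessRequest("alice", "10.0.5.7", "ledger-db", "read", fresh, "laptop-alice"),
        # Attacker on a compromised internal host, no credentials at all.
        "lateral_no_token": AccessRequest("alice", "10.0.5.99", "hr-files", "read", None, "kiosk-7"),
        # Attacker who stole Alice's token but runs from an unmanaged device.
        "stolen_token": AccessRequest("alice", "10.0.5.99", "ledger-db", "read", fresh, "kiosk-7"),
        # Alice herself, but asking for a resource she has no grant for.
        "no_grant": AccessRequest("alice", "10.0.5.7", "hr-files", "read", fresh, "laptop-alice"),
        # Alice with an expired token: re-verification is required.
        "expired": AccessRequest("alice", "10.0.5.7", "ledger-db", "read", stale, "laptop-alice"),
    }
    return {name: {"perimeter": perimeter_authorize(r), "zero_trust": zero_trust_authorize(r, now)}
            for name, r in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios(1_700_000_000).items():
        print(f"{name:18} perimeter={verdict['perimeter']!s:5} zero_trust={verdict['zero_trust']}")
```

The point to notice is the `lateral_no_token` and `stolen_token` rows: the perimeter model returns true for both because the request originates inside `10.0.0.0/8`, which is exactly the lateral-movement risk described above, while the zero-trust check refuses them for an unverified identity and a non-compliant device respectively. The `no_grant` row shows least privilege: a fully verified user on a compliant device is still denied a resource outside her grants.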
Exposure management
Security testing and posture management are necessary, but the battle to protect your company relies on constantly monitoring your environments for exposures, then assessing their potential impact.
Exposure management improves prioritization and prevents vulnerabilities and misconfigurations from turning into a data breach.
Conduct threat hunts
Regular hunting for potential threats is the only way to uncover and patch application exposures.
This is especially true for zero-day attacks, in which a hacker exploits a vulnerability the company has not yet noticed or patched. Zero-day attacks can vary, but they typically involve inserting malicious code into the network or software.
The term zero-day reflects the urgency of these attacks: the company has had no time to prepare, is in immediate danger, and must act to fix the security issue immediately.
How Internxt can help you achieve DORA compliance
As with any business, staying up to date with compliance and regulatory bodies can be overwhelming, as it requires deep technical expertise and resources to implement properly.

Furthermore, larger organizations also face the challenges of managing private or hybrid cloud models, which come with advanced security protocols to follow, and of avoiding data leaks or service disruptions when migrating their data to the cloud. To help migrate your data, read our article on cloud migration strategies.
For your business cloud storage needs, you can protect sensitive business or customer information with Internxt for business or S3 object storage.
Internxt Drive for Business offers:
- Post-quantum and zero-knowledge encrypted cloud storage, 2TB/user for up to 100 users
- Secure, encrypted file sharing
- Remote session monitoring
- Access logs
- Includes VPN & Antivirus
- GDPR logs
Internxt also offers S3 object storage, which includes:
- €7/TB/month, pay only for the storage you need
- Zero ingress & egress fees
- AWS S3 and IAM API compatible
- Up to 80% cheaper than AWS, Azure, or Google Cloud
- End-to-end encryption
- Data redundancy for quick file recovery
All of Internxt’s services are open-source and GDPR compliant, meaning you can have peace of mind that your data is protected, which the open-source community can verify.
To get started with Internxt for business, visit our website to purchase a plan. If you want more information about how Internxt can help you with your next cloud storage solution, you can also request a call with a member of our sales team.
The future of DORA regulation
Looking at the DORA regulation post-2025, it will bring more stringent enforcement to ensure continuous compliance, such as regularly testing IT systems and third-party integrations, reporting and auditing incidents, and taking the necessary steps to manage vendor risks proactively.
Subscribe to Internxt for more information about what’s happening in the security and online privacy world, and trust our cloud storage, VPN, and Antivirus to protect you from cyberthreats.