Preparing for DORA – a new challenge for financial entities

22 December 2023

Preparations underway

The Digital Operational Resilience Act (DORA), establishes the European Union’s new regulatory framework for the management of digital risks in financial markets. You can get a PDF of the regulation from the EU commission website. It entered into force in January 2023 and must be applied by financial entities across the EU from 17 January 2025. Needless to say, with only a year left before the deadline to apply the regulation, time is tight for the financial entities preparing for DORA. More than 50 authorities, including national authorities, the European Central Bank and the European Union Agency for Cybersecurity (ENISA), work on the development of the policy products and regulatory technical standards mandated by the DORA. Moreover, businesses across the board are gearing up to support financial entities in implementing the provisions of the regulation.

Ambitious goals in a short timeline

DORA goes beyond the goal of achieving ICT risk management and information security. Instead, it aims to secure digital operational resilience over the entire financial ecosystem. Moreover, this regulation one comes with some hefty financial penalties. For example entities found to be in violation of the Act’s requirements may face fines of up to 2% of their total annual worldwide turnover. In the case of an individual, the maximum fine runs up to EUR 1,000,000. The amount of the fine will depend on the severity of the violation and the financial entity’s cooperation with authorities. DORA’s requirements focus on ensuring the existence of strategies, frameworks, and governing processes to achieve digital operational resilience. This is opposed to the requirements of the European Insurance and Occupational Pensions Authority – EIOPA ICT guidelines, which focus on specifying security controls addressing governing processes in broader terms. From this perspective, DORA is not a replacement for the ICT guidelines, but rather a complement to them.

Key challenges

DORA is a cross-sectoral regulation applying to more than 20 different types of financial entities. Moreover, it also applies to more than 40 competent authorities. Financial institutions preparing for DORA face 5 key challenges:

  • establishing a comprehensive ICT risk management framework:
  • establishing digital operational resilience strategy;
  • creating governance processes for classification and reporting of major ICT-related incidents;
  • living up to increased requirements on digital operational resilience testing;
  • managing third parties in their ICT supply chain.


How can CanaryBit’s Confidential Cloud help your organisation comply with DORA? Canary Bit’s solutions help solve legal and compliance challenges with state of the art cybersecurity technology. For example, the regulation text states in Article 9, paragraph 2 that financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit. Confidential Cloud is a comprehensive end-to-end data protection toolset for cloud infrastructure security and protection of digital assets throughout their lifecycle. This includes protection of data at rest, in transit, and most novel – in use.


DORA should not be construed as an information security act. Rather, it is a complementary act focused on strategies, frameworks, and governing processes.


2023: more business, more challenges, more success to celebrate

2023: more business, more challenges, more success to celebrate

And just like that, in a blink of an eye, we have found ourselves at the end of yet another year. 2023 meant a lot to CanaryBit: it brought more business and challenges but also set the ground for growth for several years ahead. Let's rewind the year before it ends...

Standardising Confidential Computing

Standardising Confidential Computing

Trusted Execution Environments have been around for a while now and keep evolving. As support for confidential computing is included in more commodity platform, standardising this approach is becoming increasingly important to accelerate updake. This is part one of a...

Enhancing the circularity of electric vehicle batteries

Enhancing the circularity of electric vehicle batteries

REmanufacture, REcycle, REuse and REduce: Mälardalen University is addressing these four main aspects of Circular Economy in a new project enabling circularity of electric batteries. It runs the project in close collaboration with the Swedish industry. The Circul8...