Industry, News - written by cp on Tuesday, March 18, 2025 0:25 - no comments yet
DORA in practice: Obstacles and recommendations for companies
The EU regulation aims to improve the cyber resilience of the financial sector through uniform and binding requirements
[datensicherheit.de, 03/18/2025] The Digital Operational Resilience Act (DORA) has been in force since January 17, 2025. The EU regulation aims to improve the cyber resilience of the financial sector through uniform and binding requirements. It affects not only banks, insurance companies and investment companies, but also IT service providers that provide critical infrastructure for these institutions.
However, two months of practice show that even after the implementation deadline, banks, insurance companies and asset managers still have a lot to do. Individual reporting deadlines have been postponed, some requirements were specified late, and many service provider contracts have not yet been updated. Because the new requirements are complex, these institutions run the risk of failing to implement the regulation in a compliant manner. Integrating DORA into existing compliance processes, managing IT third-party risks and establishing robust reporting processes are particularly challenging.
DORA: Challenging companies
According to the BSI report The State of IT Security in Germany in 2024, 120 cyberattacks on companies in the financial and insurance sector were reported last year – almost double the figure for 2023, when 61 incidents were registered. This development shows that the threat situation for the financial sector continues to escalate and that increased protective measures are more urgent than ever. Banks, insurance companies and their IT service providers are increasingly being targeted by cyber criminals, which underlines the need for robust security strategies.
To address these challenges, DORA defines requirements in several key fields, including IT risk management, reporting obligations, operational resilience testing and the management of third-party IT providers. The aim of the regulation is to make financial companies more resilient to cyberattacks and to establish a uniform security strategy in the EU. However, implementation often proves to be complex.
Five obstacles and possible solutions
- Optimize reporting processes and response times: Companies must report cyberattacks to the relevant supervisory authority within 24 hours. In practice, however, clear internal processes are often lacking. One solution is to implement automated detection systems that identify attacks at an early stage and generate standardized reports.
- Manage IT third-party risks effectively: Financial companies remain responsible for the security of their IT service providers. Many have not yet established end-to-end risk assessments. Contractually defined security requirements and regular audits help to ensure the compliance of external providers.
- Realistically test crisis management: DORA requires practical stress tests to check cyber resilience. However, realistic scenarios are often lacking. Companies should carry out regular simulations and ensure that their emergency plans are aligned with their overall strategy.
- Integrate DORA into existing compliance frameworks: Many companies already rely on NIS-2, ISO 27001 or BSI IT-Grundschutz. One challenge is the seamless integration of DORA without unnecessary duplicate structures. Harmonizing existing processes with the new requirements reduces the administrative effort and facilitates implementation.
- Ensure secure data transfer and encryption: DORA demands robust security measures for the digital exchange of sensitive information. In practice, however, many companies still rely on outdated transmission methods such as unencrypted emails or insecure file transfer solutions. One solution is the use of end-to-end encrypted platforms that not only offer DORA-compliant security, but also guarantee the integrity and traceability of data.
DORA as an opportunity for Europe’s digital sovereignty
“DORA is a decisive step for Europe’s digital sovereignty. The regulation not only ensures uniform security standards, but also strengthens the financial sector’s resilience to cyberattacks,” says Ari Albertini, CEO of FTAPI. “Companies that invest in resilient and secure structures now will benefit from greater trust and regulatory certainty in the long term.”
With DORA, the EU is setting new standards for cyber resilience – and requires companies to take a proactive approach. Those who act early not only minimize risks and regulatory hurdles, but also secure long-term competitive advantages in an increasingly digitalized financial world.
Further information on this topic:
datensicherheit.de, 21.01.2025: DORA: Europe’s new cyber security regulation poses challenges not only for the financial sector