DORA 2025 Compliance Readiness Checklist

Testing/resilience must be operationalised: It’s not enough to have policies; you’ll need to design and oversee real-world testing scenarios (e.g., cyber-attack simulation, system failure).

Who and What is in Scope

  • Applies to a broad range of financial entities: banks, insurers, payment institutions, investment firms, crypto-asset service providers, etc. (PwC)
  • Also covers ICT third-party service providers (including those outside the EU) when they supply critical or important functions to covered financial entities. (Digital Operational Resilience Act)
  • Applies to more than 22,000 entities in the EU, according to one estimate. (PwC)
  • Proportionality principle: requirements may be simplified for smaller entities depending on size, nature and risk profile. (Wikipedia)

Key Obligations / Pillars

Here are the core pillars of DORA with the implications you’ll want to watch from a change delivery / product / operational risk perspective:

  1. ICT Risk Management
    • Entities must implement an ICT risk-management framework covering identification, protection, detection, response and recovery from ICT risks. (Baker McKenzie)
    • Risk management must be documented and embedded in governance structures. (DLA Piper)
    • Simplified frameworks may apply for smaller entities under proportionality. (Wikipedia)
  2. Incident Management, Classification & Reporting
    • Major ICT-related incidents must be classified and reported within defined timeframes. (Mayer Brown)
    • Firms must have processes to detect, manage and recover from incidents. (Central Bank of Ireland)
  3. Digital Operational Resilience Testing
    • Regular resilience testing is required, including threat-led penetration testing where applicable. (Baker McKenzie)
    • Testing must be integrated into the risk management framework. (DLA Piper)
  4. ICT Third-Party Risk Management
  5. Information-Sharing Arrangements
    • Entities are encouraged to share cyber threat intelligence and vulnerability information. (EIOPA)

Why This Matters for You (Financial / Product / Change Roles)

Given your background in financial services, change programmes and product oversight, DORA has direct operational implications:

  • Organisations will need gap analyses of ICT resilience, third-party dependencies, and incident reporting frameworks.
  • DORA requirements must be embedded into product lifecycles, vendor management, and change governance.
  • Third-party risk becomes a formalised, continuously monitored control area across all ICT suppliers.
  • Resilience testing must move from policy to real operational simulation (cyber attacks, system failures, etc.).
  • Incident detection and reporting processes must be structured, auditable, and aligned to regulatory timelines.
  • UK-based firms with EU exposure or EU-based vendors will still be impacted due to cross-border operational dependencies.

Key Timelines

  • Application date: 17 January 2025 — firms must be compliant from this point. (Central Bank of Ireland)
  • Supporting technical standards (RTS/ITS) continue to shape implementation requirements.
  • UK regulatory frameworks are aligning in parallel, especially around third-party risk and operational incident reporting.

Risks, Challenges & Strategic Opportunities

  • Risk: Regulatory penalties, supervisory scrutiny, and operational disruption from non-compliance.
  • Challenge: Legacy systems, fragmented data, and complex vendor ecosystems make implementation difficult.
  • Challenge: Ensuring consistent incident classification and reporting across large organisations.
  • Opportunity: Building mature operational resilience capabilities strengthens regulatory posture and business continuity.
  • Opportunity: Strong DORA implementation can become a competitive differentiator in regulated markets.

 

Share the Post:

Related Posts