DORA – Digital resilience in the financial sector

The financial sector is one of the most digitized – and therefore most vulnerable – industries in Europe. That is why the EU has introduced the Digital Operational Resilience Act (DORA), a binding set of rules that will apply in full from January 17, 2025 in the EU and from July 1, 2025 in Norway.

Whereas NIS 2 is a directive, DORA is a regulation – which means that the requirements apply directly, without national adaptation.

What does DORA require?

DORA consists of 58 articles and sets a new standard for how financial institutions and their ICT suppliers must work with digital resilience. The regulation covers everything from risk management and governance structure to incident management and continuity plans. It requires regular testing – in some cases advanced penetration testing – and sets clear requirements for how companies follow up and control their suppliers.

In short, DORA makes robustness and documented preparedness a fundamental requirement for conducting financial business in the EU. 

  • ICT risk management – governance structure, roles, and responsibilities.
  • Incident management and reporting – obligation to report all major incidents.
  • Resilience testing – from regular tests to advanced penetration testing (TLPT).
  • Supplier management – requirements for contracts, risk assessment, and monitoring of third-party suppliers.
  • Continuity and recovery – the business must be able to withstand disruptions and quickly resume operations.

More than compliance – a competitive advantage

DORA is not just a requirement – it is an opportunity to strengthen customer confidence and build resilience in a sector that is entirely dependent on digital resilience. Companies that are at the forefront will not only gain security vis-à-vis regulatory authorities, but also a strategic advantage in the market.

Our solution: Enhanced Security for DORA Compliance

To make the journey easier, we are developing the Enhanced Security for DORA Compliance service. It will provide you with the tools, documentation, and infrastructure you need to meet the requirements on time:
 

  • Audit-ready documentation: Pre-configured audit reports, contingency plans, and risk registers that meet DORA requirements.
  • Resilience by Design: Infrastructure with redundancy, backup, and failover ensures operation even during crises.
  • Data sovereignty: The solution is delivered via EU-based data centers and Orange Business Sovereign Cloud.
  • Integrated testing: We offer everything from vulnerability scanning to Red Team exercises to meet DORA's testing regime.
  • Predictable pricing: A fixed monthly price gives you control over costs and makes budgeting easy.

DORA: Why is this urgent?

The timeline has been set, and there is no possibility of postponing DORA. Norwegian financial institutions and their suppliers must be ready by July 2025 – and many are still in the starting blocks.

Do you want to be DORA-ready by 2025? Contact us for a safe and effective path to compliance.

FAQ

  • From January 17, 2025. All institutions must comply with the requirements by then.

  • Almost all financial institutions and their critical ICT suppliers operating in the EU.

  • ICT risk management, incident reporting, resilience testing, continuity planning, and third-party monitoring.

  • Possibly. We can help you assess whether this is mandatory and coordinate with certified Red Teams.

  • Policy templates, audit-ready reports, compliance mapping, and continuity contingency plans.