The Digital Operations Resilience Act (DORA): What Legal Teams Need to Know About Compliance
The Digital Operations Resilience Act (DORA) went into effect in the EU in January 2025. Learn what financial organizations must do to comply with its five pillars—and what legal teams need to update in contracts.
Receive the latest updates on growth and AI workflows in your inbox every week
In June 2018, hackers successfully diverted traffic from British Airways’ website to a duplicate site, stealing data and credit card details from nearly 500,000 customers. The airline paid $26 million in fines for failing to protect the data of their customers.
This is one of the largest data breaches in Europe ever recorded. But new legislation from the European Union promises that it won’t happen again.
This, alongside other major data breaches—like the ransomware attack on Travelex in 2020 that ultimately forced the company into administration, or cyber theft of more than $2 million in unauthorized transactions from Tesco Bank in 2016—could have been prevented had the organizations implemented security and compliance structures outlined in the Digital Operations Resilience Act (DORA), which went into effect in the European Union in January 2025.
It establishes five pillars of compliance that includes risk management, incident response and reporting, digital operational resilience testing, third-party risk management, and information sharing. In this post, we’ll cover each pillar so your legal team understands exactly what’s required for your team with this new legislation, and how that’s different from previous regulations.
Here’s what legal teams need to know about maintaining compliance with DORA:
What is the Digital Operations Resilience Act (DORA)?
The Digital Operations Resilience Act (DORA) is a set of EU financial regulations that address information and computer technology (ICT) risks, including measures for protection, detection, containment, recovery, and repair.
Specifically, DORA fills in the legal gaps left by previous regulations like ISO 27001, SOC2, and GDPR in terms of handling sensitive financial data and transactions. “DORA is now the EU’s binding rule for ICT risk and cyber-resilience in finance, sitting alongside GDPR for data protection and NIS 2 for critical infrastructure security,” says Ethan Heller, GRC Subject Matter Expert at security and compliance platform Vanta. “DORA harmonizes sector specific laws by adding a single set of operational resilience obligations that now apply to both financial entities and their critical technology providers.”
How DORA changes security and compliance for financial institutions
In the past, each organization was in charge of their own security measures. But DORA creates a uniform network of security and compliance practices that ensure the safety of the entire financial system.
The impetus for this additional set of regulations came from the increased threat of cyberattack, both in terms of frequency and sophistication. In the finance world, cyberattack threatens not just the individual customers or a single organization, but its impact can ripple across global markets. “Localized cyber incidents could quickly spread from any of the approximately 22 000 Union financial entities to the entire financial system, unhindered by geographical boundaries,” reads the introduction of the law. “Despite Union and national targeted policy and legislative initiatives, ICT risk continues to pose a challenge to the operational resilience, performance and stability of the Union financial system.”
This makes security not just limited to IT teams. “DORA goes all the way up to the board of directors, who must now approve and review a documented digital operational resilience strategy, making cyber risk a standing agenda item going forward,” says Heller. “This puts a real focus on cyber risk on the entire organization, including performing regular internal audits at least on an annual basis.”
Before DORA, most financial institutions covered operational risks by allocating a set amount of capital to offset potential losses from incidents like these. DORA reaffirms that security and compliance isn’t just about the amount of capital set aside “just in case,” but a set of practices that ensure organizations are ready for these kinds of disruptions—and can recover quickly from them if they do happen.
DORA’s five pillars of compliance: What financial organizations need to know
DORA covers five pillars for your compliance efforts: Risk management, incident response and reporting, digital operations testing, third-party risk management, and information sharing. Says Heller, “The most important aspect of DORA is that organizations must now develop a robust, dedicated function for managing ICT-related risks. This includes an incident management process that effectively detects, mitigates, and communicates incidents.”
If the worst does happen, DORA requires you to move fast. You’ll need to be ready. “DORA dictates strict timelines when it comes to incident response procedures, especially when it comes to reporting,” says Heller. “Organizations must ensure they can meet these strict timelines, making performing incident response tabletop exercises critical. Everyone needs to know their role in preventing and responding to a major incident.”
| Pillar | What It Means | Action Items |
| Risk Management | Preventing cybersecurity attacks before they happen | Maintaining a live risk register that is reviewed on a frequent basis (such as quarterly) Security/operations teams running patch, backup, and access checks against the risk appetite set by the Board of Directors. Internal audits on the organization’s DORA compliance on at least an annual basis. |
| Incident Response and Reporting | Strict guidelines for response and reporting when incidents do occur | Security operation center (SOC) analysts should classify every security or availability event against DORA’s severity taxonomy. If an incident is deemed to be “major,” the organization must file an initial report to the national competent authority within “end of business day + 24 hours,” followed by intermediate and final reports and a post-incident review. |
| Digital Operational Resilience Testing | Continual monitoring and testing of security systems | Data breach/cyberattack exercises must occur at least every 3 years. Vulnerability scans should run continuously, with findings fed into the risk register to be prioritized and solved. |
| Third-Party Risk Management | Monitoring third-party providers and establishing safeguards within contractual obligations | Organizations must keep a live register of all ICT providers, noting criticality and exit plans going forward. As a part of annual security due diligence reviews, organizations should collect each critical provider’s own independent assurance report (such as SOC 2 andISO 27001) and test fail-over or exit scenarios. New supplier contracts will now include audit rights, strict incident-notification SLAs, and data-portability clauses. |
| Information Sharing (Voluntary) | Exchange of information and intelligence regarding cyberthreats throughout the industry | Share cyber threat intelligence or your experiences in trusted communities |
Compliance with DORA follows many existing cybersecurity best practices
The good news? You’re probably already doing many of these requirements already, just on a less robust level than DORA requires. Heller recommends taking this opportunity to assess your overall cybersecurity practices at every level:
Establish an ICT risk program
DORA isn’t just another “ISO” level for your security. You may already have a risk management program in place, but DORA just asks you to focus on ICT-related issues, including data governance, data storage, and your third-party landscape. For example, ISO 27001 requires you to assess and treat cyber risks, but DORA specifies that it must be continuous.
“Organizations should implement an automated, board visible ICT risk program that ties asset inventories, vendor records, testing results, and incident workflows together in a single system of record,” says Heller. “This one operating model simultaneously satisfies DORA’s five pillars and streamlines day to day operations.”
Find a new day-to-day rhythm of operations
The best approach to ICT risk is a proactive one, says Heller. He recommends taking a daily approach to risk management. “Organizations should incorporate many of the activities mentioned earlier into day to day operations such as performing regular incident response tabletop exercises, centralized monitoring of critical suppliers, and assess DORA compliance on a regular basis,” he says.
Doing this on a regular basis bakes cybersecurity into the culture of the organization, rather than an afterthought.
Communicate often with your leadership team
Finally, DORA establishes requirements across the entire organization for compliance, starting at the executive leadership level. Where ICT concerns might have been limited to CTOs or your IT organization, Heller advises communicating early and often with your leadership team about this issue. “Your leadership needs to be aware and accountable for ICT security risk, and DORA also requires staff training on these best practices.”
Third-party risk management: What this means for your contracts
As legal professionals, you’re not in charge of implementing the majority of the compliance for these new regulations. Your IT team likely already has cybersecurity as a major priority, and they’ll handle much of the nuts and bolts of day-to-day DORA compliance.
However, there’s one heavy lift that comes out of DORA regulations that legal teams must comply with, under the third-party risk management pillar: Contractual obligations. Says Heller, “You’ll need to include DORA-specific language in all of your contracts with suppliers, which takes time and effort to do correctly.”
That includes clauses such as:
- Specific audit rights
- Exit/portability clauses
- Resilience SLAs
- Receiving independent assurance reports (such as a SOC 2) on a regular basis
“Teams should centralize contracts and create and leverage templates for the DORA mandated-addendums to simplify this process,” says Heller. You’ll need to add these clauses into all of your new tech-related contracts to comply with DORA, or when a contract is up for renewal.
Additionally, organizations must now maintain a live register of any tech suppliers and perform in-depth risk reviews before onboarding anyone new. Maintaining a live register of any suppliers, including known risks, isn’t easy to do if you’re working with contracts scattered over multiple systems (or if they haven’t been digitized at all.) “You need to be able to effectively monitor critical suppliers on a continuous basis,” says Heller. “And organizations must be prepared to provide evidence of this register by regulators when requested to do so.”
Start by mapping out your existing suppliers that fall under the ICT bucket by renewal deadline—how many and their current obligations and risk factors—and work with your procurement team to make sure those new regulations are part of the next round of your contracts.
For more on how CLMs can be your secret weapon for third-party risk management, read how fintech infrastructure platform Plaid transformed their processes, and to learn more about Ironclad, request a demo today.
Ironclad is not a law firm, and this post does not constitute or contain legal advice. To evaluate the accuracy, sufficiency, or reliability of the ideas and guidance reflected here, or the applicability of these materials to your business, you should consult with a licensed attorney.
