DORA Explained: What the EU Digital Operational Resilience Act Means for Finance Teams
A practical guide to DORA for accountants and finance professionals: who is in scope, the five pillars, why finance owns more of it than expected, and what to do now.
The Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554 — has applied across the EU since 17 January 2025. It is the first EU-wide framework that treats technology failure, cyber attack and third-party outage as a core financial risk, with the same seriousness as capital or liquidity. For accountants and finance professionals working in or advising financial services firms, DORA is no longer a future deadline: it is live supervisory reality, and finance teams have a bigger role in it than many expect.
What is DORA and who does it apply to?
DORA applies to more than 20 categories of financial entities, including banks, insurers, investment firms, payment and e-money institutions, fund managers, and crypto-asset service providers authorised under MiCA. Crucially, it also brings critical ICT third-party providers — cloud platforms, data centres, core banking software vendors — under direct EU oversight for the first time.
If your organisation is regulated financial services in the EU, or provides material ICT services to firms that are, DORA applies. UK-headquartered groups with EU entities are in scope for those entities, and the UK's own operational resilience regime under the FCA and PRA runs on closely parallel lines.
The five pillars of DORA
DORA is built around five sets of obligations:
- ICT risk management — a documented framework owned by the management body, covering identification, protection, detection, response and recovery. Accountability sits with the board, not the IT department.
- Incident reporting — major ICT-related incidents must be classified and reported to the regulator under tight timelines, with an initial notification, an intermediate report and a final report including root-cause analysis.
- Digital operational resilience testing — regular testing of critical systems, escalating to threat-led penetration testing (TLPT) for significant entities at least every three years.
- ICT third-party risk management — a register of information covering all ICT contracts, mandatory contractual provisions, concentration-risk assessment, and exit strategies for critical providers.
- Information sharing — voluntary arrangements for sharing cyber threat intelligence between financial entities.
Why DORA matters to finance professionals specifically
It is tempting to file DORA under "IT's problem". That would be a mistake, for four reasons.
1. The register of information is an accounting-adjacent exercise
The contract register demands a complete, structured inventory of ICT arrangements — supplier, service, criticality, spend, substitutability. In most firms the only function that already holds a complete picture of supplier contracts and spend is finance. Finance teams are routinely being asked to co-own the register.
2. Incident costs flow into the numbers
Major incidents create provisions, contingent liabilities, regulatory fines and disclosure questions. Finance needs to understand the incident classification framework because the outputs land in management accounts, audit committee papers and, for significant events, the annual report.
3. Auditors are testing it
Internal and external audit teams are building DORA into their control testing. IT general controls (ITGCs), third-party assurance reports (ISAE 3402 / SOC reports) and resilience-testing evidence are now standard requests. Accountants in practice need enough fluency to scope and review this work.
4. Board accountability includes the CFO
DORA places responsibility on the management body collectively. CFOs and finance directors sitting on boards of in-scope entities carry personal accountability for approving and overseeing the ICT risk framework.
DORA and the UK regime — close cousins, not twins
The UK's operational resilience rules (FCA PS21/3, PRA SS1/21) required firms to remain within impact tolerances for important business services by March 2025. The philosophy is similar — assume disruption will happen, prove you can absorb it — but DORA is more prescriptive on contract terms, incident reporting formats and testing. Groups operating in both jurisdictions generally build to the stricter requirement.
What finance teams should be doing now
- Confirm whether your entity (or your clients) falls within DORA's scope, including via MiCA authorisation.
- Establish who owns the register of information and how finance's contract and spend data feeds it.
- Map incident-reporting workflows to finance processes — provisions, insurance recoveries, disclosure.
- Ask when the firm's next resilience test or TLPT is scheduled and how findings are tracked.
- Build DORA literacy into the finance team's CPD plan — supervisors increasingly expect it.
Frequently Asked Questions
Is DORA already in force?
Yes. DORA entered into force in January 2023 and has applied in full since 17 January 2025. Supervisory engagement and enforcement are active.
Does DORA apply to accountancy firms?
Accountancy firms are not themselves in scope as financial entities, but those auditing or advising financial services clients need working knowledge of it — and firms providing ICT services to financial entities can be caught as third-party providers.
What is the penalty for non-compliance?
Sanctions are set by member states and can include periodic penalty payments for critical ICT providers of up to 1% of average daily worldwide turnover. For financial entities, the sharper risk is supervisory intervention and remediation orders.
How is DORA different from GDPR?
GDPR protects personal data wherever it sits; DORA protects the operational continuity of the financial system. An outage with no data breach can still be a major DORA incident.
Study with Learnsignal
Operational resilience is now a core competency for finance professionals in regulated firms. Learnsignal's flexible online CPD courses help qualified accountants build practical regulatory and risk knowledge around a full-time workload, with expert-led content you can study anywhere.
Learnsignal Education Team
Expert Tutor at Learnsignal
Qualified professional with years of experience in teaching and helping students achieve their accounting qualifications.