The Plain English Version

DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) is an EU regulation that makes financial services firms prove they can withstand, respond to, and recover from IT disruptions and cyber attacks. It entered into force in January 2023 and has applied since 17 January 2025.

Think of it as the EU saying: "Banks, insurers, and investment firms - we need to see your homework on how you handle technology risks. And your IT suppliers? They need to prove themselves too."

Who Does DORA Apply To?

Banks, insurance companies, investment firms, payment providers, crypto-asset service providers, and critically - their ICT third-party service providers. If you supply IT services to financial firms, you may be in scope. The largest and most systemic ICT providers can also be designated as "critical" and placed under direct oversight by the European Supervisory Authorities.

The Five Pillars of DORA

  • ICT Risk Management - A documented framework for identifying, protecting against, detecting, responding to and recovering from technology risks
  • Incident Reporting - Major ICT-related incidents must be classified and reported to the competent authority, with initial, intermediate and final reports
  • Digital Resilience Testing - Regular testing of ICT systems, with threat-led penetration testing (TLPT) at least every three years for the entities the regulator selects
  • Third-Party Risk - Managing risks from your IT suppliers and service providers, including a register of all ICT contracts
  • Information Sharing - Voluntary sharing of cyber threat intelligence across the sector

Why This Matters for SMEs

Even if you are not directly in financial services, DORA affects you if you provide IT services to companies that are. Your financial services clients will need assurance about your security controls, resilience, and incident response capabilities.

This creates a supply chain effect - expect due diligence questionnaires, security audits, and contractual requirements around operational resilience. DORA prescribes what those contracts must contain, so expect clauses on service descriptions, data processing locations, incident support and notification, audit and access rights, and exit and termination arrangements.

Getting Prepared

Start by understanding your exposure - do you have financial services clients, and which of your services do they depend on? Then review your ICT risk management framework, incident response procedures, and business continuity plans against what those clients will be asked to evidence. Document everything - DORA requires evidence, and your clients will pass that requirement down to you.