An Introduction to DORA: Understanding the Digital Operational Resilience Act and Its Impact


    What DORA Is Designed to Achieve

    Understanding how DORA applies to an organisation, how it shapes customer expectations, and what constitutes appropriate evidence and documentation is central to meeting operational resilience obligations. Before going any further, it is important to step back and examine what DORA is designed to achieve, as this context underpins every compliance and governance decision that follows.

    DORA, the Digital Operational Resilience Act, is now approaching its first year of full enforcement. Since becoming mandatory on 17 January 2025, it has fundamentally reshaped how the European financial sector approaches technology risk, resilience, and cyber readiness. Financial institutions and their critical service providers have been operating under a higher standard of operational discipline, with a consistent message emerging across the industry: operational resilience is no longer a discretionary capability, but a regulatory expectation.

    Cyber incidents, system failures, supplier disruptions, and unexpected outages are no longer viewed as isolated or unlikely events. Under DORA, these are treated as foreseeable risks that must be managed proactively. The objective is clear. Financial services must be able to operate securely, protect customers, and recover quickly when disruption occurs.

    Who has to follow DORA

    The scope of DORA is deliberately broad. If an organisation operates within the regulated financial ecosystem, it is highly likely to be affected.

    DORA applies to banks and credit institutions, payment firms, e-money providers, investment firms, insurance and reinsurance undertakings, insurance intermediaries, crypto-asset service providers authorised under MiCA, trading venues, central counterparties, central securities depositories, trade repositories, fund managers and management companies, credit rating agencies, crowdfunding platforms and securitisation repositories. It also includes pension schemes, benchmark administrators and data reporting service providers.

    In practical terms, almost every component of the financial system is within scope.

    What about technology providers

    DORA does not stop with financial institutions. It explicitly recognises that operational resilience depends on technology and on the suppliers that provide it.

    Cloud hosting platforms, software vendors, data centres, analytics providers, network and telecommunications services and other ICT suppliers all fall within DORA’s line of sight when they support critical or important functions. Where providers are deemed critical, EU regulators may place them under direct oversight.

    Location does not remove responsibility. Even where a supplier is based outside the EU, DORA still applies if its services support EU regulated financial entities.

    Where DORA sits alongside ISO 27001 and NIST CSF

    Many organisations already operate established security and risk management frameworks such as ISO 27001 or NIST CSF 2.0. These remain valuable and relevant. DORA does not replace them.

    Instead, DORA acts as an additional regulatory layer. It places greater emphasis on governance, accountability, testing and evidence. Organisations with mature frameworks are often better positioned, but alignment with DORA still requires targeted effort and clear documentation.

    What DORA requires

    DORA is structured around five core areas that organisations must address.

    1. ICT risk management: Organisations must have a structured approach to identifying, assessing and managing technology and cyber risks. Governance, policies and ongoing oversight are central to this.

    2. Incident reporting: Significant incidents must be detected, classified and reported to regulators within defined timeframes. Transparency and speed are key expectations.

    3. Operational resilience testing: Organisations are expected to regularly test systems and services to confirm they can withstand disruption and continue operating under stress.

    4. Third-party risk management: Supply chain resilience is a core focus. Organisations must understand the risks posed by their suppliers and manage those relationships accordingly.

    5. Information sharing: DORA encourages responsible sharing of cyber threat information to improve resilience across the wider financial sector.

    Why DORA matters to our customers

    Many of our customers are not based in the EU and are not directly regulated under DORA. Even so, the regulation has a direct impact on them through their customers and partners.

    A significant proportion of our clients provide infrastructure, platforms, applications or operational services to financial institutions that are regulated under DORA. Where your technology supports a bank, payment provider or insurer, you become part of their operational resilience framework.

    This means customers will increasingly request evidence of DORA-aligned controls. They will ask more detailed questions about resilience, incident handling and security practices, not because you are regulated, but because they are.

    For customers and service providers supporting regulated entities, this creates two clear realities:

    • Increased scrutiny and more detailed due diligence from regulated clients

    • An expectation to demonstrate operational maturity aligned with DORA requirements, even where formal regulatory scope does not apply

    There is also a clear upside. Aligning with DORA strengthens trust, supports long-term commercial relationships and positions your organisation as a dependable partner in a highly regulated market.

    How Locked Stack can support you

    Locked Stack supports organisations that are directly regulated under DORA as well as those indirectly affected through customer requirements. We help clients understand where DORA applies, what is expected and how to demonstrate operational resilience effectively.

    Whether you are preparing for DORA alignment, responding to customer questionnaires or strengthening your overall resilience posture, our team can support you with clarity and pragmatism. Our focus is on helping you meet expectations efficiently while supporting sustainable growth.