Everything Financial Companies Need to Know about DORA
While we've recently covered NIS2, the AI Act, and other sweeping regulations that address tech innovations, the EU's Digital Operational Resilience Act seems to have flown under the radar for many. Perhaps because the act is somewhat esoteric, or because it is unclear to many how it will affect non-EU entities, many companies we interact with haven't taken action to become compliant.
So what is DORA? How will it affect you? What are its implications for the future? Here we'll answer all of these questions and more.
What is DORA?
DORA is a piece of EU legislation that aims to improve the digital resilience of financial companies and institutions. Cyberattacks and system failures greatly hinder a financial institution's ability to operate and protect sensitive data. DORA aims to mitigate these issues and prepare organizations with the procedures they need to rebound quickly if a cybersecurity incident occurs.
The new law was introduced in the EU in January 2025 and affects not just financial entities but also their third-party service providers (yes, even ones not in the EU!). So it's actually very likely that DORA affects you too, at least as a second-order consequence.
What's in DORA That You Should Care About?
First Off, It Requires Action From Your End
What actions are those, exactly? Glad you asked. Under DORA, you'll need faster incident reporting and response plans; you must audit all of your vendors and partners (even those not in the EU) to ensure they are compliant; and you'll have to meet a higher bar for identity governance and administration (IGA) policies.
1. Enhanced Transparency into Third-party Risk
The EU loves to create legislation that doesn't just affect its member states, but their entire networks as well—and DORA is no exception. Third-party vendors and partners will need to be more heavily scrutinized to ensure that they are also remaining compliant. This includes:
- Evaluating and understanding which vendors are most important to your operations.
- Reviewing their cybersecurity infrastructure and business resilience plans.
- Ensuring each vendor meets the same standards the law requires of you.
2. Fast Incident Reporting and Response Plans are Required
DORA has very stringent requirements on quick and accurate incident reporting, so that you know the who, what, where, when, why, and how of each and every cyber incident. In the event of a post-incident audit, you should be able to answer detailed questions that regulators may ask, such as "What does your incident response plan look like? Were access privileges misused? Can you verify the event timeline? Who accessed the data and how?" An automated identity governance program lets you answer these questions quickly and without headache.
Reportable incidents include any ICT event that impacts the confidentiality, integrity, or availability of data, or that has a material impact on operations or critical services and functions. Companies and institutions are also required to classify the severity of each incident using predefined criteria in order to execute the proper response plan.
3. DORA Raises the Bar for Access Management and Identity Governance
Lastly, DORA requires strong internal ICT security practices. When it comes to identity governance specifically, every identity should access only the systems it needs and nothing more. DORA builds on least-privilege principles: all financial organizations must limit, monitor, and review privileged accounts, because they pose the most significant threat if compromised. Automated identity governance workflows have therefore never been more essential.
Why Should European Companies Care?
DORA may change how you do business, or indeed who you do business with. But let's wade a little deeper to highlight exactly why you should care.
There are Hefty Penalties for Non-Compliance (Plus Board/Executive Accountability)
If you're involved in the financial sector in any capacity, compliance is mandatory. Noncompliance comes with a slew of penalties based on the severity of the violation, including fines and even operational restrictions, not to mention intangible consequences like reputational damage and lost trust — which actually might be the most costly consequence of all.
Monetary penalties include:
- For institutions: Fines of up to 2% of total annual worldwide turnover or 1% of average daily worldwide turnover.
- For individuals: Up to €1,000,000 in fines.
- For third-party ICT providers: Up to €5,000,000 for organizations or €500,000 for individuals.
Administrative penalties, which are reserved for serious or repeat offenders, include:
- Suspension or revocation of operational licenses.
- Mandatory implementation of enhanced, compliant security measures at the business' expense.
Plus, under DORA, IT teams are not alone — boardrooms and executives can be held accountable and thus must also be aligned with ICT risk management strategies. Personal, board-level accountability measures include:
- Criminal charges for gross negligence — this is a big one! Just wondering: Do your senior executives and board members know…?
- Imprisonment (!) in the rare instance of willful and intentional non-compliance that leads to systemic instability.
It Provides Operational Stability
Having safety nets and processes, such as a platform or team dedicated to managing cybersecurity, is now the law in the EU, and it will help you recover quickly from a cyber incident. It also helps you maintain operations in the face of outages, infrastructure failures, data corruption, and so on. Reducing downtime is especially critical for financial institutions that want to stay in the good graces of their customers and not lose out to competitors who actually make the effort to stay compliant.
Don't You Want to Maintain a Competitive Advantage?
You're always looking to stay one step ahead, right (nod yes even if it's not true)? Well, now is your time to shine. You have the opportunity to use compliance as a PR boon to market your newfound differentiator. Get ahead of the curve by showing your ability to adapt to new legislation (and remain stronger and more secure as a result).
You may deal with euros, pounds, and dollars each day, but don't forget that trust is also a currency, and one that can be depleted very quickly. Vendors and partners may be quick to switch to more trustworthy options if you can't or won't comply.
It Forces Transparency in Third-party Risks
Chances are you rely on some form of external services. DORA has the potential to seriously complicate your vendor relationships: if your vendors aren't compliant, you can't legally use them anymore. Between affected suppliers and reworded contractual agreements, there's a chance you may have to form new vendor relationships if you want to avoid costly fines and the loss of revenue that comes with being unable to carry on business as usual.
At the very least, you'll need to audit each of your vendors to ensure compliance and it may lead to restructuring.
Future-proofing Against Broader Regulatory Pressures is Smart
DORA isn't the first piece of cybersecurity legislation, and it surely won't be the last. It's just one link in a long chain of ever-evolving compliance requirements. But the fact of the matter is that other countries and other industries are also adopting similar security legislation, so even if you aren't directly affected by DORA at the moment, it's still smart to implement measures and future-proof yourself against other, more sweeping regulations.
Why Should Non-European Companies Care?
You're not even in the EU, so you won't be affected, right? Wrong! Unfortunately for you, if you work with a financial entity within the EU, you are compelled to comply. Here's why:
You Don't Want to Get Dropped by Clients
If you provide any form of IT, cloud, or other digital services to an EU financial entity, you can bet that they will be auditing your practices to ensure DORA compliance. They need full visibility into every cyber risk and thus must know any risk you pose. If you don't want to get dropped by your EU clients, you'll have to comply.
It Aligns with Global Regulatory Trends
As we covered previously, DORA and other legislation are emblematic of a global trend toward reinforcing critical sectors that are reliant on digital tools. Complying with DORA is just the first step toward maintaining an efficient business and sets you up for an easy transition once your country inevitably passes its own similar legislation.
Here are some steps you can start taking to avoid hefty fines and penalties.
1. Establish Governance & Accountability
- Assign executive-level responsibility for ICT risk and DORA compliance (board, CISO, compliance officer).
- Update internal policies and governance frameworks to include DORA requirements.
- Ensure cross-departmental coordination (IT, risk, legal, compliance, procurement).
2. Strengthen ICT Risk Management
- Conduct a comprehensive ICT risk assessment (systems, data, processes).
- Define and apply risk-based controls (e.g., network segmentation, backup policies).
- Implement continuous monitoring of ICT risks and vulnerabilities.
3. Implement Robust Access & Identity Controls
- Apply role-based access controls (RBAC) and least-privilege principles.
- Enforce privileged access management (PAM) and track elevated permissions.
- Automate access reviews and certification to ensure entitlements remain appropriate.
4. Build Incident Reporting Procedures
- Define what constitutes a major ICT incident under DORA.
- Set up incident response playbooks covering classification, escalation, and notification.
- Prepare to meet 4-hour, 3-day, and 1-month reporting deadlines.
- Implement systems to log, track, and analyze security events and access anomalies.
5. Harden Third-Party Risk Management
- Create or update a third-party inventory (especially ICT providers).
- Review contracts to include DORA-aligned clauses (e.g., audit rights, incident disclosure, cooperation obligations).
- Evaluate third-party cybersecurity posture and require regular performance reviews. Side note: This is how the entire DORA thing trickles down!
- Develop exit strategies for critical vendors to reduce concentration risks.
6. Prepare for Resilience Testing
- Conduct threat-led penetration testing or advanced simulation exercises on critical functions.
- Test backup, recovery, and continuity plans.
- Document lessons learned and integrate them into risk mitigation strategies.
7. Enhance Documentation & Audit Readiness
- Maintain an ICT incident register with clear records of past events.
- Ensure detailed documentation of policies, processes, controls, and risk assessments.
- Prepare internal audit teams for DORA-specific supervisory reviews.
8. Invest in Continuous Compliance & Improvement
- Deploy tools for automated compliance monitoring and reporting.
- Train staff on DORA requirements and operational resilience principles.
- Establish a feedback loop to regularly improve controls, processes, and governance.
Make Compliance a Cakewalk
Compliance isn't a one-time project; it's an ongoing process. Cakewalk is the new standard in identity governance, designed to get you up to speed on DORA and other cybersecurity requirements.
We consolidate all access, apps and AI agents, fully automate workflows, and get guidance based on insights—enabling your teams while reducing your attack surface.
To learn more, get in touch today.