Diritto al Digitale

DORA is Applicable: Act Now to Avoid Non-Compliance Risks

DLA Piper

The Digital Operational Resilience Act (DORA) is officially in force as of January 17, 2025, bringing strict new cybersecurity requirements for financial institutions across the EU. Are you ready?

In this episode of Diritto al Digitale, Giulio Coraggio, technology and data lawyer at DLA Piper, breaks down:

  • Who must comply with DORA – from banks to crypto service providers and ICT suppliers.
  • Key obligations – governance, risk management, incident reporting, and third-party oversight.
  • Urgent steps to take to avoid regulatory penalties and strengthen cyber resilience.

With compliance deadlines expired, financial entities and ICT providers must act now to close gaps and meet the new security standards.  

Read an infographic on the main obligations provided by DORA HERE


📌 You can find our contacts 👉 www.dlapiper.com

As of January 17, 2025, the Digital Operational Resilience Act (DORA) is officially applicable across the European Union. This landmark regulation is set to redefine cybersecurity and operational resilience standards for the financial sector, impacting banks, insurance companies, crypto-asset service providers, and critical ICT suppliers.

DORA is more than just another compliance requirement—it’s a fundamental shift in how financial entities must prepare for, respond to, and recover from cyber threats. With the deadline now passed, businesses that fail to comply risk severe penalties and increased scrutiny.

The financial sector has undergone a rapid digital transformation, but with that growth comes increasing exposure to sophisticated cyber threats. Until now, cybersecurity requirements were scattered across various EU directives and national laws, creating inconsistencies and gaps in protection.

DORA was introduced to harmonize and strengthen cybersecurity resilience across the EU, ensuring that financial institutions and their service providers have the technical and organizational measures to withstand cyber incidents and disruptions.

DORA’s scope is broad, covering both traditional financial entities and new digital market players, including:

  • Banks, insurance companies, and investment firms
  • Crypto-asset service providers
  • Critical ICT service providers, including cloud platforms and cybersecurity vendors
  • Third-party providers offering essential ICT services to financial institutions

If your business falls within these categories, compliance is no longer optional—it’s mandatory.

DORA introduces a structured approach to cyber resilience through three fundamental pillars:

1. Governance and Internal Organization

  • Financial entities must establish a strong governance framework for managing ICT risks.
  • The management body is directly responsible for ensuring operational resilience and must define clear cybersecurity roles within the organization.

2. Risk Management

  • Companies must implement comprehensive risk management systems to detect, prevent, and mitigate cyber threats.
  • This includes resilient ICT infrastructures, real-time threat monitoring, and robust security controls.

3. Incident Management and Reporting

  • Businesses must have disaster recovery and business continuity plans in place.
  • Cyber incidents must be detected, classified, and reported to the relevant authorities in a timely manner.

The Critical Role of Third-Party Providers

One of DORA’s most disruptive changes is its direct impact on third-party ICT providers. Financial institutions increasingly rely on cloud services, cybersecurity tools, and outsourced IT functions, creating systemic risks.

DORA introduces:

  • EU-wide supervision for critical ICT service providers.
  • Stricter contractual requirements for financial institutions using external ICT vendors.
  • Increased accountability for ICT providers, who must meet DORA’s operational resilience standards.

Immediate Steps to Ensure Compliance

With DORA now applicable, financial entities must act immediately to avoid non-compliance risks. Here are three critical actions:

1️⃣ Conduct a Gap Analysis – Evaluate your ICT risk management framework and identify areas that need improvement to meet DORA’s standards.
2️⃣ Strengthen Incident Reporting Protocols – Ensure your organization has the right processes in place to detect, classify, and report cyber incidents.
3️⃣ Assess and Update Contracts with ICT Providers – Identify critical suppliers, assess their compliance with DORA, and renegotiate agreements to align with the regulation’s requirements.

DORA is just the beginning. Many organizations will need to align its requirements with NIS2, the Cyber Resilience Act, and national cybersecurity regulations. In addition, European Supervisory Authorities (ESMA, EBA, and EIOPA) are finalizing technical standards, which will further shape how companies must implement DORA.

The clock is ticking. Financial institutions and ICT service providers that haven’t yet taken action must prioritize compliance immediately to avoid potential regulatory penalties and operational risks.

DORA is more than just a regulatory hurdle—it’s a game-changer for financial cybersecurity. Businesses that embrace these changes proactively will not only stay compliant but also build a more resilient and trustworthy digital financial ecosystem.

Is your organization ready for DORA? The time to act is now.
