BebcoIT Solutions
Compliance

DORA: what EU financial firms must prepare for

The Digital Operational Resilience Act turns IT resilience into a regulatory obligation for EU financial entities. What it covers, who is in scope, and the practical work it demands.

Written by

Eleanor Voss

Governance & Compliance Lead

17 June 20268 min read

The Digital Operational Resilience Act is the European Union's answer to a simple observation: financial firms now depend on technology so completely that an IT failure is a threat to the firm and, at scale, to the financial system itself. DORA takes practices that used to be internal good hygiene and makes them supervised obligations with real teeth.

If you are an EU financial entity, or you supply technology to one, this affects you. Here is what the regulation asks for, framed as work you can actually plan rather than legal text you have to decode.

Who is in scope

DORA applies broadly across the financial sector: banks, investment firms, asset managers, insurers, payment and e-money institutions, crypto-asset service providers, and more. It also reaches critical third-party technology providers, who can be designated and supervised directly. The principle of proportionality applies, so a small firm is not held to the same intensity as a systemic bank, but the core expectations apply to everyone in scope.

If you provide managed IT, cloud, or security services to an in-scope firm, expect that firm to pass DORA obligations down to you through contracts, audit rights, and resilience requirements. This is already reshaping supplier agreements across the sector.

The five pillars

DORA is usually described in terms of five areas of obligation. Reading them as a to-do list is the fastest way to understand what compliance actually involves.

  • ICT risk management: a documented framework for identifying, protecting against, detecting, and recovering from technology risk, owned and overseen by the management body.
  • Incident reporting: classify ICT-related incidents against defined thresholds and report major ones to your regulator within set timeframes, using a harmonised format.
  • Digital operational resilience testing: test your resilience regularly, ranging from vulnerability assessments to, for the largest firms, threat-led penetration testing.
  • Third-party risk management: maintain a register of all ICT third-party arrangements, assess concentration risk, and hold contracts that meet DORA's minimum terms.
  • Information sharing: firms are encouraged to share cyber threat intelligence with each other to raise the sector's collective resilience.

What this means in practice

The single biggest shift is from documented intent to tested evidence. It is no longer enough to have a backup policy; you need a measured recovery time from an exercise you actually ran. It is no longer enough to trust your cloud provider; you need a register, a concentration-risk view, and contractual audit rights.

The most common gaps we see are untested recovery, an incomplete or missing third-party register, and incident processes that were never mapped to the regulatory reporting thresholds. Each is straightforward to close with focused work, but each takes time, which is why starting now matters.

A sensible order of work

Begin by mapping your critical business services and setting recovery objectives for each, because everything else hangs off knowing what must come back and how quickly. Build or complete your third-party register next, since it is often the most time-consuming to assemble. Then run a real recovery test so your objectives are evidenced rather than assumed, and align your incident classification to the reporting thresholds so a major incident does not become a compliance failure on top of an operational one.

Bebco helps EU financial firms turn DORA from a compliance headache into resilience they can demonstrate to a supervisor. If that is on your horizon, the earlier the conversation, the calmer the deadline.

Let's pressure-test your IT

Book a free, no-obligation assessment. We'll review your infrastructure, flag the risks, and show you exactly where Bebco would make a difference.