Your Guide to Understanding DORA


This blog looks at the who, what, when, why, and how behind this new piece of EU legislation.

The Digital Operational Resilience Act will come into effect on 17 January 2025. With just under a year to go, now is the perfect time to get your house in order. If you don’t, you risk facing embarrassing repercussions, financial penalties or criminal sanctions. 

However, when it comes to new legislative changes, it can be difficult to know where to start. A recent survey conducted by Stryve found that 8 in 10 people do not understand their responsibility under DORA. 

That’s why we asked our CISO and DORA Certified Compliance Specialist, Paul Delahunty, to sit down and explain what exactly this new EU legislative change will entail.  

What is DORA?

DORA is the primary regulatory initiative by the EU to coordinate ICT risk requirements throughout Europe. DORA is all about resilience and mitigating reasonably identifiable risks. How resilient is your organisation to a cyber breach? What measures are in place to respond to and recover from cyber-attacks?

Who is Affected by DORA?

The legislation is aimed at the financial sector and its critical ICT providers. It places responsibility for compliance with the Act on the leadership. Therefore, members of the C-Suite and management teams are personally responsible. We expect to see heavy penalties applied throughout 2025.

When will DORA Apply?

DORA has been in force since January 2023. It will be in effect from January 17th, 2025, which is when financial penalties will begin.

Why is DORA Being Implemented?

The Act provides a comprehensive framework for ICT risk management to mitigate the risk of a liquidity issue arising in Europe. 

How Will DORA Work?

DORA takes a risk-based approach, balancing technical and processing controls through assessment, validation, monitoring and management.

What are the Five Pillars of DORA?

  1. Risk Management – Business Continuity and Disaster Recovery plans are a must;  
  2. Incident Reporting – Cybersecurity and reporting processes are a requirement;  
  3. Digital Operational Resiliency Testing – Must be done annually, including remediation plans; 
  4. ICT Third-Party Risk – ICT third parties are subject to EU oversight;  
  5. Information & Intelligence Sharing – Encouragement to share threat information and intelligence.  

What Should You Do Next?

Attendees at our recent webinar should take the steps outlined in their complimentary roadmap. Most companies will need to speak with a security expert, like Paul, and develop a comprehensive plan to ensure they are meeting their legal requirements.  

Get in touch with the teams at Stryve and Sleepless today to learn more:   

