Navigating the digital frontier

The European Union’s financial sector stands at a pivotal juncture. As cyber threats become increasingly sophisticated, discover how the implementation of the Digital Operational Resilience Act (DORA) marks a significant shift towards a more resilient and secure financial ecosystem


The Digital Operational Resilience Act (DORA) is a landmark European regulation that aims to strengthen the digital infrastructure of financial entities, ensuring they can withstand and recover from information and communication technology (ICT) disruptions. DORA introduces a uniform ICT risk management framework across the EU. However, given that many firms still have fragmented systems, legacy infrastructure, and inconsistent risk practices, aligning existing risk management frameworks to DORA’s demands will require overhauling governance, technical controls, and reporting, especially for firms operating in multiple jurisdictions. DORA also makes financial entities directly accountable for the ICT risks posed by third-party vendors, such as cloud service providers or data processors.

Because of this, these companies will require far more rigorous vendor contracts, monitoring, and exit strategies. It is important to highlight that some large vendors, especially US-based cloud providers, may not easily align with DORA’s EU-centric standards.

As a leading European brokerage firm that provides its clients with access to over 128,000 financial instruments, including stocks, bonds, futures, options, mutual funds and forex, Just2Trade is at the forefront of implementing the rigorous requirements of DORA in its business model and aligning DORA with existing regulations such as the General Data Protection Regulation (GDPR) and European Banking Authority (EBA) guidelines, along with other sector-specific cyber standards.

The five pillars of DORA
DORA became an official regulation on January 16, 2023, but did not come into full effect until January 17, 2025 following a two-year implementation period, during which time financial entities were expected to align their operations with the new requirements.

The regulation is enforced by the three European Supervisory Authorities (ESAs): the EBA, the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), which are responsible for developing Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that provide detailed guidance on DORA’s provisions. While some standards are already in force, others are pending adoption, so financial entities must engage proactively to stay abreast of regulatory developments. As a regulatory framework, DORA is designed to enhance the digital operational resilience of the EU financial sector, and it has five key pillars that capture what it aims to accomplish and the kind of strong, healthy business environment it wants to support. Its primary objective is to ensure that financial entities can maintain critical operations during severe ICT disruptions, thereby safeguarding the stability of the financial system.

As risk management is a cornerstone of the mandate, financial entities are required to establish robust ICT risk management frameworks. This includes implementing comprehensive policies for identifying, assessing, and mitigating ICT risks, ensuring that systems are secure, up-to-date, and capable of withstanding cyber threats. DORA also mandates standardised procedures for reporting major ICT-related incidents, requiring organisations to classify incidents based on severity and report them to relevant authorities within specified timeframes, which allows for prompt responses and systemic risk assessments.

DORA highlights the importance of regular digital operational resilience testing, which is compulsory for most investment firms. This involves a variety of tests, including scenario-based tabletop testing, vulnerability assessments, open-source analyses, performance testing and, for entities deemed systemically important, threat-led penetration testing (TLPT), to ensure preparedness against potential cyberattacks.

Given the heavy reliance on third-party ICT service providers, DORA imposes stringent requirements for managing these relationships. Financial entities must conduct proper due diligence, maintain detailed records of contractual arrangements, and ensure that critical service providers comply with resilience standards. The final pillar encourages voluntary information sharing among financial entities regarding cyber threats and vulnerabilities, enhancing sector-wide awareness and response capabilities.

DORA has a comprehensive scope encompassing a wide array of financial entities, including: credit, payment, and electronic money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, central securities depositories, trading venues, and crowdfunding service providers. Additionally, DORA extends to ICT third-party service providers, particularly those deemed critical to the operations of financial entities. These providers will be subject to an oversight framework established by the ESAs, ensuring their compliance with resilience standards.

Implementation challenges
Implementing DORA to ensure compliance and resilience presents several challenges for financial entities, not least the need to carry out extensive reviews of their current ICT infrastructures to identify vulnerabilities and implement robust risk management frameworks. This will also mean updating information security policies and establishing business continuity plans to ensure that ICT systems are resilient against emerging cyber threats. To comply with DORA’s incident reporting requirements, financial entities will need to develop and maintain standardised procedures to detect, classify, and report ICT-related incidents quickly and accurately. This demands investment in monitoring tools and comprehensive staff training, which can strain resources and operational capacity.

Under DORA, regular testing of operational resilience is essential to assess preparedness against cyberattacks and operational disruptions, with any identified weaknesses addressed through targeted remediation efforts, which can themselves be operationally disruptive. While DORA promotes collaboration, building a culture of open information sharing can be difficult, as some institutions may be hesitant due to competitive concerns or fear of reputational damage, making it a challenge to create trust and transparency across the sector.

With the sector’s reliance on third-party ICT service providers, financial institutions need to apply stricter due diligence processes. This means that the legal and compliance teams play a pivotal role in navigating the new and complex regulatory landscape. They need to interpret regulatory requirements and ensure organisational alignment, draft and review contracts with ICT service providers to include DORA-mandated provisions, develop internal policies and procedures for incident reporting and risk management, and provide training and guidance to staff on compliance obligations.

Benefits to Just2Trade’s clients
Implementing DORA will result in a number of significant benefits for Just2Trade’s clients, specifically the ability to prepare for and manage potential IT incidents effectively, which translates to less downtime, fewer service disruptions, and smoother access to financial services for clients, even during technical or cyber crises. Additionally, the implementation of robust cybersecurity controls and regular testing will ensure clients benefit from better protection of personal and financial data against hacks, leaks and fraud.

Like all financial entities under DORA, Just2Trade must log and report major ICT-related incidents, including their impact and response, which will result in increased transparency on issues that could affect clients’ money, personal data, or digital services. Additionally, the application of stricter rules on how third-party tech partners and cyber risks are managed will make services more reliable and resilient, increasing client confidence when using Just2Trade’s trading platforms and investment tools.

Overall, implementing DORA reduces the systemic ICT risks which Just2Trade faces, resulting in a safer financial ecosystem for clients with fewer chances of industry-wide failures due to tech outages or cyberattacks. That is why Just2Trade has prioritised DORA compliance to safeguard its operations and maintain stakeholder trust. While the journey presents challenges, it also offers an opportunity to enhance digital resilience and foster a culture of security and preparedness.

By embracing DORA’s framework, the EU financial sector can stay better protected against growing cyber threats, ensuring stability and continuity in an increasingly digital world.