DORA (Digital Operational Resilience Act)

DORA (Digital Operational Resilience Act)

DORA (Digital Operational Resilience Act)2024-06-19T11:04:06+02:00


What is DORA?

DORA (Digital Operational Resilience Act) is the new EU regulation aimed at strengthening the financial sector’s resilience against digital risks and cyber threats. This regulation has been applied since January 16, 2023, and covers a range of financial actors such as banks, insurance companies, and other financial service providers with so-called critical information and communication technology services (ICT services). DORA is expected to be fully implemented by 2025.

DORA includes measures for crypto-asset markets, distributed database technology, and changes in financial service regulations. The focus is on managing ICT-related risks and enhancing operational resilience. Previous measures following the 2008 financial crisis strengthened financial resilience but ignored ICT risks. DORA aims to ensure a uniform framework for digital resilience, including testing ICT systems and increasing awareness among supervisory authorities.

Society as a whole will benefit from the increased confidence in the financial sector that DORA is likely to bring.

How can Lemontree help you with DORA?

Lemontree is a reliable partner offering comprehensive consulting expertise in a range of areas. We have solid regulatory competence and experienced business consultants, change leaders, test managers, and technical testing and quality assurance professionals with 20 years of experience. We have experience with similar regulatory rollouts such as GDPR and are happy to assist you in getting started with the implementation of DORA. The new regulation stipulates several requirements for testers, among others. We meet these requirements and can ensure a successful implementation of DORA for you.

  • Expertise: Lemontree has certified DORA experts who can help clients understand and implement the regulation.
  • Comprehensive Solutions: Lemontree offers a full range of services, from risk assessments and gap analyses to implementation support, testing, and education.
  • Tailored Solutions: Lemontree customizes its services according to each client’s specific needs and conditions.
  • Experience: Lemontree has extensive experience with similar regulations (such as GDPR) and a deep understanding of the financial sector’s challenges.

The scope of DORA

DORA has a comprehensive scope and regulates various aspects of digital security and resilience. It regulates the following:

ICT Risk Management Capability

The regulation introduces stricter requirements regarding ICT risk management capability. However, exceptions exist where micro-enterprises or other financial entities, depending on their size and risk profile, can have a simplified ICT risk management framework.

Incident Reporting

To enable financial entities to maintain full control over ICT risk, they must, in addition to having overall capabilities that enable robust and effective ICT risk management, have specific mechanisms and guidelines to handle all ICT-related incidents and report major ICT-related incidents.


DORA includes provisions for conducting appropriate tests, such as vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where possible, scenario-based testing, compatibility testing, performance testing, end-to-end testing, and penetration testing.

Management of ICT Third-Party Risks

DORA applies to all critical third-party providers of ICT services, including cloud service providers offering ICT services to financial entities. Since third-party ICT service providers often deliver standardized services to various types of customers, such contractual arrangements may not always meet the individual or specific needs of financial sector entities.

Therefore, it is necessary to establish certain key principles to guide financial entities’ management of ICT third-party risks, which are especially important when financial entities use third-party ICT service providers to support critical or important functions. These principles should be accompanied by a set of fundamental contractual rights regarding several aspects of the performance and termination of contractual arrangements to provide certain minimum safeguards to enhance financial entities’ ability to effectively monitor all ICT risks arising at the third-party service provider level.

Collaboration and Information Sharing Among Actors

As ICT risks become increasingly complex and sophisticated, effective measures to detect and prevent ICT risk will largely depend on the regular exchange of threat and vulnerability intelligence between financial entities. Information sharing contributes to increased awareness of cyber threats.

Under certain circumstances, financial entities may exchange information and intelligence on cyber threats, including indicators of compromised security, tactics, techniques and procedures, cybersecurity alerts, and configuration tools.

Who is affected by DORA?

  • Credit Institutions

  • Payment Institutions

  • Providers of Account Information Services

  • Electronic Money Institutions

  • Securities Firms

  • Providers of Crypto Asset Services

  • Central Securities Depositories

  • Central Counterparties

  • Trading Platforms

  • Transaction Registers

  • Managers of Alternative Investment Funds

  • Management Companies

  • Providers of Data Reporting Services

  • Insurance and Reinsurance Companies

  • Insurance brokers, reinsurance brokers, and insurance intermediaries conducting intermediary activities as ancillary activities

  • Service Pension Institutions

  • Credit Rating Agencies

  • Administrators of Critical Benchmarks

  • Providers of Crowdfunding Services

  • Securitization Registries

  • Third-Party Providers of ICT Services

Konsultchef Test/QA

Ludwig Östlund

Ludwig har arbetat med testautomatisering i komplexa projekt sedan 2012. Idag är han chef över TestOps-teamet på Lemontree och driver därtill kompetensområdet för kvalitetssäkring och testautomatisering. Ludwig utbildar även frekvent i testmetodik och blev 2021 utsedd till topp tre årets kulturbärare av Great Place to Work i hela Sverige. | +46 (0) 700 651 667 | LinkedIn

Frequently Asked Questions about DORA (Digital Operational Resilience Act)

Here you will find answers to the most common questions we receive from our customers. We have compiled information and solutions on various topics and issues that may arise. Whether it’s technical questions, product information, or general inquiries, we are here to assist you.

Can’t find an answer to your question?
What are ICT services according to DORA?2024-06-18T14:49:22+02:00

They are digital services and data services continuously provided through ICT systems to one or more internal or external users, including hardware as a service and hardware services that involve providing technical support through software or firmware updates from the hardware provider, excluding traditional analog telephone services.

How is a critical or important function defined according to DORA?2024-06-18T14:47:53+02:00

It is a function whose interruption would significantly impair the financial entity’s financial performance or soundness, or the continuity of its services and operations. Additionally, if the cessation, deficiencies, or failures of the function would materially impair a financial entity’s continued compliance with the terms and obligations of its authorization or its other obligations under applicable law regarding financial services.

What is threat-driven penetration testing according to DORA?2024-06-18T14:46:33+02:00

It is defined as a framework that mimics the tactics, techniques, and procedures used by real hostile actors perceived as genuine cyber threats. It provides a controlled, tailored, intelligence-driven (Red Team) test of critical production systems in operation at the financial entity.

Contact us for consultation or questions regarding DORA

Do you have questions or need assistance with implementing the new financial regulations from the EU? Feel free to reach out to us. Fill out the form and we will get back to you shortly. We are here to help you take the next step in your digital development.