Impacts and applications
1. Introduction to DORA
The Digital Operational Resilience Act (DORA) is a European regulation that aims to strengthen the digital operational resilience of financial institutions. It was approved in December 2022 and came into force on January 17, 2025.
DORA applies to a wide range of financial institutions, including banks, insurance companies, investment firms, stock exchanges, and ICT (Information and Communication Technologies) service providers. Its purpose is to ensure that these entities can withstand, respond to, and recover from cyber incidents and technological failures.
Institutions exempted from the scope of the regulation
The Regulation establishes a robust set of requirements to strengthen the digital operational resilience of the financial sector; however, some entities are fully or partially exempted to ensure proportionality and avoid unnecessary regulatory burden. Small institutions, micro-enterprises, and entities with reduced systemic impact may struggle to afford the costs and complexities of full DORA compliance.
Some institutions are already subject to other European Union regulations that deal with similar aspects, making their complete inclusion in the scope of DORA redundant. Thus, to balance protection of the financial system and regulatory feasibility, the regulation provides for exemptions and simplified regimes, ensuring that digital resilience is required in a way that is proportionate to the risk of each entity.
2. The 5 Pillars of DORA
The Digital Operational Resilience Act (DORA) establishes a set of rules to ensure that financial institutions are able to withstand and recover from digital incidents. To do this, it is based on five fundamental pillars, which detail the main requirements for digital security and resilience.
1. ICT (Information and Communication Technology) Risk Management
This pillar requires financial institutions to implement a structured process for managing technology risks, ensuring that their systems are secure and reliable. This includes identifying threats, monitoring vulnerabilities, and defining risk mitigation strategies.
Main requirements:
- Map and document critical digital assets (systems, servers, networks, software).
- Create a well-defined incident response plan.
- Establish robust security policies, including encryption, multi-factor authentication, and backups.
- Ensure operational resilience, with redundancies and disaster recovery systems.
2. Incident Reporting
DORA requires financial institutions to quickly notify regulators of relevant cyber incidents so that mitigation measures can be taken. This reduces impacts and improves the financial sector’s response to digital attacks.
Main requirements:
- Create an internal incident detection and notification process.
- Report critical incidents to law enforcement within 24 hours of initial detection.
- Provide a detailed report within 72 hours, explaining the impact and actions taken.
- Share threat intelligence with other financial institutions to prevent similar attacks.
3. Digital Resilience Testing
To ensure that financial institutions are prepared to face attacks and failures, DORA requires them to conduct periodic tests to assess the security of their systems.
Main requirements:
- Conduct penetration tests (pentests) to simulate hacker attacks and find vulnerabilities.
- Conduct incident response exercises, simulating real attack scenarios.
- Regularly test business continuity and disaster recovery plans.
- Large companies must undergo tests conducted by external experts.
4. Third-Party Risk Management (ICT Providers)
Many financial institutions rely on technology vendors, such as cloud providers, data centers, and software companies. DORA imposes strict rules to evaluate and monitor these partners, reducing the risk that a third-party failure will affect the company.
Main requirements:
- Create a policy for evaluating and monitoring critical suppliers.
- Require contracts that ensure transparency and security measures.
- Continuously monitor the resilience of ICT vendors.
- Regulators will be able to supervise suppliers considered critical to the financial sector.
5. Threat Information Sharing
DORA encourages financial institutions to exchange information on cyber threats to improve the security of the entire industry. This allows companies to act preventively against new attacks.
Main requirements:
- Create internal mechanisms to collect and analyze information about cyberattacks.
- Participate in collaborative networks to share emerging threats.
- Adopt industry best practices based on incidents reported by other institutions.
3. Comparison with Other Regulations
DORA stands out for its specific focus on the digital operational resilience of the financial sector. Unlike ISO 27001 and NIST CSF, which provide general information security guidelines applicable to various industries, DORA imposes mandatory regulatory requirements for financial institutions within the European Union. This brings it closer to NIS2, which also establishes cybersecurity standards, but with a broader scope for critical infrastructures beyond the financial sector.
Another differentiator is the rigorous treatment of third-party risk management, requiring European financial institutions to constantly monitor and audit their ICT providers.
4. Practical Implementation of DORA
Implementing the Digital Operational Resilience Act (DORA) may seem complex, but let’s simplify each step so that it’s clear and easy to understand. Here are the practical actions that financial institutions should take:
1. Map Digital Assets and Critical Risks
Identify and document all critical systems, servers, networks, and software that the institution uses.
Knowing exactly what your critical digital assets are helps you better protect these assets from threats.
A BIA (Business Impact Analysis) is a sound way to approach this step. Once the Value Chain is defined, identify which assets are most relevant to supporting the most critical business processes, and detail the function of each one, the possible impacts of its loss, and the maximum tolerable time to recover the environment together with its interdependencies.
In this way, you will have documented which assets are the most critical for your operation, giving you more clarity on where to allocate effort to maintain operational resilience.
2. Develop a DORA-Aligned Incident Response Plan
A plan that defines how the institution should react to cyber incidents, such as hacker attacks or technological failures.
Having a clear and well-defined plan ensures a quick and effective response, minimizing damage.
This plan can follow good practices from NIST 800-61 or SANS Incident Response. Both are good frameworks; however, SANS details each step separately, namely:
- Preparation – Definition of team, tools and procedures.
- Identification – Discovery and categorization of the incident.
- Containment – Immediate action to limit damage.
- Eradication – Threat elimination and impact verification.
- Recovery – Restoration of services and monitoring.
- Lessons Learned – Post-incident review for continuous improvement.
Automated tools help make the response process more agile.
3. Conduct Regular Security and Continuity Testing
Periodic tests to assess the security of the systems and the ability to recover in case of failures.
Ensure that systems are protected and that the institution can recover quickly from incidents.
4. Establish a Robust Third-Party Monitoring Program
Continuously assess and monitor technology vendors, such as cloud providers and data centers.
Reduce the risk that a vendor failure will affect the institution.
One practice is to use providers that hold information security certifications audited by an independent third party.
5. Promote Security Culture and Threat Intelligence Sharing
Encourage the exchange of information on cyber threats between financial institutions.
Improve the security of the entire financial industry by sharing information about new threats.
5. Impact on the Brazilian Market
The Digital Operational Resilience Act (DORA) is a European regulation that aims to strengthen the digital operational resilience of financial institutions. Although it is a European legislation, DORA can have significant impacts on the Brazilian market.
· Adaptation of DORA Requirements to the National Regulatory Reality
In Brazil, financial institutions need to evaluate how these requirements can be applied in the national regulatory context. This is important because many of these institutions operate globally or have partnerships with European companies, which requires compliance with international standards.
To adapt DORA requirements to the Brazilian reality, institutions must analyze local regulations, such as the General Data Protection Law (LGPD), and compare them with DORA requirements. From this analysis, it is possible to adjust internal policies and procedures to meet both local and international requirements, ensuring an integrated and efficient approach to digital security.
· Interaction with Resolution 4,893/2021 of the Central Bank
Resolution 4,893/2021 of the Central Bank of Brazil establishes guidelines for the cybersecurity and operational resilience of financial institutions in the country.
To ensure compliance with both regulations, Brazilian financial institutions must compare the requirements of Resolution 4,893/2021 with those of DORA. Identifying areas of overlap and differences is crucial to adjusting cybersecurity practices in a way that meets both regulations. This strengthens security and trust in the financial sector, both in Brazil and internationally.
· Impact on ICT Supplier Management in Brazil
Many financial institutions rely on information and communications technology (ICT) providers for their operations. DORA imposes strict rules for the evaluation and monitoring of these vendors, reducing the risk that a vendor failure will affect the institution.
In Brazil, financial institutions must create ICT vendor assessment and monitoring policies aligned with the European regulation. Although this is not a national requirement, requiring these vendors to meet the security requirements set by DORA can increase resilience in the sector.
· DORA’s Impact on the Brazilian Cyber Insurance Market
Implementation Challenges from a Cyber Insurance Perspective: The implementation of DORA can present challenges, especially in adapting contractual clauses and negotiating with ICT service providers. Companies need to ensure that their suppliers are also compliant with the new regulations, which may require significant adjustments to contracts and operational processes.
The cyber insurance market in Brazil has grown significantly, driven by the increasing sophistication of cyberattacks and the complexity of digital infrastructures. The Superintendence of Private Insurance (Susep) has played a crucial role in regulating and supervising this market, ensuring that companies adopt robust cybersecurity measures.
Cyber insurance in Brazil offers a wide range of coverages, from ransom payments and remediation of malware attacks to legal expenses and third-party damages. However, these policies also face challenges related to exclusions and disputes that may arise, especially in relation to silent cyber risks. The demand for cyber insurance is driven by the need to protect companies’ operations and reputation, as well as to comply with regulations such as the General Data Protection Law (LGPD). These policies are essential to ensure business continuity, mitigating the financial impacts of cyberattacks and supporting the rapid recovery of compromised systems and data.
* Susep Circular No. 637, of July 27, 2021, was a regulatory framework that expressly defined the consequences for claims arising from cyber events, classifying comprehensive cyber risk civil liability insurance as a specific line within the group of liabilities.
This regulatory evolution has been essential to adapt insurance policies to the particularities of cyber risks.
About the Author
“This article was written and developed by the Brazilian CISOs who were awarded at the CDM Awards in 2025. This group has a high impact on shaping cybersecurity strategies in Brazil, representing some of the largest companies in Latin America.”
CISOS Brazil
Ronaldo Andrade
Eduardo Vasconcelos
João Passos
Longinus Timochenco
Pedro Nuno
Fabiana Tanaka
Renato Lima
William Telles
Paulo Bandin
Claudiano J. Da Silva