7 things you need to know about the Digital Operational Resilience Act 

The Digital Operational Resilience Act (DORA) is set to transform how the finance sector in the EU – and any business that wants access to it – protects against cyber threats such as cyberattacks, ransomware infections, data breaches, and more. The legislation, introduced by the European Commission, expects firms to mitigate any reasonably identifiable circumstances that could lead to an event that could compromise the digital operational security of the firm. Here are 7 things you need to know about the Digital Operational Resilience Act. 

1. DORA will impact financial firms and other businesses all over the world

DORA’s impact won’t just be contained to financial institutions in the EU. The comprehensive legislation will have wide-reaching global significance primarily for two reasons. First is that it impacts any financial institution or third-party software organization that needs to access the EU market, in this case making it applicable to the USA, UK, Australia, and more. 

The second is that it sets a benchmark for organizations of all sizes in all sectors globally to look to improve their digital operational resilience and business continuity planning. Ultimately, any organization concerned by cyber threats should use DORA as a guidebook to improve its digital resilience. 

2. DORA could be enforced sooner than you think 

DORA is expected to be fully enforced by 2024, but this doesn’t mean affected firms shouldn’t start getting ready. DORA legislation is due to be formally announced as early as Autumn this year (2022). So, it’s vital for all impacted businesses to start preparing now. 

3. DORA will reduce business disruption and protect business continuity

The Digital Operational Resilience Act will reduce business disruption in a number of ways. It will mean businesses are properly equipped to mitigate any reasonably identifiable circumstances that could lead to an event that could compromise the digital operational security of the firm (for example – a cyberattack). Instances such as ransomware attacks and DDoS attacks are known to significantly disrupt business continuity, and DORA helps protect against these and safeguard sensitive data. 

DORA will also reduce business disruption and improve business continuity by creating smoother exit strategies. Now, unscrupulous ICT vendors can no longer leave old ‘not fit for purpose’ kit with financial organizations once their contracts are up, as DORA requires exit strategies to be put in place. 

4. Board members that don’t comply with DORA could face jail 

DORA puts the ‘final responsibility’ to ensure that measures, policies, tools, and protocols are enacted to mitigate cyber threats on a business’ management body (i.e. its boards and directors). If they fail to do this, they could face reputational damage, shareholder litigation, regulatory fines, and even criminal sanctions.

5. To comply with DORA, businesses need to protect against threats relating to email and domain security

According to CISCO, 90% of cyberattacks happen because of weak email security. So, strengthening email and domain protection will be a key consideration for financial entities preparing for DORA. Targeted phishing attacks such as Business Email Compromised (BEC) are extremely common forms of attack, often made successful by ‘domain spoofing’. The FBI has been warning of Business Email Compromise in its IC3 Internet Crime Report since 2015. So, financial entities can consider BEC a reasonably identifiable circumstance and in turn, should implement DMARC (among other measures), to mitigate it. 

DMARC configured at p=reject is a fundamental protection against this. DMARC protects an organization against phishing and BEC by making it impossible for a hacker to impersonate its domain (and brand) to send phishing emails and compromise sensitive data, money, systems, etc. DMARC is recognized by the National Institute of Standards and Technology (NIST), which in turn is recognized by DORA.

6. DORA will mean businesses and supply chains are better protected 

DORA means that financial firms will now only be able to interact with third-party vendors that offer ‘high, appropriate, and the latest information security standards.’ This in turn means that supply chains will become more robust because everyone has to put the right measures in place. 

7. DORA will help businesses make better decisions, faster 

DORA contains everything needed to help financial institutions make better decisions about risk management, data security, risk mitigation, etc. Its comprehensive and straightforward nature also enables faster decision-making. 

Download the whitepaper to find out more about DORA

DORA is a lengthy piece of legislation, and without a law degree, it’s hard to dissect. Luckily, we’ve written an all-in-one whitepaper covering everything from what this new legislation means, to who’s impacted, and how organizations can begin to prepare. Download your free copy below, and start getting ready for DORA today! 

PUBLISHED BY

Red Sift

4 Jul. 2022

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
Certificates

TLS certificates are changing: What you need to know

Red Sift

Executive summary: TLS certificates are about to get significantly shorter-lived. Starting 15 March 2026, newly issued public-trust certificates will max out at 200 days—and just three years later, that lifespan drops to 47 days. Backed by Google, Apple, and Mozilla, this shift aims to make the web safer through fresher data, faster failover, and…

Read more
DKIM

The hidden threat: How misconfigured DKIM enables replay attacks

Red Sift

Email authentication isn’t just an IT concern. It protects your brand and customers. A single misstep can let attackers spoof your domain, send phishing emails, and destroy customer trust. One of the most dangerous methods? The DKIM replay attack. In this post, we’ll break down how undersigned DKIM keys and related misconfigurations open your…

Read more
BIMI

Why DMARC and BIMI are a business priority

Jack Lilley

Email threats aren’t slowing down, and neither should your authentication strategy. In our recent joint webinar with Marigold, “From DMARC to BIMI: Navigating the New Email Authorization Landscape,” we broke down what today’s evolving standards mean for both security and marketing teams—and how to take action now with our free Red Sift Investigate tool.…

Read more
ASM

Zoom stops zooming: Why active monitoring is essential

Billy McDiarmid

​On April 16, 2025, Zoom experienced a significant global outage that disrupted video conferencing services and access to its website for thousands of users, as well as their corporate email for all their employees. It was quickly identified as a domain name registration status problem. Despite being a critical name for Zoom, somehow, the…

Read more