28 April 2025
The Digital Operational Resilience Act (DORA) imposes strict cybersecurity measures on the financial sector. Financial entities and their ICT third-party service providers must demonstrate robust IT security, conduct risk analyses, and ensure contractual compliance. For the first time, the competent authorities in the individual EU member states must report the financial entities’ registers of information to the European supervisory authorities, with a deadline of April 30, 2025. These registers must list all of the financial entities’ contractual agreements governing the use of ICT third-party service providers. Even after the reporting deadline has passed, financial entities must continue strengthening their DORA compliance and bring their ICT service providers on board.
“DORA is driving the financial industry and its ICT service providers to take effective action for stronger cyber resilience,” says Richard Skalt, Advocacy Manager Cybersecurity at TÜV SÜD. “The regulatory requirements have been fully effective since the beginning of the year. We are currently seeing a significant demand for third-party conformity assessment of the measures implemented so far among financial entities.”
DORA compliance: a continuous commitment
By now, most financial entities have aligned their systems and processes to DORA requirements. Financial entities seeking independent verification of their implemented measures can use TÜV SÜD’s DORA Assessments to obtain qualified third-party assessments. Through targeted compliance audits, TÜV SÜD experts identify gaps in the implementation of the regulation and develop a roadmap for closing those gaps. The experts can, for example, develop and implement a DORA-compliant security strategy and establish a framework for incident detection and reporting.
Risk management and cyber resilience are particularly important for achieving DORA compliance. In the future, ICT third-party service providers to financial entities classified as “critical” will also be required to demonstrate compliance with these requirements as part of their contractual obligations to their clients. TÜV SÜD’s detailed assessments help companies identify weaknesses in their existing cybersecurity strategies and develop practical improvements.
Getting employees on board
Financial entities and critical ICT service providers must not only meet the compliance requirements but also cultivate a strong internal culture of cybersecurity. To this end, engaging their employees through cybersecurity training is crucial. Training for leadership is also essential to align DORA compliance with the business strategy. TÜV SÜD Academy supports this need by offering a comprehensive training program on cybersecurity, ranging from awareness workshops to specialized training programs for decision-makers.
“The attack methods used by cybercriminals are evolving rapidly, forcing financial entities to continuously check and improve the actions they have taken, even if they have met their first-time reporting obligations by the end of April,” adds Skalt.
For more information on TÜV SÜD’s DORA services, go to tuvsud.com/en/themes/cybersecurity/digital-operational-resilience-act
Press contact: Laura Albrecht