Özgün Law Firm

1. Introduction

Digital Operational Resilience Act (DORA) is a regulation put in place by the European Union to reinforce the cybersecurity of financial organizations.

Latest news: EU’s Delegated Regulation on Subcontracting entered into force on 22 July 2025. The legal groundwork of the Digital Operational Resilience Act (DORA) is now complete. Authorities will now focus on enforcement and regulation.

Why it matters: DORA introduces extensive requirements that will affect financial organizations and information technology (IT) services providers alike. It includes important reforms with respect to cybersecurity, incident response and IT contracts.

What to do now: With the implementation of the obligations under DORA and the start of audits, it has become critical for companies to review their DORA compliance. In particular, key documents such as the list of “critical or important functions” and incident response plans should start to be subjected to stress tests.

2. 10 Fundamental Lessons From the First Six Months

Compliance levels vary and the development process continues.

Many obligations in DORA are based on already existing regulations (e.g. the European Banking Authority's outsourcing guidelines). Therefore, organizations operating in heavily regulated sectors such as banks and large-scale IT service providers (hyperscalers) have been able to achieve DORA standards by partially adapting their existing systems. In contrast, actors such as small-scale asset managers have had to make more extensive changes as they started from a weaker infrastructure. For such institutions, the DORA compliance process is still ongoing.

Targeted approaches can reduce compliance costs.

DORA introduces a large number of new policies and procedures. Therefore, organizations, especially those with limited resources, should adopt a risk-based and targeted strategy. For example, directing resources to areas with the highest audit risk (such as critical supplier management) can be cost and time efficient.

Critical functions must be carefully identified.

In addition to the basic obligations for all IT services, DORA contains more stringent rules specific to services that support only “critical or important functions”. It has been observed that organizations tend to use overly broad definitions when defining these functions. This can have the adverse consequence that non-essential systems are also subject to high compliance obligations. It is therefore crucial that the truly critical functions are correctly categorized.

Incident response plans should be stress-tested.

According to DORA, incident notification should be made within 24 hours of becoming aware of the incident. Furthermore, notification thresholds are based on new criteria such as reputational or economic impacts. It is therefore recommended that companies test response plans with incident simulations. Plans should;

• (a) include a hierarchy showing who the decision-makers are and that they have been authorized to make decisions,
• (b) include easily accessible information to guide decision-making (e.g. notification thresholds, who the information owners are, list of critical functions, etc.). 

It should also be considered to conduct these simulations under legal confidentiality.

A proportionate and justified compliance approach should be adopted.

Many concepts in DORA are still open to interpretation. This ambiguity makes a single “correct” compliance approach impossible. Therefore:

• (a) companies should establish a reasonable and defensible compliance position,
• (b) document the justification for that position; and
• (c) monitor developments in implementation and update their positions as necessary.

Adequate support should be provided to board members.

DORA imposes individual responsibility on board members. This is a source of concern, especially for members who are not familiar with IT systems. For this reason, legal and IT trainings should be provided for the board of directors, and the scope of these trainings should be expanded with the support of external consultants when necessary. It should also be ensured that the trainings are demonstrable before regulatory authorities.

IT teams should be involved in the process from the beginning.

It is critical to integrate the new policies established under DORA into the existing IT infrastructure. Therefore, involving IT teams in compliance processes at an early stage will both increase applicability and enable DORA compliance with minor revisions to existing systems.

Intra-group structures should be considered.

Organizations located within the EU and subject to DORA are often dependent on the IT infrastructures of their non-EU parent companies Therefore, obligations not only within the EU but also across the group need to be addressed in a balanced manner. This requires coordination and flexibility between EU and non-EU teams.

Contract updates take time, but standardized templates simplify the process.

DORA requires new provisions to be introduced into IT service contracts. Renegotiating such contracts will take time. However, industry-standard contract templates and negotiation guides that separate the “must-haves” from the “nice-to-haves” can significantly speed up the process. Prioritization, starting with high-risk suppliers first, is another effective method.

DORA compliance requires regular review.

DORA’s reglementary framework remains in flux. New statutes are being published, existing guidelines are being updated and authorities’ expectations are evolving. Firms’ IT infrastructures are also dynamic in nature. Therefore, policies adopted in light of DORA should be reviewed periodically. As a matter of fact, DORA requires annual reviews in many cases. In this regard, using annual checklists is an effective way to ensure the sustainability of review processes.