DORA harmonizes rules across the EU, replacing fragmented national approaches with a single standard for digital security. The regulation is a binding legal act applicable from 2025, requiring EU financial institutions and their ICT vendors not only to protect themselves against cyberattacks but also to maintain a demonstrated ability to recover from them.
In practical terms, DORA covers five areas: ICT risk management, mandatory incident reporting, regular testing of systems, controls over third-party vendors, and direct accountability of senior management.
The requirements apply to all financial organizations in the EU (banks, insurers, crypto-asset service providers) as well as to their critical third-party ICT providers (CTPPs). Governing bodies (the board of directors) are directly responsible for implementing the digital operational resilience strategy.
In practice, this means banks and insurers will need to assess their current ICT risks, renegotiate contracts with vendors (cloud providers in particular), develop plans for continuous system testing, and establish incident reporting protocols so that technological disruptions are detected and handled rather than allowed to escalate.
“The National Bank is constantly monitoring the changes brought about by the increasing use of digital technology in the operations of financial institutions. The increasing degree of digitalization in areas such as payments, e-commerce or digital distribution of financial products requires the adoption of common and robust measures to protect digital systems,” stressed Constantin Shkendrya, Deputy Governor of the NBM.