What is the Digital Operational Resilience Act (DORA)?

Overview

The Digital Operational Resilience Act (DORA) is a comprehensive European Union regulation designed to strengthen the digital operational resilience of the financial sector. Enacted in January 2023, DORA establishes a uniform framework for financial institutions to manage information and communication technology (ICT) risks, incident reporting, and third-party service provider relationships. This landmark legislation represents the EU's response to the growing digitalization of financial services and the need for robust cybersecurity measures.

Understanding DORA's scope and application

DORA applies to a wide range of financial entities operating within the European Union. Banks and credit institutions, both traditional and digital, form the core of regulated entities. But DORA’s scope is far-reaching, extending beyond traditional banking and credit institutions to include:

  • Payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366
  • Account information service providers
  • Electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC
  • Investment firms
  • Crypto-asset service providers as authorized under a Regulation of the European Parliament and of the Council on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (“the Regulation on markets in crypto-assets”) and issuers of asset-referenced tokens
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • Trade repositories
  • Managers of alternative investment funds
  • Management companies
  • Data reporting service providers
  • Insurance and reinsurance undertakings
  • Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries
  • Institutions for occupational retirement provision
  • Credit rating agencies
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • Securitization repositories
  • ICT third-party service providers

What are the core components of DORA compliance?

ICT risk management

Financial entities must implement comprehensive ICT risk management frameworks that encompass multiple layers of security and oversight. These frameworks require detailed strategies and policies that specifically address digital resilience, including concrete measures for cyberthreat prevention and response. Organizations must conduct regular risk assessments that identify both current and emerging vulnerabilities across their digital infrastructure.

Security measures must include sophisticated access controls that manage user privileges and maintain data integrity, along with state-of-the-art encryption protocols to protect sensitive financial information. The framework demands continuous monitoring systems that provide real-time insights into potential security threats and system performance. Clear governance structures must be established, with specific roles and responsibilities assigned to ensure accountability in risk management procedures.

Incident management and reporting

DORA mandates sophisticated incident management and reporting procedures that go beyond basic cybersecurity protocols. Organizations must develop and maintain robust detection systems capable of identifying both obvious and subtle ICT-related incidents. This requirement includes implementing multitiered classification systems that accurately assess incident severity based on predefined criteria and potential impact on financial operations.

Detailed incident logs must be maintained with comprehensive documentation of response procedures, resolution steps, and outcome analyses. Major incidents require prompt reporting to relevant authorities through established channels, with specific timeframes for initial notification and follow-up reports. Organizations must develop and regularly update communication plans that address various stakeholder groups, including customers, partners, regulatory bodies, and the media when necessary.

Digital operational resilience testing

DORA requires systematic testing of digital resilience through multiple approaches. Vulnerability assessments must be conducted regularly using advanced testing tools and methodologies to identify potential weaknesses in ICT systems. Independent parties must perform penetration testing to ensure unbiased evaluation of security measures and identify potential breach points. Scenario-based testing should simulate real-world cyberthreats and operational disruptions to evaluate response capabilities and system resilience.

Regular validation of security measures must be performed to ensure their continued effectiveness against evolving threats. All testing activities require detailed documentation, including methodologies used, findings, and remediation steps taken.

Third-party risk management

DORA emphasizes comprehensive management of relationships with ICT service providers through structured oversight and documentation. Organizations must conduct thorough risk assessments of third-party providers, evaluating their technical capabilities, security measures, and business continuity plans. Service agreements require regular reviews to ensure alignment with current regulatory requirements and operational needs.

Organizations must maintain a detailed provider register that documents all critical and noncritical service arrangements, including specific services provided, data-access levels, and security measures in place. Critical service arrangements must be reported to regulatory authorities, with updates provided for significant changes. Contractual obligations must explicitly address compliance requirements, including security measures, incident reporting, and audit rights.


How do OpenText IT Operations solutions help with DORA compliance?

OpenText IT Operations solutions help financial institutions achieve and maintain DORA compliance through technology platforms that address key regulatory requirements.

OpenText™ Universal Discovery and CMDB serves as the foundational element for DORA compliance by providing deep visibility into an organization's ICT infrastructure. With both agentless and agent-based discovery capabilities, this solution creates a comprehensive view of IT environments, including devices connected through secure VPNs or intermittent internet connections. It performs event-based updates of multicloud environments, ensuring that financial institutions maintain an accurate, real-time picture of their entire infrastructure, both on-premises and in the cloud. Its service mapping capabilities allow organizations to predict, before implementation, how changes might impact critical financial services—directly addressing DORA's risk management and operational resilience requirements.

OpenText™ Service Management integrates essential ITSM and IT asset management capabilities to establish clear ownership and management of services, applications, and supporting ICT equipment. The solution includes ITIL-certified best-practice templates that cover incident, problem, change, release, and configuration management—all crucial elements for DORA compliance. These templates help organizations establish automated response chains that minimize service disruptions and ensure consistent handling of ICT-related incidents, meeting DORA's requirements for incident management and reporting.

OpenText™ Core Infrastructure Observability addresses DORA's monitoring requirements by providing end-to-end visibility of multicloud and on-premises resources. AI-driven anomaly detection capabilities enable financial institutions to identify potential issues before they impact service delivery. Organizations can also establish mechanisms to quickly detect anomalous activities—including network performance issues and ICT-related incidents—and identify potential single points of failure that could affect operational resilience.

OpenText™ Core Application Observability complements infrastructure monitoring by focusing on application performance and service delivery. This solution helps organizations ensure that critical financial services applications maintain optimal performance and availability. It enables comprehensive root cause analysis and documentation of incidents, supporting DORA's requirements for incident handling and resolution. Integrated monitoring and follow-up capabilities ensure that organizations maintain consistent service quality while meeting regulatory reporting requirements.


DORA readiness: Time to act

DORA represents a significant shift in how financial institutions must approach digital operations and risk management. Successful DORA compliance requires a comprehensive strategy combining robust technological solutions, clear processes, and ongoing commitment to digital resilience. Organizations must begin their compliance journey well before the January 2025 deadline to ensure they meet all requirements and maintain the necessary operational resilience for the digital age. With OpenText’s IT Operations solutions, financial institutions can build a strong foundation for DORA compliance while enhancing their overall IT operational efficiency and security posture.