DORA regulation 2025: Commentary from a legal expert

2025 01 09

The Digital Operational Resilience Act (DORA) regulation will come into effect on 17 January 2025, requiring financial sector companies to strengthen their digital operational resilience. This regulation introduces new requirements covering internal resource strengthening and the effective management of external partners. DORA poses challenges for companies striving to ensure that their processes, infrastructure, and risk management meet the strict requirements set by the EU.  

In this interview, we discuss the key aspects and challenges of preparing for the DORA regulation with Stasys Drazdauskas, a legal expert at Sorainen.

Readiness of different organisations 

The DORA regulation covers traditional financial institutions, such as banks and investment companies, as well as non-traditional entities, including cryptocurrency service providers and crowdfunding platforms. The regulation will also be relevant to ICT service providers, such as cloud service providers and data analytics companies.

The preparation for implementing the DORA regulation is already underway. Commenting on this process in the context of different financial institutions, legal expert S. Drazdauskas notes: 

“Established financial organisations are already actively preparing for the DORA regulation’s implementation, recognising its importance for effective risk management and business continuity. Large institutions with years of experience and sufficient internal resources typically find it easier to cope with new compliance requirements. However, smaller companies, lacking such resources, often face greater challenges and must rely on external partners or consultants to ensure smooth implementation of the regulation’s requirements.” 

Assessing internal resources 

One of the first steps in meeting the DORA regulation’s requirements is the assessment of internal resources. Before considering external assistance, organisations must conduct a thorough audit of existing processes and documentation.

“The assessment process begins with an inventory of documents, as it is important to examine whether existing policies, procedures, and internal documents align with DORA requirements. This allows for identifying areas where compliance is already met and where corrections or additional documentation may be necessary. An organisation can make informed decisions about engaging external partners only after evaluating the internal situation. Some companies may determine they have enough internal resources and expertise to achieve compliance independently. In contrast, others may require additional support to fill gaps and ensure full compliance with the DORA regulation,” says S. Drazdauskas. 

Another essential step in ensuring the smooth implementation of DORA requirements is forming teams of responsible individuals within the organisation. Commenting on this, the legal expert highlights: 

“With a clearly defined team responsible for DORA compliance, organisations can quickly identify weaknesses and gaps in internal processes. This approach speeds up problem-solving and ensures that the internal team is better prepared to cooperate with external experts who can cover missing resources or expertise.” 

Thus, by establishing a team of responsible individuals, companies can focus more on strategic decisions and ensure smooth implementation of DORA requirements, as this allows for better coordination and control over all compliance processes. 

Cross-border risk management 

Each country has its own specific regulations and legal standards. Therefore, organisations operating in multiple countries must ensure compliance with local requirements. Discussing the DORA regulation in this context, Sorainen’s legal expert notes:

“The DORA regulation provides the opportunity to centrally manage certain processes, which helps reduce administrative burdens. A centralised approach to ensuring compliance not only facilitates coordination of processes across different countries but also helps avoid duplication or conflicts between national and international legal acts.” 

S. Drazdauskas further emphasises the advantages of this approach: 

“Centralised document preparation allows for harmonising risk management standards across the entire corporate group, ensuring a consistent and efficient compliance process at the EU level. This is particularly important for multinational organisations that must comply with both national and international legal acts. In this way, companies can avoid inaccuracies that could risk business continuity.” 

Once the existing situation and internal resources required to meet the DORA regulation’s requirements have been assessed, organisations may consider involving external partners. Financial institutions often seek consultants who can provide comprehensive solutions covering both legal and IT aspects. S. Drazdauskas notes:

“Key areas in implementing the DORA regulation include controlling ICT service providers, incident management policies, and other risk management processes. In these areas, expertise from both domains is often necessary, so cooperation between lawyers and IT specialists is crucial to ensure the smooth implementation of DORA requirements. This collaboration also helps address complex interpretation and integration issues that arise when trying to align legal requirements with technical solutions.” 

The legal expert also stresses: 

“External partners become important strategic allies when companies face gaps in internal processes or lack a clear compliance strategy. Partners with specialised legal and IT knowledge not only help implement DORA requirements properly but also ensure smooth and efficient process management.” 

Connection between MiCA and DORA regulations 

The DORA regulation is closely related to another EU regulation aimed at the financial sector – MiCA (Markets in Crypto-Assets Regulation). MiCA’s main objective is to regulate the cryptocurrency market, while DORA focuses on strengthening digital operational resilience in the financial sector. For companies seeking MiCA licensing, implementing DORA requirements becomes a key part of the preparation, helping not only to use time and resources more efficiently but also to ensure smooth compliance with broader EU regulatory provisions. 

Both DORA and MiCA regulations aim to strengthen the security and reliability of the financial sector. Discussing the relationship between MiCA and DORA, S. Drazdauskas explains: 

“Organisations seeking MiCA licensing often address DORA requirements at the same time, ensuring not only compliance with both regulations but also more efficient management of time and resources. This strategic approach allows companies to create a consistent compliance system, where there is no need to address the same issues multiple times, and the connection between the regulations forms the basis for a centralised risk and compliance management system.” 

The legal expert continues: 

“Moreover, this process helps companies adapt more quickly to regulatory changes and strengthens their competitive advantage in the market, as they not only obtain licenses but also demonstrate their readiness to operate according to the highest standards set by the EU.” 

NIS2

When comparing the DORA regulation to other legal acts, the recently adopted NIS2 Directive also plays an important role. The directive aims to strengthen the EU member states’ resilience to cyber threats by ensuring a higher level of security across Europe in various important sectors, such as transportation, energy, health care, food industry, etc.  

“Both the NIS2 Directive and DORA emphasise management of third-party supply chain risks. However, the NIS2 Directive is much less detailed than DORA and other implementing regulations, where the requirements are very detailed. Moreover, the NIS2 Directive applies to entities separately in each Member State, while DORA compliance is supervised in the country where the licence for financial activities is obtained. This allows applying a more centralised approach when ensuring compliance with DORA requirements,” comments the legal expert.

The DORA regulation marks an important step towards strengthening the resilience of the financial sector. As noted by Stasys in our interview, organisations need to assess their available resources promptly, consider the help of external partners, and leverage the benefits of centralised management. Therefore, proper preparation not only ensures compliance with the DORA regulation but also allows organisations to achieve greater operational efficiency. 

Thank you for the conversation, Stasys! 
