In recent weeks, the European Commission has published two significant regulations under the Digital Operational Resilience Act (DORA) which will contribute towards firms’ compliance efforts, standardising reporting of major ICT-related incidents and cyber threats.
The first, Commission Delegated Regulation (EU) 2025/301, sets out technical standards for the content and timing of mandatory incident reports and voluntary cyber threat notifications.
It sets out classification criteria, reporting deadlines and required details, such as impact assessments, remediation efforts and communication with authorities.
Meanwhile, Commission Implementing Regulation (EU) 2025/302 provides standardised templates, forms and procedures for reporting. This regulation mandates uniform reporting formats, secure submission channels and requirements for complete and updated information.
Both regulations, published in the Official Journal of the EU, took effect on March 11, 2025, 20 days after their publication.
The bigger picture
These frameworks will help firms remain compliant with DORA, which aims to improve the security of financial entities and shore up the EU financial sector's resilience against severe operational disruptions.
Applicable from January 17, 2025, DORA has introduced a set of harmonised requirements across the EU member states, addressing the fragmented approach to operational resilience previously observed.
The regulation encompasses a wide range of financial entities, including banks, insurance companies, investment firms, payment institutions and ICT third-party service providers. The impetus behind DORA stems from the increasing frequency and impact of ICT-related incidents in the financial sector.
Notable disruptions in recent years have included a global IT outage in July 2024 caused by a faulty CrowdStrike update, affecting 8.5m Microsoft Windows devices and leading to widespread service interruptions across various sectors.
Outages have also occurred that were specific to the EU. For example, in October 2020, the European Central Bank's TARGET2 system, which is responsible for processing large-value euro payments, experienced an almost 11-hour outage due to a software glitch in a third-party network device.
Meanwhile, in 2023, the Spanish online payment platform Redsys experienced a system failure affecting some consumer payments in the country.
Incidents like these underline the critical importance of robust operational resilience, and DORA could certainly go some way towards guaranteeing a safer cyber environment for financial firms and their customers, despite its onerous, prescriptive requirements.
Firms should pay close attention to these regulations: adherence not only meets their legal obligations but also strengthens their operational resilience against ICT-related incidents and cyber threats.
Failure to comply could result in regulatory penalties and reputational damage.
The two frameworks also differ in purpose. Within the EU's legislative framework, Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) play distinct roles.
RTS are detailed regulations developed by the European supervisory authorities (ESAs) and adopted by the European Commission through delegated acts. ITS, also drafted by the ESAs, primarily establish uniform procedures and forms that facilitate the implementation of legislative acts and guarantee harmonisation.
Why should you care?
The latest technical standards and reporting templates under DORA mark a significant step toward enforcing a uniform, harmonised and more structured approach to ICT incident management in the EU financial sector. As the regulations are both now in effect, financial firms must proactively ensure compliance and mitigate the risk of regulatory scrutiny.
Key actions for firms
To prepare for DORA’s stringent reporting requirements, firms should consider the following:
- Conduct a gap analysis: assess current ICT incident reporting policies and compare them against the new DORA requirements. Identify areas where enhancements are needed to ensure full compliance.
- Enhance incident reporting processes: review existing workflows, reporting mechanisms and automation capabilities. Firms should consider whether additional tools or system updates are required to meet the strict reporting deadlines efficiently.
- Deliver training and awareness: compliance teams must ensure that all relevant departments understand the new obligations. Training programmes should be rolled out to incident response teams, IT, risk management and senior leadership to ensure a coordinated approach.
- Assess threat detection capabilities: firms should evaluate their existing threat detection and response processes, ensuring they are robust enough to identify and report ICT-related incidents in line with DORA’s requirements. Investments in advanced monitoring and intelligence-sharing mechanisms may be necessary.
Challenges and considerations
DORA signals a shift toward making operational resilience a strategic priority rather than just a compliance exercise.
The impact of these regulations will vary depending on the size and resources of the firm. Larger financial institutions and big tech companies with well-established cybersecurity frameworks may find compliance more manageable. Many of these firms already operate under stringent reporting obligations, such as those required by the NIS2 Directive, and have the resources to invest in automation and AI-driven reporting tools.
However, smaller financial firms, fintech startups and regional institutions may face greater challenges in adapting to the new framework. These firms, operating with limited budgets and relying on third-party service providers, must verify that their vendors comply with DORA.
Unlike the lighter-touch incident reporting requirements under the revised Payment Services Directive (PSD2), DORA introduces a far more detailed and prescriptive framework, requiring firms to rethink their approach to operational resilience. This could mean increased costs for compliance, investments in new technology and additional staff training.