• Office Hours: 9:30 AM – 7:45 PM

DORA Compliance: What It Means for Your Business in 2025

  • August 5 2025
  • Costas Filou

When DORA Took Effect

  • The EU Regulation 2022/2554 (DORA) officially entered into force on January 16, 2023, with full obligations applying from January 17, 2025.
  • Day Zero has already passed — as of January 17, 2025, all organizations in scope must be fully compliant.

 

What Is “Day Zero”?

“Day Zero” is the date when DORA becomes enforceable in practice.

  • For DORA, that was January 17, 2025.
  • From that day on, EU regulators can audit compliance and impose penalties.
  • All frameworks — from ICT risk management to third‑party oversight — must already be operational, not just planned.

⚠️ We are now beyond Day Zero: organizations that are still preparing instead of operating under DORA standards are at serious regulatory risk.

 

Who Must Comply with DORA

The Digital Operational Resilience Act (DORA) applies to more than 20 categories of entities in the EU financial sector.

  • Financial Entities
  • Banks and credit institutions
  • Insurance and reinsurance companies
  • Payment institutions and electronic money issuers
  • Investment firms
  • Central securities depositories (CSDs)
  • Central counterparties (CCPs)
  • UCITS management companies and Alternative Investment Fund Managers (AIFMs)
  • Pension funds and their administrators
  • Financial advisors, brokers, and trading venues
  • Crypto‑asset service providers (CASPs)

 

ICT Third‑Party Providers

  • Cloud service providers and data centers
  • SaaS vendors delivering critical services
  • Cybersecurity, monitoring, and analytics providers
  • Telecommunications and communication infrastructure platforms

 

DORA for Small and Micro‑Enterprises

 

What Remains Mandatory

  • Basic ICT Risk Management: Even small firms must maintain a documented ICT security policy.
  • Incident Reporting: Obligatory to report serious incidents, even in simplified form.
  • Vendor Oversight: Contracts with ICT providers must include at least minimal DORA clauses.
  • Documentation: All policies and procedures must be written down, even if concise.

 

What Gets Simplified

  • Proportionality Principle: Reporting and compliance can be lighter than for large banks or fintechs.
  • Resilience Testing: No need for costly TLPT (Threat‑Led Penetration Testing).
  • Reporting Templates: Regulators may provide simplified forms and workflows.

 

What Cannot Be Avoided

  • Accountability: Regulators can still impose penalties if minimum standards are ignored.

 

The Five Pillars of DORA

 

1. ICT Risk Management

  • Establish documented policies and procedures to identify and mitigate ICT risks.
  • Apply the principle of proportionality depending on organization size and risk profile.

 

2. Incident Reporting

  • Detect, classify, and report major ICT‑related incidents.
  • Initial notification within 4 hours after classification and full reporting within 24 hours after detection.

 

3. Resilience Testing

  • Regular resilience tests, including penetration testing (TLPT), for systems supporting critical functions.
  • Significant entities must conduct these at least once every three years.

 

4. Third‑Party Risk Management

  • Maintain a Register of Information (RoI) of all ICT service contracts.
  • Include DORA‑specific clauses in contracts and monitor providers continuously.
  • Critical Third‑Party Providers (CTPP) are under direct EU supervisory oversight.

 

5. Information Sharing

  • Voluntary, secure cyber‑threat intelligence sharing across the financial sector to strengthen collective resilience.

 

Consequences of Non‑Compliance

  • Fines: up to 2% of global turnover for financial entities, and up to €5 million for ICT providers with critical status.
  • Legal risks: lawsuits, reputational damage, and even loss of license or operational restrictions.

 

How Zefsina Helps You Stay DORA‑Compliant

 

End‑to‑End Compliance Support

 

1. ICT Risk Management

  • Continuous vulnerability scanning and monitoring.
  • Regular updates to policies and risk frameworks.

 

2. Incident Management & Reporting

  • Automated detection and notification workflows.
  • Bitdefender for advanced threat detection and response.
  • Assistance with preparing regulator‑ready reports.

 

3. Resilience Testing

  • Planning and execution of penetration testing and TLPT scenarios.
  • Full documentation to meet audit requirements.

 

4. Third‑Party Risk Oversight

  • Automated RoI registers with integrated SLA and contract terms.
  • Monitoring vendors via Cisco Security Access and NinjaOne.
  • Contract review and updates to meet DORA clauses.

 

5. Access Management & Zero Trust

  • Cisco Duo provides MFA, phishing‑resistant authentication, and secure access.

 

6. Training & Awareness

  • Hands‑on workshops for IT and compliance teams.
  • Scenario‑based exercises for effective incident response.

 

Contact us — Zefsina Networks delivers the full journey to DORA compliance

 

Tags
Previous Post
Windows 10 End of Support: What You Need to Know

Leave a Comment