Risk Management under the Digital Operational Resilience Act (DORA): A Practical Guide
Jun 12, 2026
Introduction
The operation of financial services has been transformed by digitisation. Technological innovation has improved efficiency, scalability, and customer experience, but it has also given rise to new risks, including cyberattacks, system failures, third-party service disruptions, and functional vulnerabilities. The European Union enacted the Digital Operational Resilience Act (DORA) to reduce these risks.
The Act was adopted in 2022, entered into force on 16 January 2023, and became fully applicable on 17 January 2025. Its aim is to establish an integrated framework for managing Information and Communication Technology (ICT) risk across financial-sector institutions in the European Union, and to ensure that financial institutions can withstand, respond to, and recover from ICT-related disruptions. Traditional cybersecurity laws and regulations focused primarily on security controls. DORA is instead built on a resilience-oriented model: it treats operational continuity as a strategic governance issue and makes management bodies more accountable.
Understanding the Risk Management Framework of the Digital Operational Resilience Act (DORA)
The foundation of the Digital Operational Resilience Act (DORA) lies in the statutory provisions of Chapter II (Articles 5–16), which lay down a comprehensive ICT Risk Management Framework.
Article 6 requires financial institutions to establish a comprehensive ICT risk management framework that ensures strong digital operational resilience and enhances market trust and confidence. The framework must enable financial institutions to identify and protect against ICT-related risks, detect abnormal activities and incidents, respond effectively to digital disruptions, recover operations in a timely manner, and continuously learn and evolve from ICT-related incidents.
The Five Core Pillars of Risk Management under the Digital Operational Resilience Act (DORA)
1. ICT Governance and Accountability
Under the Digital Operational Resilience Act, senior management holds primary responsibility for ICT risk management. Senior management approves ICT risk strategies, monitors the implementation of resilience measures, ensures proper allocation of resources, and regularly reviews operational resilience capabilities. The Act also restricts the delegation of accountability for ICT risk management. This marks a shift from traditional approaches: cybersecurity, previously treated merely as an IT function, becomes a board-level governance responsibility.
2. ICT Risk Identification and Asset Mapping
Effective digital operational resilience relies on strong asset visibility. The Act requires financial entities to maintain detailed records of ICT assets, software applications, data repositories, critical business functions, and ICT interconnections and dependencies. They must also identify potential single points of failure and closely examine vulnerabilities and digital disruptions that could hinder financial services.
3. Protection and Prevention Measures
The Digital Operational Resilience Act requires financial institutions to implement appropriate safeguards for the confidentiality, integrity, and availability of ICT systems. These safeguards include access controls, encryption, network segmentation, vulnerability management programmes, and secure software development practices. The Act takes a risk-based approach: security controls are not driven solely by technical compliance requirements, and they must remain proportionate to the size, complexity, and risk profile of the institution.
4. Detection and Incident Response
The Act requires financial institutions to design a framework for the early detection of abnormal activities, cyber threats, and ICT-related incidents. Such a framework must include continuous monitoring systems, incident detection capabilities, escalation procedures, crisis communication protocols, and clearly defined response responsibilities. These measures help contain the effects of ICT-related incidents and prevent them from escalating into broader systemic failures.
5. Recovery, Continuity, and Learning
The Digital Operational Resilience Act emphasises rapid recovery and the building of business continuity capabilities. It requires financial institutions to develop business continuity plans, disaster recovery procedures, backup strategies, and appropriate Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). Institutions must conduct a detailed post-incident review to identify gaps and strengthen operational resilience for the future.
ICT Incident Reporting Obligations
Chapter III (Articles 17–23) of the Digital Operational Resilience Act provides an integrated framework for reporting major ICT-related incidents. Financial institutions are required to classify incidents according to regulatory criteria, notify competent authorities, and submit intermediate and final reports. These statutory requirements improve supervisory visibility and support stronger digital operational resilience across the European Union's financial sector.
Operational Resilience Testing
Chapter IV (Articles 24–27) of the Act requires financial institutions to conduct digital operational resilience testing on a regular basis. This testing includes vulnerability assessments, security assessments, scenario-based testing, business continuity exercises, and Threat-Led Penetration Testing (TLPT) for qualifying institutions. The Act takes a proportionate approach that requires testing under realistic conditions, a clear shift from the traditional approach of theoretical compliance.
Third-Party ICT Risk Management
Chapter V (Articles 28–44) of the Act provides an advanced model for managing third-party ICT risk. The Act recognises the growing dependence of financial institutions on cloud service providers, data analytics platforms, software vendors, and outsourced infrastructure providers. Financial institutions are required to maintain a register of ICT contractual arrangements, assess concentration risks, monitor critical providers, conduct due diligence, and prepare exit strategies to manage the risks arising from these dependencies. The Act also provides for direct European Union (EU) oversight of critical ICT third-party providers. This aims to address systemic dependence on a small number of technology providers and to strengthen operational resilience across the EU financial sector.
Practical Challenges in the Implementation of the Digital Operational Resilience Act (DORA)
Despite the clear framework provided in the Act, its implementation presents several practical challenges.
Legacy Systems: Many financial institutions operate on fragmented infrastructures. This limits visibility and complicates resilience testing.
Third-Party Dependencies: Mapping complex third-party dependencies is highly resource intensive.
Gaps in Governance: ICT, risk, compliance, and legal teams within institutions often operate independently, which creates governance gaps and makes it difficult to assign accountability.
Resource Constraints: Smaller institutions with limited resources struggle to meet the extensive documentation, testing, and monitoring obligations.
Industry experience shows that many organisations treat compliance merely as a technology project. They often underestimate the governance and cultural changes that long-term resilience requires.
Best Practices for Compliance with the Digital Operational Resilience Act (DORA)
The framework provided under the Digital Operational Resilience Act must be properly integrated into the institution's risk management and governance structure. It must not be treated as a separate cybersecurity initiative. A continuous approach to effective compliance combines governance, risk management, operational resilience, and third-party oversight.
Board-level ownership and oversight of ICT risk: Senior management should regularly review resilience capabilities and ensure that adequate financial, technological, and human resources are allocated to resilience initiatives.
Comprehensive ICT asset inventory and dependency mapping: Consistent mapping of interconnections and dependencies will help in identifying single points of failure and improve risk visibility across the institutions.
Continuous monitoring and threat detection capabilities: Institutions must implement comprehensive mechanisms for real-time monitoring, threat intelligence, and incident detection to recognise vulnerabilities and abnormal activities at an early stage.
Robust ICT third-party risk management and governance: Financial entities must conduct due diligence reviews of ICT service providers, continuously assess concentration risks, and ensure close monitoring of critical suppliers.
Integrated ICT incident response and recovery planning: Financial institutions must create a robust response framework, including clear roles, escalation procedures, communication protocols, and recovery responsibilities.
These practices enable financial institutions to operationalise a sustainable model of digital operational resilience, one capable of withstanding complex ICT and cyber security risks.
Conclusion
The Digital Operational Resilience Act is one of the most comprehensive regulatory developments in financial-sector cybersecurity and operational risk management. The regulation introduces an integrated model for ICT governance that includes third-party oversight, incident reporting, resilience testing, and business continuity. It has fundamentally reshaped how financial institutions approach digital risk management.
The compliance framework under the Act is not only about avoiding regulatory scrutiny. It ensures that critical financial services remain functional even during major disruptions. Financial institutions should embrace the Act as a resilience framework rather than confining it to a compliance checklist. Doing so helps them navigate a complex digital threat landscape, strengthen stakeholder trust, and secure long-term operational stability.
Want to know more?
Want to navigate the complexities of DORA and build a resilient, future-ready compliance framework? Reach out to the experts at tsaaro.com today.