DORA Is Here: Latest Developments, Enforcement Trends, and Essential Compliance Tips

As of today, the Digital Operational Resilience Act (DORA) has officially gone into effect across the European Union. This landmark regulatory framework introduces stringent guidelines designed to fortify financial institutions against ICT disruptions. Below is an overview of the latest buzz, how different member states are approaching enforcement, key compliance strategies, and a highlight of Omada’s new DORA Playbook.

The Current DORA Landscape

Pan-EU Enforcement, Local Nuances

DORA seeks to harmonize operational resilience requirements across all EU member states. Yet it allows each jurisdiction some discretion in transposing and supervising these standards. For example:

1. Denmark: Denmark’s financial regulator (Finanstilsynet) has emphasized robust ICT risk assessments, with special attention to outsourcing arrangements. Although there is no grace period, financial institutions are encouraged to integrate DORA requirements into existing risk management frameworks promptly—particularly regarding vendor oversight, incident reporting, and threat detection. Regular supervisory check-ins are expected, mirroring other member states’ practices, and institutions that cannot demonstrate active steps toward DORA compliance risk enhanced scrutiny.
2. France: Authorities are focusing on technical incident reporting and fast response capabilities, with additional guidance on applying artificial intelligence for threat detection. Institutions must demonstrate proactive threat monitoring as part of annual supervisory reviews.
3. Germany: While aligned with DORA’s core mandates, German supervisors have emphasized strict auditing procedures. Financial institutions are subject to detailed evaluations of outsourcing contracts and third-party oversight.
4. Luxembourg: Regulators here have conducted extensive consultations and even issued readiness checklists before DORA’s official start. Financial entities operating in Luxembourg can expect regular on-site reviews of their ICT risk management practices.
5. The Netherlands: In the Netherlands, the Dutch Central Bank (DNB) and the Netherlands Authority for the Financial Markets (AFM) share responsibility for DORA enforcement. They have stated that larger financial institutions will face stricter requirements, while smaller and micro-enterprises may use more simplified frameworks. DORA is seen as complementary to NIS2, with DORA focusing on financial entities and their ICT providers. From 17 January 2025 onward, DNB and AFM will supervise compliance, requiring institutions to prove they have robust ICT risk management procedures, secure infrastructure, and effective incident reporting protocols.
6. Sweden: Sweden has rolled out clear processes for incident reporting and cyber-threat submissions through Finansinspektionen (FI), its financial supervisory authority. As of mid-January 2025, institutions must report major ICT-related incidents using FI’s Fidac system. Excel-based templates are initially required, covering all steps from the first notification through final reports, and each incident submission automatically generates a unique reporting ID for tracking. Plans are underway to transition from Excel to a JSON format, streamlining data exchange and aligning with DORA’s push for efficient oversight and harmonized technical standards.
7. Other Member States: Enforcement may vary based on how quickly regulators finalize their national requirements. Some regions have rolled out comprehensive guidelines, while others are still consolidating sectoral rules under the DORA umbrella.

Despite differences, one constant theme remains: no grace periods. Institutions that are not prepared face heightened scrutiny and potential penalties.

Spotlight: The DORA Playbook

We have recently released a DORA Playbook to help financial entities navigate the complex requirements and obligations of DORA. This Playbook distills the regulation’s core pillars into practical, step-by-step guidance, providing an actionable checklist to manage compliance. It is designed for CISOs, Compliance Officers, Risk Managers, and other senior decision-makers responsible for safeguarding their organization’s digital resilience.

Why This Matters

With DORA officially in effect across the EU, financial entities—ranging from banks and insurance companies to investment firms and payment providers—are now facing heightened scrutiny around operational resilience. By aligning internal governance, bolstering cybersecurity practices, and fine-tuning risk management frameworks, organizations can confidently demonstrate their commitment to regulatory compliance. The DORA Playbook offers that quick checklist to ensure the right steps have been taken.