
Time is running out for banks and other financial institutions across Europe to get ready for the new Digital Operational Resilience Act (DORA): the new regulation is just four weeks away from implementation, with the framework coming into force on 17 January 2025.
The EU’s DORA spells out detailed criteria for the classification, management, and reporting of ICT risks. It also includes comprehensive recurring testing of these systems and a set of requirements for managing and monitoring ICT-related risks in the finance sector.
What is important to note is that the new regulation expands its scope beyond traditional financial institutions to include the management of technology services by third parties and organisations such as insurance companies and reinsurers.
The DORA regulation sets out specific requirements with regards to ICT risk management and governance, incident reporting, third-party risk management as well as operational resilience testing and threat sharing.
With regards to this last element, ICT systems must be tested regularly to evaluate their performance, identify vulnerabilities, and repair them in a timely manner.
In addition, financial institutions must establish agreements to share information and intelligence about threats and vulnerabilities.
ECB warning
Banks are urged to prepare for the new rules. In November, the European Central Bank, Europe’s main financial institution, fired off a stark warning that many banks across Europe still face major IT challenges and that their software testing practices are not up to scratch.
In fact, IT security risk assessment frameworks at numerous European financial institutions are in need of an upgrade, according to the ECB.
The central bank of the European Union countries that have adopted the euro wrote in a damning article in its latest compliance newsletter that “some banks are still facing challenges in implementing basic security controls and many key areas remain insufficiently developed in certain banks.”
The central bank stressed “these areas include security testing, vulnerability management, network segmentation, security detection, response and recovery capabilities and identity and access management.”
Moreover, “IT security risk assessment frameworks require significant improvement,” the ECB stated.
Preparations at ING
Following the firm ECB warning, many banks across Europe have started to prepare for the new regulatory regime, including Dutch banking giant ING Group.
Amsterdam-headquartered ING is Holland’s largest bank, with assets totalling just over €967 billion, while it employs close to 61,000 people in over fifty countries. Last year, it booked revenues of close to €19 billion.

Explaining what ING has been doing to prepare for DORA, Tom-Martijn Roelofs, the bank’s global head of security strategy and data, said that “to ensure ING is compliant, our chief operating officer introduced a DORA programme quite some time ago.”
Roelofs explained “this programme involves a number of bank functions, including my department, the Chief Information Security Office because of the cybersecurity requirements that are packed into the regulatory technical standards.”
One of the first steps, he continued, was to assess the impact of DORA and distinguish between new requirements and those requirements that ING was already undertaking, such as European Banking Authority standards.
“Then, the quite complex step was made to define our critical business services and to register the relevant applications and infrastructure connected to these,” Roelofs noted.
“The last part will be to ensure compliance to the regulatory technical standards of all critical business services, and this is still ongoing,” he stressed.
“The quite complex step was made to define our critical business services and to register the relevant applications.”
– Tom-Martijn Roelofs
Roelofs fully understands why the EU has ramped up its regulatory oversight and supervision when it comes to QA and the use and implementation of software.
“You only need to see what happened recently with American cybersecurity company CrowdStrike’s faulty update to see what impact IT outages have,” he said.
“It shows that financial institutions must design and operate their services so that they are resilient to the various root causes of outages, including cyber-attacks.”
Impact in 2025
Roelofs downplayed DORA’s direct impact on ING customers and other consumers.
“The Act will not directly impact customers and clients. It is all about financial institutions making sure their critical business services are sufficiently resilient.”

He clarified that “you could say that if we do our jobs properly, customers will not know about all the work that has been done because everything is robust and functioning 24/7.”
That is not necessarily the case for third parties, however.
“There is an impact outside of the bank though,” Roelofs explained. “It is what is referred to as a ‘vertical law’, meaning that every critical business service, such as hosting providers and cloud providers, is in scope.”
He added: “Via what’s called third party risk management, the technical standards that are enforced on the financial service providers are also in force for these third parties, and can even impact fourth parties.”
“This is a step that the EU has taken to enforce resilience on the entire EU market.”
“Non-EU based entities will also notice the effects although they are strictly not in the scope of DORA.”
– Tom-Martijn Roelofs
Recently, the European Supervisory Authorities have published regulatory technical standards on the various topics covered within DORA, and it has become increasingly clear that the scope and reach of the rules will be felt far outside the EU.
“DORA is an EU law, but it will have a wide impact because EU-based financial institutions will implement requirements uniformly, such as via global services, policies, and internal standards,” Roelofs said.
“This will also impact big service providers, such as telecommunications companies. So non-EU based providers will also notice the effects although they are strictly not in the scope of DORA. In that way it is perhaps similar to the Sarbanes-Oxley legislation which has a global effect despite being US legislation,” he concluded.