

The day thousands of banks and financial services firms across Europe have prepared for has finally come: from today the EU’s Digital Operational Resilience Act (DORA) applies.
Banks, financial institutions and other actors in the finance space have rushed in recent months to finalise their compliance programmes, as the entire financial services sector across Europe now faces a host of new obligations.
From today, confronted with a slew of new regulatory conditions, European financial institutions must gather, analyse and report far more data, and use it to make strategic decisions.
“Manually handling these tasks would not only be impractical but also leave organisations with little time to do anything else,” stressed Yakir Golan, the chief executive officer and co-founder of Kovrr, a firm that helps banks and other financial institutions to quantify the financial risks of software flaws.
“Consequently, EU business leaders are now in search of advanced risk management models and platforms that can streamline these processes and facilitate compliance,” he stressed.
“DORA is a much-needed regulation that will undoubtedly enhance the safety and stability of the EU financial market and, by default, the rest of the world,” Golan observed.
“Nevertheless, compliance does not come without considerable challenges. Financial entities must quickly learn how to navigate this new landscape of requirements that now demand meticulous data gathering, analysis, and reporting,” he warned.
Deadline is here
With the implementation deadline now here, banks and financial firms across Europe spent 2024 making sense of the new rules and, perhaps more importantly, working to be fully compliant from today.
There is no time left, and little doubt about the stakes: bankers, legal experts, regulators and others have all said DORA could mean a whirlwind change in the regulatory climate that banks and other financial firms face in relation to their digital infrastructure and assets.

A whirlwind indeed, since many European banks may still not be prepared for DORA. At least that was the stark warning from the European Central Bank (ECB) at the end of last year.
The ECB stated that a host of banks across Europe still face major IT challenges and their software testing practices are not up to scratch.
In fact, IT security risk assessment frameworks at numerous European financial institutions are in need of an upgrade, according to the central bank.
The ECB, the central bank of the European Union countries which have adopted the euro, wrote in a damning article in its November 2024 newsletter that “some banks are still facing challenges in implementing basic security controls and many key areas remain insufficiently developed in certain banks.”
The central bank stressed “these areas include security testing, vulnerability management, network segmentation, security detection, response and recovery capabilities and identity and access management.”
Moreover, “IT security risk assessment frameworks require significant improvement,” the ECB observed.
Framework
The DORA rules aim to strengthen oversight, operational resilience and the relationship between banks and other financial institutions and the firms that manage, run, test and update their software infrastructure.
The European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) have been tasked with jointly developing and rolling out the technical standards that flesh out the EU’s new ICT framework; day-to-day supervision of individual financial entities remains with national competent authorities.
“The finance sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyberattacks or incidents,” EIOPA recently explained.
“When not managed properly, ICT risks can lead to disruptions of financial services. This, in turn, can have an impact on other companies, sectors, and even on the rest of the economy, which underlines the importance of the digital operational resilience of the finance sector. This is where the DORA regulation comes into play,” the body stressed.
DORA itself is an EU regulation (Regulation (EU) 2022/2554), so it applies directly without transposition; only its accompanying amending directive must be transposed into each Member State’s national law. EU Member States are responsible for establishing the penalties and remedial measures under DORA, which can apply to both natural and legal persons.
Additionally, Member States can apply the penalties or remedial measures of a legal entity to members of its management body and other responsible individuals.
As a result, many companies must adopt new tools, methods and models to address each specific DORA requirement, Golan stressed.
He explained that many banks are turning to cyber risk quantification (CRQ), the process of translating an organisation’s cyber risk into broader business terms, such as event likelihoods and financial impacts.
While there are various quantification approaches, the one most applicable to DORA compliance is the on-demand CRQ model, Golan explained.
This type of CRQ enables businesses to evaluate their cyber risk posture and provides data-driven insights on how to lower their exposure.
After all, DORA spells out detailed criteria for the classification, management, and reporting of ICT risks. It also includes comprehensive recurring testing of these systems and a set of requirements for managing and monitoring ICT-related risks in the finance sector.
What is important to note is that the new regulation expands its scope beyond traditional financial institutions to include the ICT third-party service providers that run technology services for them, as well as organisations such as insurance companies and reinsurers.
The DORA regulation sets out specific requirements with regards to ICT risk management and governance, incident reporting, third-party risk management as well as operational resilience testing and threat sharing.
On testing, ICT systems must be tested regularly to evaluate their performance, identify vulnerabilities and remediate them in a timely manner.
On threat sharing, DORA allows financial institutions to set up arrangements to exchange cyber threat information and intelligence, including on vulnerabilities, with one another, and requires them to notify their competent authority when they join such an arrangement.
In summary, from today financial services firms are required to have in place sound, effective and comprehensive strategies, processes and systems that enable them to comply adequately with the applicable operational resilience requirements, Golan noted.