Navigating the digital frontier | World Finance

Author: Georgios Argytakis, Executive Director, Just2Trade


The Digital Operational Resilience Act (DORA) is a landmark European regulation that aims to strengthen the digital infrastructure of financial entities, ensuring that they can withstand and recover from information and communication technology (ICT) disruptions. DORA introduces a uniform framework for managing ICT risk across the EU. However, given that many companies still have fragmented systems, legacy infrastructure and inconsistent risk practices, aligning existing risk management frameworks will require a revision of governance, technical controls and reporting, in particular for companies operating in multiple jurisdictions. DORA also makes financial entities directly responsible for ICT risks posed by third-party suppliers, such as cloud service providers or data processors.

For this reason, these companies will need much more rigorous supplier contracts, oversight and exit strategies. It is important to emphasize that some large suppliers, especially cloud suppliers based in the United States, may not easily align with DORA-centered standards.

As a leading European brokerage firm that gives its customers access to more than 128,000 financial instruments, including shares, bonds, futures, options, investment funds and Forex, Just2Trade is at the forefront of implementing DORA’s rigorous requirements in its business model and aligning DORA with existing regulations such as the General Data Protection Regulation (GDPR) and European Banking Authority (EBA) Guidelines, as well as European banking standards.

The five pillars of DORA
DORA became an official regulation on January 16, 2023, but only entered into force on January 17, 2025 after a two-year implementation period, during which financial entities had to align their operations with the new requirements.

The regulation is enforced by the three European Supervisory Authorities (ESAs): the EBA, the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), which are responsible for developing regulatory technical standards (RTS) and implementing technical standards (ITS) in order to provide detailed guidance on DORA. Although certain standards are already in force, others are awaiting adoption, requiring financial entities to engage proactively to keep up to date with regulatory developments. As a regulatory framework, DORA is designed to improve digital operational resilience in the EU financial sector, and has five key pillars that capture what it aims to accomplish and the type of strong and healthy business environment it wishes to support. Its main objective is to ensure that financial entities can maintain critical operations during serious ICT disruptions, thus guaranteeing the stability of the financial system.

DORA is designed to improve the digital operational resilience of the EU financial sector

Since risk management is the cornerstone of the mandate, financial entities are required to establish robust ICT risk management frameworks. This includes implementing comprehensive policies to identify, assess and mitigate ICT risks, and to ensure that systems are secure, up to date and capable of withstanding cyber threats. DORA also requires standardized procedures for reporting major ICT-related incidents, obliging organizations to classify incidents according to severity and to report them to the competent authorities within specified deadlines, which allows rapid responses and systemic risk assessments.

DORA highlights the importance of regular digital operational resilience testing, which is compulsory for most investment companies. This involves a variety of tests, including scenario-based tabletop tests, vulnerability assessments, open-source analyses, performance tests and threat-led penetration testing (TLPT) for entities deemed systemically important, to ensure preparedness for potential cyber attacks.

Given the heavy reliance on third-party ICT service providers, DORA imposes strict requirements for managing these relationships. Financial entities must carry out appropriate due diligence, maintain detailed records of contractual arrangements and ensure that providers of critical services comply with resilience standards. The final pillar encourages voluntary information sharing between financial entities concerning cyber threats and vulnerabilities, improving awareness and response capabilities across the sector.

DORA has a comprehensive scope encompassing a wide range of financial entities, in particular: credit, payment and electronic money institutions, investment companies, crypto-asset service providers, insurance and reinsurance companies, central securities depositories, trading venues and crowdfunding service providers. In addition, DORA extends to third-party ICT service providers, in particular those deemed critical to financial entities’ operations. These providers will be subject to an oversight framework established by the ESAs, ensuring their compliance with resilience standards.

Implementation challenges
Implementing DORA to ensure compliance and resilience poses several challenges for financial entities, including the need to carry out in-depth reviews of their current ICT infrastructure to identify all vulnerabilities and implement robust risk management frameworks. This will also mean updating information security policies and establishing business continuity plans, in order to ensure that ICT systems are resilient against emerging cyber threats. To comply with DORA’s incident reporting requirements, financial entities will need to develop and maintain standardized procedures to detect, classify and report ICT incidents quickly and accurately. This requires investment in monitoring tools and comprehensive staff training, which can strain operational resources and capacity.

The EU financial sector can remain better protected against growing cyber threats

Under DORA, regular operational resilience tests are essential to assess preparedness for cyber attacks and operational disruptions, with any identified weakness addressed through targeted remediation efforts, which can be operationally disruptive. And while DORA promotes collaboration, building a culture of open information sharing can be difficult because some institutions may hesitate due to competitive concerns or fear of reputational damage, which makes it a challenge to create trust and transparency in the sector.

Given the sector’s reliance on third-party ICT service providers, financial institutions must apply stricter due diligence processes. This means that legal and compliance teams play a central role in navigating the new and complex regulatory landscape. They must interpret the regulatory requirements and ensure organizational alignment, draft and revise contracts with ICT service providers to include DORA’s mandatory provisions, develop internal policies and procedures for incident reporting and risk management, and provide training and advice to staff on compliance obligations.

Advantages for Just2Trade customers
DORA’s implementation will result in a number of significant advantages for Just2Trade customers, in particular the ability to prepare for and manage potential IT incidents effectively, which results in less downtime, fewer service disruptions and smoother access to financial services for customers, even during technical or cyber crises. In addition, the implementation of robust cybersecurity controls and regular testing will give customers better protection of personal and financial data against hacks, leaks and fraud.

Like all financial entities, under DORA, Just2Trade must record and report major ICT incidents, including their impact and the response, which will result in increased transparency about problems that could affect its customers’ money, personal data or digital services. In addition, the application of stricter rules on how third-party technology partners and cyber risk are managed will lead to higher levels of service reliability and resilience, increasing customer confidence when using Just2Trade’s trading platforms and investment tools.

Overall, DORA’s implementation reduces the systemic ICT risks that Just2Trade faces, resulting in a safer financial ecosystem for customers with less chance of industry-wide failures due to technological breakdowns or cyber attacks. This is why Just2Trade has prioritized compliance with DORA to protect its operations and maintain the confidence of stakeholders. Although the journey presents challenges, it also offers the opportunity to improve digital resilience and promote a culture of security and preparedness.

By embracing the DORA framework, the EU financial sector can remain better protected against growing cyber threats, ensuring stability and continuity in an increasingly digital world.
