Navigating Digital Operational Resilience Act (DORA) Compliance and Security

As financial institutions increasingly rely on technology, maintaining trust with customers, investors, and the public has become even more critical. Technology automates operational processes and workflows, including regulatory compliance tasks such as audit reporting overseen by the European Supervisory Authorities. However, that same automation can make information harder to track across a complex data landscape and increase the associated security risk. According to the Identity Theft Resource Center's (ITRC) recent Consumer & Business Impact Report, the financial services sector is one of the three most targeted industries for security breaches, alongside healthcare and professional services.1

The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that aims to strengthen financial institutions’ cybersecurity and digital resilience. It came into force on January 16, 2023, and now applies as of January 17, 2025.2

The act seeks to strengthen the IT security of financial entities such as banks, insurance companies and investment firms, so that the financial sector in Europe remains resilient in the event of a severe operational disruption. DORA harmonizes the operational resilience rules for the financial sector, applying to 20 different types of financial entities and to the information and communication technology (ICT) third-party service providers that serve them.3

Understanding the Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act affects financial institutions, such as banks and investment companies, as well as non-traditional entities, including cryptocurrency service providers and crowdfunding platforms. It requires businesses to manage third-party risks effectively, ensuring that their service providers also comply with high standards of operational resilience. 

There are five core pillars to DORA. These include measures for the protection, detection, containment, recovery, and repair of ICT-related incidents, as follows: 

  • ICT risk management – Financial institutions need to develop robust risk frameworks to evaluate the impact of internal and external threats and mitigate against them. 

  • Incident reporting – Organizations must establish transparent and robust procedures for timely and accurate reporting of ICT-related incidents.  

  • Digital operational resilience testing – Organizations must regularly test ICT services and systems (both basic and advanced testing) to ensure resilience. 

  • Third-party risk management – Financial institutions have a responsibility to conduct due diligence and develop an oversight framework for critical ICT third-party providers to monitor risk.  

  • Information sharing – This includes creating a framework for information sharing and intelligence on cyber threats in compliance with current data protection laws. 

DORA recognizes that ICT incidents and a lack of operational resilience can threaten the stability of the entire financial system, even when "adequate" capital is allocated to traditional risk categories. DORA closes this gap by ensuring that operational resilience is not merely about financial buffers, but about the ability to withstand and recover from ICT disruptions.4

Like GDPR, DORA reaches beyond the EU's borders. It applies to financial entities authorized and supervised in the EU and to the ICT third-party service providers on which they rely, regardless of where those providers are established. A non-EU group with EU-authorized subsidiaries, or a non-EU provider supplying ICT services to EU financial entities, is therefore in scope. Non-EU businesses must interpret and apply DORA's detailed requirements correctly, which often calls for local expertise and can increase costs significantly. Of 350 chief information security officers recently surveyed on their DORA preparations, 47% of those in the UK and 38% in the EU said their organization had spent over €1m on compliance.5

The Risks of DORA Noncompliance

Failing to comply with the Digital Operational Resilience Act can result in significant penalties for financial entities. The three European Supervisory Authorities, the European Banking Authority (EBA), EIOPA and ESMA, develop the technical standards and guidance that give DORA its detail and jointly oversee critical ICT third-party providers. Day-to-day supervision and enforcement against financial entities rests with the national competent authorities in each Member State.

The consequences of non-compliance can be severe and wide-ranging:

Financial Penalties - Penalties vary with the severity and nature of the violation. DORA itself sets periodic penalty payments for critical ICT third-party providers of up to 1% of their average daily worldwide turnover, applied per day for up to six months, to compel compliance with the lead overseer's requirements. For financial entities, DORA leaves the level of administrative penalties to national law, so the figures often quoted alongside it (up to 2% of total annual worldwide turnover, or up to €10 million) should be checked against the regime of the relevant Member State rather than assumed.

Operational Repercussions - Non-compliant businesses may face increased regulatory scrutiny and more frequent audits, increasing the resources needed and operational costs.

Operational Restrictions - Regulators may impose restrictions on certain business operations until compliance is achieved, including specific actions to remediate non-compliance issues (such as suspension of services, increased monitoring, limitations of working with third parties and restrictions on new business activities).

Reputational Damage - Non-compliance (as data breaches may be publicly disclosed) can lead to a loss of trust among customers, partners, and stakeholders, impairing sales and brand value.

Criminal Penalties - DORA allows Member States to pursue infringements under criminal rather than administrative law, so in extreme cases, particularly where there is evidence of negligence or willful misconduct, non-compliance could lead to criminal charges under national law.

Ensuring compliance with DORA is crucial to avoid these penalties and maintain operational resilience and trust.

DORA's Impact on Data Management 

DORA has a significant impact on data management within financial institutions:

1. Enhanced Data Security 

DORA's ICT risk management pillar requires financial entities to protect the confidentiality, integrity and availability of their data throughout its lifecycle. Its protection and prevention requirements (Article 9) call for policies that secure data at rest, in transit and in use, strong authentication, access to information assets limited on a least-privilege basis, and protection of the cryptographic keys that underpin these controls. In practice this means knowing where sensitive data lives, who and what can reach it, and being able to demonstrate that the controls are applied consistently across on-premises and cloud systems.

2. Improved Incident Detection and Response 

Financial institutions must establish robust incident detection and response mechanisms. This involves setting up systems to quickly identify and report data breaches and other ICT incidents, ensuring timely and effective responses.

3. Strengthened Third-Party Data Handling

DORA requires financial institutions to manage ICT third-party risks associated with third-party ICT service providers. This includes ensuring that third-party providers adhere to the same data security and resilience standards, thereby reducing the risk of data breaches through external partners.

4. Comprehensive Data Governance

DORA emphasizes the importance of data governance frameworks to ensure data accuracy, completeness, and compliance. Financial institutions must implement policies and procedures for data management, including data quality controls and regular audits.

5. Increased Transparency and Accountability

DORA promotes transparency and accountability in data management practices. Financial institutions are required to keep records of ICT-related incidents and a register of information on their contractual arrangements with ICT third-party service providers, and to make these records available to competent authorities upon request.

6. Regular Resilience Testing

Financial institutions must conduct regular testing of their ICT systems, including data management processes, to ensure operational resilience. This helps identify vulnerabilities and ensures that data management systems can withstand and recover from disruptions. 

By addressing these areas, DORA aims to create a more secure and resilient financial sector, capable of managing the complexities of modern data management.

How IDMC Can Help You Manage Your DORA Compliance Journey

As a comprehensive data management solution, Informatica Intelligent Data Management Cloud (IDMC) may help our customers and prospects support their DORA compliance efforts in several areas:

1. ICT Risk Management

IDMC provides comprehensive data governance and data catalog capabilities, which help identify, assess, and manage data across your business. IDMC integrates data from various sources, ensuring that data is consolidated and standardized. This unified approach helps maintain data consistency and accuracy, supporting better data insights, which is crucial for compliance reporting. By ensuring data accuracy, completeness, and reliability, IDMC supports robust risk management frameworks and reduces risk exposure. These capabilities align with the technical standards developed by the European Supervisory Authorities, including the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA), which shape DORA's compliance frameworks.

2. Incident Reporting

With its advanced data lineage and metadata management features, IDMC enables organizations to quickly trace and report data incidents. This ensures regulatory policies are consistently applied, improving the efficacy of reporting, essential for audit trails, which are a critical requirement under DORA.

3. Digital Operational Resilience Testing

IDMC's data quality and data governance tools facilitate continuous monitoring and testing of data processes. High data quality is crucial for accurate regulatory reporting and pipeline integrity, and IDMC's data quality management features cleanse, validate, and enrich data to that end. Financial entities must also maintain robust business continuity plans for broader operational risks; identifying data vulnerabilities and ensuring data integrity through these tools supports that planning.

4. Third-Party Risk Management

CLAIRE, IDMC's AI engine, integrates with other systems to support the assessment of third-party ICT service providers by analyzing their risk profiles and compliance status, addressing the ICT third-party risk pillar and helping manage the risks that external service providers introduce.

5. Data Sharing

IDMC supports secure and efficient information sharing through its data integration and governance capabilities. Cloud Data Access Management (CDAM) enables the creation and enforcement of policy-based security controls across the enterprise. These controls ensure that data access is restricted based on predefined policies, reducing the risk of unauthorized access and data breaches.  

Furthermore, IDMC unifies data integration, master data management, quality, governance, and security functionalities within a single, connected platform, streamlining management processes and improving operational efficiency. 

Overall, IDMC provides significant business value that supports regulatory compliance for financial entities:

  • Enhanced Data Protection: Automated sensitive data discovery and policy enforcement. By harnessing AI and ML, IDMC automates data management, increasing reliability and confidence in data pipelines. This approach enables organizations to identify risks proactively and to uphold data integrity through policy enforcement.

  • Improved Compliance: Build a comprehensive data governance framework that aligns with regulatory requirements. IDMC offers ready-to-use templates for data integration, cleansing, ETL processes, and taskflows; their pre-built logic can be customized to streamline compliance-related data workflows. IDMC also supports risk management by ensuring that high-quality data is used to identify, measure, and monitor risks across the credit, market, operational, and liquidity domains, which in turn supports compliance with regulations such as DORA.

  • Operational Efficiency: Streamlining data management processes reduces manual effort. IDMC's AI capabilities, including CLAIRE, provide advanced analytics for detecting patterns and anomalies in data, supporting the automation of regulatory reporting. IDMC democratizes data by providing transparent and efficient access to both technical and less technical users, enhancing data literacy and collaboration.

By leveraging IDMC, financial entities can strengthen their overall data management practices, improving operational resilience and data-driven decision-making while addressing several DORA requirements.

The Connected Data Platform Driving Better Enterprise Value

IDMC provides a comprehensive AI-powered connected data management platform that addresses regulatory compliance, including ESG standards, by helping reduce data risk and maximize transparency throughout the data lifecycle. It facilitates safer data use by monitoring and automating data discovery and classification, ingestion, integration, mastering, and quality controls, helping keep governed data clean, accurate, transparent, consistent and protected so that customers can meet regulatory requirements.

IDMC automates and streamlines policy compliance processes through its cloud-native platform, offering the flexibility and scalability to adapt to new regulatory mandates. This reduces manual workload and errors, and it lowers the risks that come with integrating multiple point solutions. Consistent policy enforcement and audit trails from a unified data management solution also improve cost-effectiveness and reduce the total cost of ownership.

IDMC can help organizations define and enforce data access rules that meet regulatory requirements in hybrid and multi-cloud environments, strengthening operational resilience by controlling data risk. For example, the UK Operational Resilience Framework requires financial services organizations to assess their impact tolerance for disruption, including supply chain concentration risk and dependence on a single cloud provider, particularly where important business services are outsourced.7 If a third-party provider and one of its own subcontractors (a fourth party) both run on the same cloud vendor, that concentration must be identified and mitigated through the organization's third-party risk management process. IDMC helps financial institutions comply with many industry regulations such as CCAR, BCBS 239, and BSA/AML by providing clean, valid, and transparent data for regulatory reporting.
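The fourth-party concentration check described above is easy to miss when a register of information is only reviewed one provider at a time. The following Python is an added example, not Informatica or IDMC code and not part of the original article: it walks a constructed, simplified register (provider, the functions it supports, the providers it subcontracts to) down to the infrastructure vendors that actually host each chain, then flags any critical or important function whose providers all collapse onto a single vendor. The register contents, function names and the "infrastructure" marker are assumptions for illustration only.

```python
"""Concentration-risk check over a simplified DORA-style register of information.

Constructed sample data for illustration; the schema is a simplification of
what DORA's register of information records. Not Informatica or IDMC code.
"""
from collections import defaultdict

# Constructed sample register. Each ICT provider lists the business functions
# it supports directly and the providers it in turn depends on (fourth
# parties). "infrastructure": True marks vendors that actually host workloads.
REGISTER = {
    "PaymentsSaaS":    {"functions": {"payments"},     "depends_on": {"CloudA"}},
    "FraudAnalytics":  {"functions": {"payments"},     "depends_on": {"DataBrokerX"}},
    "DataBrokerX":     {"functions": set(),            "depends_on": {"CloudA"}},
    "CoreBankingHost": {"functions": {"core-banking"}, "depends_on": {"CloudB"}},
    "HRPortal":        {"functions": {"hr"},           "depends_on": {"CloudA"}},
    "CloudA": {"functions": set(), "depends_on": set(), "infrastructure": True},
    "CloudB": {"functions": set(), "depends_on": set(), "infrastructure": True},
}

# Functions the entity has classified as critical or important (assumed).
CRITICAL_FUNCTIONS = {"payments", "core-banking"}


def terminal_providers(provider, register, _seen=None):
    """Return the infrastructure vendors that `provider` ultimately runs on,
    following subcontracting chains of any depth. A cycle in the register
    (a provider listed, directly or indirectly, under itself) is skipped
    rather than looping forever."""
    seen = _seen if _seen is not None else set()
    if provider in seen:
        return set()
    seen.add(provider)
    entry = register[provider]
    if entry.get("infrastructure"):
        return {provider}
    vendors = set()
    for dep in entry["depends_on"]:
        vendors |= terminal_providers(dep, register, seen)
    return vendors


def concentration_by_function(register, critical):
    """For each critical function, map every underlying infrastructure vendor
    to the set of direct providers whose chains end at that vendor."""
    report = {fn: defaultdict(set) for fn in critical}
    for name, entry in register.items():
        for fn in entry["functions"] & critical:
            for vendor in terminal_providers(name, register):
                report[fn][vendor].add(name)
    return {fn: dict(vendors) for fn, vendors in report.items()}


def single_vendor_exposures(register, critical):
    """Flag functions whose entire provider set funnels into one vendor: losing
    that vendor takes out every provider of the function at once. Returns
    {function: (vendor, sorted list of affected direct providers)}."""
    flagged = {}
    for fn, vendors in concentration_by_function(register, critical).items():
        if len(vendors) == 1:
            vendor, providers = next(iter(vendors.items()))
            flagged[fn] = (vendor, sorted(providers))
    return flagged


if __name__ == "__main__":
    for fn, (vendor, providers) in single_vendor_exposures(REGISTER, CRITICAL_FUNCTIONS).items():
        print(f"{fn}: all providers {providers} depend on {vendor}")
```

In the sample register the two payments providers look independent on paper, but FraudAnalytics reaches CloudA through DataBrokerX, so the payments function is flagged against CloudA with both providers listed. The HR portal shares the same vendor but is not classified as critical, so it does not appear; in a real review that classification is a judgement the entity has to make and record, not something the register can infer.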

The path forward for the modern enterprise involves holistic, comprehensive governance capabilities — an evolution from siloed solutions to integrated cloud platforms that provide connected data management for better customer outcomes.

Ultimately leveraging technology can enhance efficiency and streamline compliance processes to mitigate compliance risks, turning compliance into a strategic advantage that supports sustainable business growth and a strong reputation. 

Disclaimer

This document is provided for reference purposes only and is not part of, and does not otherwise create or amend, any agreement, warranties, representations or other obligations between you and Informatica.   

Financial entities are responsible for ensuring their own compliance with various applicable laws and regulatory requirements. Financial entities are solely responsible for obtaining professional legal advice as to the identification and interpretation of any relevant laws and regulations that may affect the customers’ business and any actions the clients may need to take to comply with such laws and regulations. Informatica does not provide legal, accounting or auditing advice. Informatica also does not represent or warrant that its services or products will ensure that Financial entities are compliant with any applicable laws or regulations.