What is DORA? 

If your business operates in the EU financial sector—whether as a financial institution or third-party service provider—you should already be familiar with, and complying with, the Digital Operational Resilience Act (DORA), which went into full effect on January 17, 2025. 

DORA is a regulation implemented to strengthen the digital resilience of financial entities. Quite simply, the goal is to ensure that banks, insurance companies, investment firms, and other financial entities can withstand, respond to, and recover from cyberattacks, system failures, and other information and communication technology (ICT) disruptions. Of course, individual institutions have their own protections, controls, and protocols, but DORA creates a uniform regulatory framework across the EU. By harmonizing the rules related to financial operational resilience, DORA ensures a consistent approach for financial entities and ICT third-party providers in the region. DORA requires operational resilience to be continuously architected, tested, and demonstrable, not just documented.


"DORA marks a major shift in how digital operational resilience is viewed—especially in financial services. Rather than treating resilience as a checkbox or disaster recovery afterthought, DORA enforces it as a continuous, provable discipline. It pushes organizations to rethink everything from failover design and regional isolation to vendor dependencies and incident response. For cloud networking, this means building systems that can not only fail gracefully but also demonstrate repeatable recovery and resilience testing. It’s an opportunity to elevate architecture maturity while aligning with a clear regulatory framework. Having said that, organizations should re-think their resilience framework and consider testing and operational resilience as a continuous job and not just like a one-day exercise." 

Cristian Critelli, EMEA Lead Networking & Resilience Specialist Partner Solution Architect at AWS 


Why is DORA important?

No one questions the need to ensure the health of our financial systems, but what it takes to do that has evolved in our highly connected, digital age. Electronic transactions used to be big back-end organizational processes; today they’re available to individual consumers for just about everything via apps. According to The World Bank Group, the share of adults making or receiving digital payments worldwide grew from 35% in 2014 to 57% in 2021, and in high-income countries, 95% of adults made or received digital payments—and these numbers will only have increased in the past four years. 

The financial sector is attractive to cyberattackers, and threats are on the rise. According to the 2025 Modern Bank Heists Report, which looks at the cyber threat landscape among the world’s leading financial institutions, two-thirds of respondents said they have experienced a cyber incident in the last 12 months.

And it’s not just the financial institutions themselves. For example, in 2020, SolarWinds, an IT software company, was hit by a major breach. Even though the company itself isn’t a financial institution, many of its customers are and they were disrupted by the widespread outage. And, of course, not all risks are of the cybercrime variety. Network infrastructures are complex and sometimes things can go awry. While there’s no malicious intent, the resulting disruptions can be just as injurious to the business. As financial systems span hybrid and multicloud environments, resilience requires observability and control at the network fabric level, not just procedural fault tolerance.

How is DORA different from all the other regulations?

If you feel like you’re swimming in an alphabet soup sea of regulations—GDPR, NIS2, GLBA, PCI-DSS, HIPAA, SOC 2, the list goes on—you may be asking yourself if we really need one more. GDPR, NIS2 and DORA are all EU laws—does Europe really need all three? GDPR focuses specifically on protection and privacy of personal data, whereas the range of ICT risks covered by DORA is much broader. NIS2 focuses on enhancing the security of critical infrastructure and essential services, while DORA specifically targets financial institutions.

Here is a very brief at-a-glance view of some of the various privacy/security frameworks out there:

| Framework | Geo | Status | Focus | Target |
|---|---|---|---|---|
| DORA | EU | Law | Digital resilience from ICT disruptions | Financial institutions |
| GDPR | EU | Law | Protection and privacy of personal data | Everyone, including non-EU businesses that process personal data of individuals within the EU or offer goods and services to EU residents |
| NIS2 | EU | Law | Protection of critical infrastructure and essential services against cyber threats | Critical services, such as energy, transportation, healthcare, and telecommunications |
| GLBA | US | Law | Protection of sensitive data | Financial institutions |
| PCI-DSS | Global | Standard | Payment card security | Organizations that process, store, or transmit cardholder data |
| HIPAA | US | Law | Individually identifiable health information | Healthcare organizations and associated third parties |
| SOC 2 | North America | Voluntary framework | Protection of sensitive customer data | Service organizations, particularly SaaS companies and cloud vendors |
| CCPA/CPRA | California | Law | Use of personal information | Most businesses that process the personal data of California residents |
| FISMA | US | Law | Protection of sensitive data and information systems | Federal agencies in the executive and legislative branches, and contractors and other organizations working on behalf of those agencies |

While there is similarity and overlap in all of these frameworks, each one plays a distinct role by focusing on a particular area for a specific group of entities. DORA uniquely mandates provable recovery and resilience testing—not just protection or detection—making it more architectural in nature. Think of it as the regulatory version of defense in depth, the security strategy that uses multiple layers of protection to defend against threats.

There’s no one single security product that can protect organizations against all the cyber threats out there, so you layer up a variety of controls—firewalls, encryption, antivirus software, intrusion detection/prevention software, etc.—so that even if one layer fails, another one is there to stop an attack. The layering of all these regulations and standards helps ensure that the world’s data and systems are protected. 

I’m not a financial entity in the EU (and don’t provide services to one), so why should I care about DORA?

Even if you’re not subject to DORA today, it’s worth familiarizing yourself with its requirements and understanding where there may be potential gaps within your own ICT protections. It’s likely that EU financial companies and other covered businesses will be changing their contracts with partners, vendors, etc., and if you ever do want to do business with such organizations in the future, you’ll be prepared. 

In any case, DORA, like many of the other regulations and standards, provides a solid framework to assess the controls and protections you have in place. 

And, of course, knowing that financial organizations and associated businesses are being held to certain standards—and that those standards have teeth and are enforceable with real repercussions for non-compliance—brings some peace of mind about the resilience of our financial infrastructures. 

Now what?

Check out part two of this series to understand some of the specifics of DORA compliance.  

Bryan Ashley

VP of Product Marketing

Bryan is passionate about innovation, relentless pursuit of excellence, and expertise in global IT, cybersecurity, change management, and talent development. In his previous role at Microsoft Azure, he was an Azure Global Black Belt.
