January 8, 2025
What is the Digital Operational Resilience Act (DORA)? What financial database & developer teams need to know
Effective January 17, 2025, the Digital Operational Resilience Act (DORA) is a European Union (EU) regulation intended to enhance the ability of financial entities to prevent, minimize, and recover from modern threats to the digital economy. Specifically, it focuses on the ICT (Information and Communication Technology) systems of financial institutions, and extends to entities connected to these organizations’ ICT infrastructure.
Critically, for organizations in the United States and other regions, DORA applies to any financial institutions (and tech vendors serving them) doing business in the European Union. As such, many organizations might choose to treat DORA as a global standard internally.
The new DORA regulations aim to ensure that financial institutions can withstand, respond to, and recover from disruptions and threats to their IT/ICT ecosystems. Their goal is to protect consumers from financial losses, data breaches, and service interruptions caused by technological failures or cyberattacks. They also aim to protect businesses from operational disruptions, reputational damage, regulatory penalties, and financial risks associated with ICT vulnerabilities or failures.
With DORA in full force in 2025, every team on the financial application and data pipeline needs to lock down what compliance means for their environments and workflows:
- Information and security leaders in finance and related industries should take a top-to-bottom look at their organization’s tech stacks, data stores, and pipelines to ensure compliance and avoid consequences, including fines.
- Developers, database administrators (DBAs), plus DevOps, platform, and data teams should likewise take a tactical approach to ensuring compliance by updating workflows and protections.
Developing a solid understanding of DORA, as well as a strategy to automate and integrate database change management with the rest of the CI/CD pipeline, can streamline and solidify compliance.
DORA or DORA? DevOps Research Assessment vs Digital Operational Resilience Act
Confusingly, DORA can mean two very different but very important things to audiences with plenty of overlap. DORA can refer to:
- The European Union’s Digital Operational Resilience Act, aimed at strengthening data security in financial services and institutions, in effect January 2025.
- The DevOps Research Assessment, a renowned research organization known for identifying key DevOps metrics and releasing the annual Accelerate State of DevOps Report. These industry-aligning metrics include:
  - Deployment frequency (how often an organization successfully releases to production)
  - Lead time for changes (the time it takes for a code commit to reach production)
  - Change failure rate (the percentage of deployments causing a failure in production)
  - Mean time to recovery (MTTR) (the average time required to recover from a failure in production)
While both share the acronym “DORA,” the Digital Operational Resilience Act pertains to regulatory compliance within the financial sector, focusing on operational resilience against digital disruptions. In contrast, DORA Metrics are performance indicators used within DevOps teams to measure and improve software delivery processes.
If the “DevOps metrics DORA” is what you’re looking for, check out: Database pipeline analytics: Optimizing workflows with database observability metrics.
Why was DORA created?
The genesis of DORA can be traced back to the increasing frequency and sophistication of cyberattacks targeting financial institutions. As cybercriminals become more adept at exploiting vulnerabilities, the potential for large-scale disruptions has grown significantly.
Recognizing the critical importance of operational resilience in maintaining financial stability, the European Commission proposed DORA as part of its Digital Finance Strategy. This legislative initiative seeks to create a unified, standardized, and consistent approach to digital resilience across EU member states.
What kind of organizations fall under DORA’s regulations?
With a broad spectrum of coverage over the modern digital financial ecosystem in Europe, DORA unites a diverse sector of institutions and technologies including:
- Traditional financial institutions like banks, credit unions, and long-term savings institutions
- Investment and asset management firms like hedge funds, investment funds, and private equity
- Insurance providers that cover life, property, health, auto, and even other insurance companies
- Payment services like digital wallets and payment processors, digital cash, and credit/debit cards
- Financial market infrastructure like stock markets, clearing houses, and trade data repositories
- FinTech companies like digital lenders, automated investment platforms, and cryptocurrency technology
- Pension and retirement funds
- Third-party ICT (Information/Communication Technology) providers
While most of these are familiar and self-explanatory, the final category opens its own can of worms.
What third-party ICT providers fall under DORA’s scope?
Third-party ICT providers, in the world of DORA, include companies and organizations that provide technology services and infrastructure critical to the operations of financial entities.
Even though these companies are not financial institutions themselves, their role in supporting financial systems makes them subject to DORA oversight. Their vulnerabilities can directly impact the resilience of the financial sector, so they need to take on the same accountability in support of their financial user base and the economy they sustain.
DORA’s third-party ICT providers can include:
- Cloud computing services that deliver scalable infrastructure, storage, and computing resources
  - Common examples: Amazon Web Services (AWS), Microsoft Azure, Google Cloud
- Software-as-a-Service (SaaS) solutions for general or specialized financial processes
  - E.g., Salesforce, SAP Concur, DocuSign
- Payment processing platforms, even if not connected to a bank, that facilitate payments and transfers
  - E.g., Stripe, Worldpay, SWIFT
- Cybersecurity and risk management tools used to protect financial systems from cyberattacks, fraud, and vulnerabilities
  - E.g., CrowdStrike, Palo Alto Networks, Darktrace
- Data centers and hosting providers that offer infrastructure and storage for financial data and applications
  - E.g., Equinix, IBM, Iron Mountain
- Managed IT service providers (MSPs) that manage operations with accountability for financial system resiliency
  - E.g., Accenture, IBM
- FinTech infrastructure providers with industry-specific solutions and niche technologies for digital financial innovations
  - E.g., Plaid, Snowflake, Fiserv
- Independent Software Vendors (ISVs) outside of the above categories, including any on-premises software at a financial institution that helps run the business or achieve custom solutions
  - E.g., ERP, CRM, financial, HR, risk detection, and other business systems
If these third-party providers experience disruptions or breaches, the financial institutions that rely on them could face cascading failures, exposing them to financial, operational, and reputational risks. Thus, they’re subject to the same resilience testing, risk oversight, and reporting requirements as a traditional bank.
This scope ensures the entire financial ecosystem — including critical ICT providers up and down modern, distributed pipelines — is robust, secure, and prepared to handle disruptions effectively and with minimal fallout.
Key elements of the Digital Operational Resilience Act (DORA)
Let’s get to the meat of it: the rules and provisions DORA sets for financial entities in order to enforce the strength and modernization of the European Union’s digital economy. The goal of these guidelines is to comprehensively cover operational resilience from avoidance (risk management) to cleanup (incident response).
Risk management and governance
At the heart of DORA is its focus on building strong, adaptable frameworks for managing digital risks. Financial institutions need to create strong, modern, and reliable risk management strategies that assess vulnerabilities across their ICT systems – and evolve as quickly as threats do.
This means not only identifying and mitigating risks but also fostering a culture of proactive resilience throughout the organization. Clear governance mechanisms and traceable automated workflows are essential to ensure oversight and control of these efforts, especially at the scale of modern pipelines and data ecosystems.
By staying ahead of potential disruptions and protecting critical operations and infrastructure, DORA pushes institutions to embed this level of resilience in their risk and governance strategies.
But what if something does happen?
Incident reporting and management
To meet DORA’s requirements, and ensure transparency and accountability, financial institutions need to prove the timeliness and accuracy of their incident reporting. That includes clear protocols for identifying, reporting, and responding to significant ICT incidents that could disrupt operations or compromise data. These protocols need to:
- Support rapid recovery efforts
- Minimize the impact of disruptions
- Maintain operational integrity
- Be regularly audited and updated
- Align with industry best practices
This approach safeguards transactions and other operations in the digital economy, while also reinforcing confidence among regulators, shareholders, customers, and anyone else with a stake in the market.
Risk management of third-party ICT providers
DORA wants the same level of risk aversion throughout financial data pipelines, even when they extend to external platforms or embedded systems. Yes, nearly every integration across development environments and data storage is likely subject to DORA compliance. Financial institutions must rigorously evaluate and continuously monitor their third-party service providers to ensure compliance with resilience standards.
This includes:
- Conducting due diligence to assess provider capabilities
- Defining clear contractual obligations around risk management
- Establishing pipeline and database observability for ongoing oversight
- Maintaining open communication with providers to identify and address potential and future risks
By taking a hands-on and integrated approach to third-party risk management, financial institutions can better protect their operations and meet DORA’s requirements.
Threat intelligence and testing
To stay ahead of cyber threats, DORA mandates proactive threat intelligence programs and continuous testing of ICT systems. Financial entities need to conduct penetration tests, vulnerability assessments, and scenario-based exercises to identify weaknesses and fortify their digital infrastructures. These activities provide invaluable insights into the evolving threat landscape, enabling teams to refine their security strategies and improve their ability to detect and neutralize risks.
Regular testing ensures enduring resiliency in the face of sophisticated modern attacks, while threat intelligence programs help anticipate emerging challenges.
DORA is effective January 17, 2025: Timeline and implications
DORA became law in 2023, and financial entities must meet compliance requirements by January 17, 2025.
Financial institutions and third-party ICT providers must prioritize:
- Conducting risk assessments of their ICT systems
- Establishing governance mechanisms for risk management and incident response
- Implementing continuous testing and monitoring for resilience
- Ensuring third-party ICT providers align with compliance standards
Early action allows organizations to identify gaps, create strategies, and allocate resources effectively, avoiding last-minute disruptions.
Transition to full compliance
The transition period, roughly from the law’s adoption in 2023 to its effective date in January 2025, is a critical window for organizations to operationalize DORA’s requirements:
- Build traceable processes for managing risks, incidents, and audits
- Strengthen infrastructure to withstand cyber threats and disruptions
- Incorporate tools like database observability and automated governance to enhance compliance capabilities
Consequences of non-compliance
Failure to comply with DORA carries significant consequences:
- Fines of up to 2% of global annual turnover or 1% of average daily turnover for financial institutions
- Operational disruptions due to regulatory penalties that may limit or suspend operations
- Reputational damage, such as loss of customer, shareholder, or regulatory trust
- Increased exposure to risk due to unaddressed vulnerabilities
Compliance ensures financial institutions remain secure, competitive, and aligned with the EU’s push for a resilient digital economy.
How to prepare for the EU’s Digital Operational Resilience Act (DORA)
Achieving compliance with DORA requires financial entities to embrace best practices that build resilience, streamline workflows, and enhance security.
Overall best practices
- Conduct regular risk assessments to evaluate vulnerabilities and mitigate risks proactively
- Adopt automation to streamline governance, incident reporting, and testing to ensure efficiency and accuracy
- Foster collaboration to align developers, DBAs, and others to create cohesive and traceable workflows
- Shift-left security and build systems with robust encryption, access controls, and monitoring
- Focus on scalability and resilience to develop processes capable of adapting to new threats and regulatory changes
- Enact database observability to improve incident response time and reporting, and to make potentially costly audits more efficient
Development teams
- Build secure, compliant systems that align with DORA’s requirements
- Implement secure coding practices
- Prioritize CI/CD pipeline automation
- Incorporate resilience testing into workflows
Database administrators
- Ensure traceable, auditable database change management
- Automate schema changes
- Test rollback scenarios for resilience
- Monitor compliance across environments
- Detect and prevent database drift
DevOps and platform engineering
- Maintain resilient pipelines that meet DORA standards
- Deploy observability tools
- Regularly test disaster recovery
- Align platform engineering with regulatory requirements
DataOps
- Govern data pipelines to ensure security and compliance
- Track data lineage
- Automate policy enforcement
- Secure sensitive data workflows
- Detect and prevent database drift
IT and business leaders
- Oversee compliance initiatives to meet DORA goals
- Conduct risk assessments
- Prioritize compliance investments
- Evaluate and manage third-party provider adherence
Streamlining DORA compliance with database DevOps automation
Integrating database compliance with existing pipelines through database DevOps automation helps keep organizations efficiently in line with the EU’s Digital Operational Resilience Act. Automation is critical to scaling compliance efforts effectively.
By automating database DevOps – schema change, governance, resilience testing, observability, and security protocols – teams can meet DORA’s stringent requirements while reducing manual overhead.
Ensure compliance with the Digital Operational Resilience Act (and other compliance frameworks) without slowing down development or data pipelines. Learn how in one of our most popular and impactful guides: Database Compliance in a CI/CD World