DORA is in force across the EU financial sector. Here is what it requires — and where digital trust does much of the work.
The Digital Operational Resilience Act (DORA) has applied since 17 January 2025, creating a single, binding framework for managing information and communication technology (ICT) risk across roughly 22,000 financial entities in the EU. From large banks to small payment firms, including the ICT providers that serve them, DORA expects organisations to withstand, respond to and recover from ICT disruptions. For DACH financial institutions, it is now a board-level priority, not a future project.
The five pillars of DORA
- ICT risk management. A comprehensive framework to identify, protect, detect, respond and recover, with cryptography and access control at its core.
- Incident management and reporting. Classify ICT-related incidents and report major ones to regulators within defined timelines.
- Digital operational resilience testing. Regular testing, including threat-led penetration testing for significant entities.
- ICT third-party risk management. Oversight of providers, contractual safeguards, and monitoring of critical third parties.
- Information sharing. Voluntary exchange of cyber threat intelligence among financial entities.
Where digital trust does the heavy lifting
Much of DORA’s ICT risk-management pillar is satisfied by sound cryptography and identity. Encryption with disciplined key management protects data in transit and at rest. Strong, phishing-resistant authentication controls access to critical systems. Public-key infrastructure underpins the integrity and authenticity of communications and machine identities, while digital signatures and timestamps make records tamper-evident and auditable. Get these foundations right and you address a substantial part of the framework directly.
DORA’s demand for demonstrable, well-governed decisions calls for the same evidentiary strength, and this is where qualified electronic signatures (QES) under eIDAS come in. Organizations increasingly need to be able to demonstrate that security-critical decisions were made properly and as part of an accountable decision-making process for example, management approvals of risk-management measures. QES provides the most robust evidentiary value for this (high legal validity, non-repudiation), which can make the difference during audits or in disputes before the supervisory authority.
A practical starting checklist
- Confirm scope. Determine how DORA applies to you and to your critical ICT providers.
- Assess your ICT risk framework. Map current controls against DORA’s expectations and find the gaps.
- Strengthen cryptography and access. Deploy encryption, key management and phishing-resistant authentication for critical systems.
- Tighten third-party oversight. Review contracts and monitoring for critical ICT suppliers.
- Prepare evidence. Ensure controls are documented and demonstrable for regulators.
How we help
CRYPTAS provides the encryption, key management, HSM, PKI and strong authentication that sit at the heart of DORA’s ICT risk-management requirements. We help financial entities close the technical gaps with auditable controls — protecting data, securing access, and proving integrity to regulators and partners alike. Where DORA expects records and approvals to be tamper-evident and provable, primesign adds qualified electronic signatures and timestamps under eIDAS, giving critical documents high legal validity and non-repudiation that stand up in a regulatory audit.
Preparing for a DORA audit? Talk to CRYPTAS and primesign about strengthening your ICT cryptographic, identity and signature controls.