DORA Regulation: How We Implement It at Powens Group

January 26, 2026

Since coming into force in January 2025, the DORA regulation (Digital Operational Resilience Act) has been a key part of a series of European measures focused on digital finance.

This regulation creates a global regulatory framework for IT operational resilience and the cybersecurity of financial entities, including banks, insurance companies, and investment firms, as well as non-traditional entities such as crypto-asset service providers and crowdfunding platforms. 

Below, we break down DORA’s importance and, with the help of Powens Group’s Compliance and Security teams, explain how this regulation has been implemented in our platform.

What is DORA?

DORA is a European regulation designed to strengthen the operational resilience of financial institutions and their service providers. It ensures that companies – including those like Powens – can withstand, respond to, and recover from any kind of IT-related disruption, whether caused by a cyberattack, technical failure, internal failure, or third-party incident.

The 5 main pillars of DORA

Infographic showing the five main pillars of the EU DORA Regulation

The EU DORA regulation identifies five pillars essential to achieving the strong operational resilience mentioned above: 

  • ICT risk management
  • Management, classification, and reporting of information and communication technology (ICT) incidents
  • Testing of digital operational resilience
  • Third-party risk management 
  • Sharing of information between financial entities (on cyber threats)

Together, these pillars serve as a foundation to build resilience, mitigate ICT risks, and respond to digital threats in a coordinated, standardized way.

Why is the DORA regulation important for financial services entities?

As the financial industry grows increasingly reliant on technology and its service providers, financial entities are more vulnerable to emerging cyberattacks, system failures, and other digital disruptions. DORA directly addresses this by ensuring operational continuity in the face of such risks, ultimately enabling financial entities to take more effective action and strengthen their overall IT risk management systems. Claire Jeandel, Head of Compliance at Powens, explains:

“Financial entities must ensure their ability to resist, respond to, and recover from disruptions linked to ICTs. The DORA regulation encourages these financial institutions to integrate digital resilience into an overall enterprise-wide strategy, with particular implications for governance.”

In addition, DORA simplifies compliance for businesses operating across borders. By providing a single, harmonized framework of rules for all European financial entities, regardless of size (although a principle of proportionality is applied), it eliminates previous overlaps or gaps between national regulations. 

What are the potential impacts of DORA for payment institutions or EMIs?

For regulated entities, the impacts are numerous.

Digital resilience must be integrated into an overall enterprise-wide strategy, with implications for governance and risk management in particular. 

The DORA regulation establishes a set of rules and standards designed to mitigate ICT-related risks for financial entities, requiring them to adopt a proactive approach to IT risk management to ensure business continuity in the event of an incident.

As per the five pillars, the non-exhaustive list of impacts includes:

  • Governance & oversight: Executive Committee (Excom) and board sessions must dedicate time to ICT topics, including risk management, governance, and incident reporting.
  • Formal structures: Establish formal committees involving both operational and management bodies specifically for ICT oversight.
  • Risk & process reinforcement: Reinforce existing policies and processes related to ICT risk management.
  • Resilience testing: Reinforce the existing annual test plan and execute mandatory operational tests for digital resilience.
  • Incident management: Reinforce incident management procedures, covering information, resolution, reporting to the national regulator, and post-incident feedback.
  • Third-party risk management:
    • Reinforce third-party management, reviewing current contracts and including new, DORA-compliant clauses.
    • Evaluate risks associated with outsourced ICT services that support critical functions.
    • Report annually to the national regulator on all outsourced ICT services.
    • Organize a steering committee with every ICT provider that supports critical functions.
  • Threat intelligence sharing: Participate in a working group to enable the sharing of information with other financial entities regarding cyber threats.

How do we implement the DORA regulation at Powens Group?

At Powens, DORA implementation has been more than a regulatory exercise; it’s been a strategic opportunity to strengthen operations and protect the ecosystem. As Jonathan Signorino, Chief Information Security Officer at Powens, states:

“We began by mapping every DORA requirement and control, aligning them with our internal framework. Each control was assigned a clear owner, a defined process, and specific evidence to support ongoing compliance. This approach gives us full visibility and accountability across all teams, ensuring that operational resilience is built into every layer of our organization.”

There’s also been a strong focus on awareness and education. DORA is not a security-only topic; it’s part of our company-wide mindset. Powens has integrated it into daily operations through workshops and documentation, and by helping every team understand their role in maintaining resilience.

Treating DORA as a living framework rather than a static checklist ensures continuous improvement and real-world readiness, turning compliance into a driver of trust, maturity, and efficiency.

How does DORA ensure trust for our customers and partners?

“DORA represents a shared commitment to resilience and reliability across the financial ecosystem, and for us, it’s a cornerstone of how we earn and maintain trust.” – Jonathan Signorino.

By implementing DORA, Powens not only complies with regulatory expectations but also proactively strengthens its ability to withstand operational, cyber, and third-party risks. Our clients and partners can rely on the fact that our systems are continuously tested, our processes are transparent, and our governance is robust and auditable.

This transparency and rigor translate directly into confidence for our clients and partners that their data, operations, and customer experiences remain protected even under pressure.

Ultimately, the DORA regulation helps us reinforce what trust really means: consistency, preparedness, and accountability. Through it, we’re building not just compliance but resilience and long-term partnerships based on reliability and shared values.

Want to know how Powens Group can help your business align with DORA? Contact our experts to start the conversation.

Hundreds of companies already benefit from our solutions.

We’d love to help you too.

Send us a message and our team will be in touch shortly.
