
DORA compliance: what you need to know

30 June 2025


Dirk Jan Leppers, Product Manager

Digital disruption has become one of the most significant risks facing the financial sector. Cyber incidents, system outages and third-party failures can quickly threaten operational continuity. With the introduction of the DORA regulation, the EU aims to ensure that financial organisations are digitally resilient and prepared for disruption.

“Digital risks now have the same impact as financial risks,” says Dirk Jan. “DORA recognises that resilience must be managed at board level, not just within IT.”

Although the UK is no longer part of the EU, DORA remains highly relevant for UK organisations operating within European financial markets or working with EU-regulated entities.

What is the DORA regulation and why is it critical?

The DORA regulation (Digital Operational Resilience Act) is a comprehensive EU framework designed to strengthen ICT risk management across the financial sector. As binding EU law, it sets clear expectations for how organisations identify, manage and respond to digital disruptions.

According to Dirk Jan, DORA is about control and preparedness. “DORA does not assume that incidents will never happen,” he explains. “It requires organisations to demonstrate that they can absorb shocks and recover quickly.”

Which organisations must comply with DORA?

DORA compliance applies to a wide range of financial institutions, including banks, insurers, asset managers, payment service providers and fintechs; together these are the "financial entities" to which DORA applies.

UK-based organisations may fall under DORA if they:

  • operate in the EU;
  • provide services to EU-regulated financial entities;
  • are part of a cross-border financial group.

“DORA has a clear extraterritorial effect,” notes Dirk Jan. “UK organisations cannot ignore it if they are part of the European financial ecosystem.”

Understanding the core requirements of DORA

The DORA requirements are structured around a set of clearly defined DORA obligations covering five key areas:

  • ICT risk management;
  • Incident detection and reporting;
  • Digital operational resilience testing;
  • Management of third-party ICT risks;
  • Information sharing on cyber threats.

“What makes DORA unique is its integrated approach,” says Dirk Jan. “It connects governance, technology and third-party oversight into one regulatory framework.”

"When the time comes to provide data, you generate a complete DORA report with a single click."

- Dirk Jan Leppers, Product Manager | ISPnext

Digital Operational Resilience: the heart of DORA

At the core of DORA lies digital operational resilience, the ability to prevent, withstand, respond to and recover from ICT-related disruptions. This requires mature ICT risk management practices across the organisation.

“Digital operational resilience is not a one-off project,” Dirk Jan emphasises. “It is a continuous capability that must be tested, reviewed and improved.” This includes regular risk assessments, resilience testing and clearly defined responsibilities at senior management level.

How to prepare your organisation for DORA compliance

Preparing for DORA compliance starts with understanding your current maturity level in ICT risk management. Organisations should assess existing policies, controls and third-party arrangements against DORA requirements.

Dirk Jan advises a structured approach. “Start with visibility: know your critical systems, your key suppliers and your biggest risks. Only then can you close the gaps effectively.” Preparation should be phased, evidence-based and well documented.

Impact of DORA on third-party IT providers

DORA places significant emphasis on third-party risk. For IT providers, DORA means stricter oversight, clearer contractual obligations and greater transparency.

Under the DORA regulation, financial entities remain accountable, but IT providers are expected to actively support resilience, incident handling and audits. “Third-party providers are no longer just vendors,” says Dirk Jan. “They become part of the regulatory risk landscape.”

How ISPnext supports UK companies with DORA Compliance

ISPnext helps UK organisations achieve and maintain DORA compliance by structuring ICT risk management, supplier oversight and reporting processes.

“Our focus is on making digital operational resilience measurable and manageable,” explains Dirk Jan. By centralising data, risks and controls, ISPnext enables organisations to demonstrate digital operational resilience in a way that aligns regulatory requirements with day-to-day operations.

The 4 steps to DORA compliance

Want to know how your organisation can efficiently meet the requirements of the Digital Operational Resilience Act (DORA)? Download our comprehensive resource and discover practical steps to achieve compliance, manage risk and strengthen resilience to cyber threats.
