Andreas Papaetis: DORA as a pillar of digital resilience in the financial sector
14:20 - 22 May 2025

The European Union has set out to protect businesses and consumers from unforeseen digital crises with the Digital Operational Resilience Act (DORA), a key tool for ensuring that organisations keep functioning under challenging conditions.
Compliance with DORA’s pillars—such as risk management and information security—is essential for maintaining the credibility and sustainability of businesses in today’s digital environment.
At the 11th International Compliance Forum, presented by ECOMMBX, Andreas Papaetis, Senior Policy Expert at the European Banking Authority (EBA), focused on issues related to operational resilience, speaking about the challenges of DORA’s implementation and what lies ahead.
Papaetis presented the DORA framework as the EU’s response to the financial sector’s growing dependence on information and communication technology (ICT) services, and the emergence of threats such as ransomware attacks and distributed denial-of-service (DDoS) incidents.
Many of these incidents stem from vulnerabilities in third-party technology providers, exposing gaps in existing regulatory coverage. DORA introduces, for the first time, a cohesive pan-European legislative framework specifically designed to strengthen the digital resilience of the financial sector.
Initiated in 2019 with technical advice from the European Supervisory Authorities (ESAs), the regulation entered into force in January 2023 and has applied since January 2025. The vision is clear: to unify and raise ICT risk management requirements across the EU's financial landscape, streamline compliance obligations, and help institutions withstand digital disruption.
The five core pillars of DORA’s approach
- Harmonised ICT risk management;
- ICT-related incident management, classification and reporting;
- Operational resilience testing;
- Oversight of third-party ICT service providers;
- Information sharing on cyber threats.
These measures are not applied uniformly, but follow the principle of proportionality—each entity must implement them based on its size, nature, and risk exposure.
A key innovation is the new supervisory framework for critical third-party ICT providers (CTPPs). Oversight will be handled by the three European supervisory authorities (EBA, EIOPA, ESMA), assessing these providers’ ability to manage risks that could impact the stability of financial institutions.
This framework does not replace national supervision, but offers complementary support, with a focus on transparency and systematic monitoring.
According to Papaetis, compliance with DORA is not just a regulatory requirement, but a prerequisite for maintaining market trust. The cost of non-compliance—financial, reputational, and systemic—could far exceed the cost of adopting a solid ICT risk management framework.
Moreover, the ability to report incidents in a standardised and comparable manner, along with the formalisation of advanced resilience testing, will significantly boost the financial sector’s preparedness for future digital crises.
With the regulation now applicable since January 2025, businesses are urged to intensify their efforts, not only by investing in technology and contracts with reliable providers, but also by fostering a culture of digital resilience that permeates their entire organisational structure.
One of Papaetis' key messages to the business world was clear: adopting DORA can become a competitive advantage for companies that move strategically in the evolving digital landscape.