+31 (0)43 30 88 400 | office@comex.eu
Security and compliance in the financial sector
Digital Operational Resilience Act, DORA
The Digital Operational Resilience Act, DORA, has been applicable to financial organizations in the EU since January 17, 2025. The regulation sets stricter requirements for digital resilience, ICT risk management, incident reporting, resilience testing, and oversight of critical IT service providers.
Who does DORA apply to?
The Digital Operational Resilience Act (DORA) applies to a wide range of financial institutions within the European Union. These include banks, insurers, investment firms, payment institutions and pension funds. In addition, the regulations apply to IT service providers that provide critical services to these institutions, such as cloud providers and data center providers.
DORA aims to make not only financial organizations themselves, but also their entire chain of service providers more resilient to digital threats. This means that both large financial institutions and smaller players in the sector must meet stringent digital resilience and risk management requirements.
The 5 pillars of DORA
DORA is designed to strengthen the digital resilience of financial organizations and ensure that they are more resilient to IT incidents and cyber threats. The regulations are built around five core pillars:
- ICT risk management: Organizations should implement a solid framework to identify, manage and minimize digital risks.
- Incident reporting: Mandatory reporting of IT incidents to regulators to promote faster action and transparency.
- Testing digital resilience: Establish testing programs and conduct regular tests to identify and address vulnerabilities in systems.
- Third-party monitoring: Stricter monitoring of IT service providers, such as cloud providers, to reduce risks in the chain.
- Information sharing: sharing knowledge and threat information between organizations to increase joint resilience. This does need to take into account the potential sensitive nature of shared information.
The practical impact of DORA on organizations
DORA brings concrete changes to how financial institutions manage their digital infrastructure. The regulations require an in-depth review of IT systems and processes, with a focus on ensuring continuity and minimizing risk. In practical terms, this means that organizations must overhaul their entire IT landscape to comply with the requirements.
An important aspect of DORA is mandatory digital resilience testing. This means regularly exposing systems to stress tests and simulations to identify weaknesses early on. This requires a structured approach in which both internal and external audits play a major role.
It is also necessary to make stricter agreements with IT service providers, such as cloud providers and data center providers. This means not only adjusting contracts, but also establishing clear procedures for oversight and monitoring. Organizations need to be sure that third-party providers meet the same high standards as themselves.
Why storage is important for DORA compliance
DORA places high demands on the data storage infrastructure of financial institutions. It is not just about keeping data safe, but also about ensuring flexibility, performance, compliance and security. These are some key areas:
Scalability
Storage solutions must be able to grow seamlessly with increasing data volumes, both on-premise and in cloud environments, without compromising on security.
Performance, RTO and RPO
DORA emphasizes the importance of short recovery times (RTO) and minimal data loss periods (RPO). Backups and recovery operations must be fast and reliable to ensure business continuity. Recovery should be a matter of hours, not days or even weeks.
Compliance and demonstrability
Storage solutions must support frameworks that allow organizations to demonstrate DORA’s compliance and testing requirements. Open systems often offer more flexibility and transparency.
Security, immutability and air gap
Security goes beyond just software measures. In addition to data encryption, hardware-based protection plays a crucial role in ensuring data security. Hardware immutability through hardware WORM prevents data from being modified or deleted, even during a cyberattack. Additionally, a physical air gap provides an impenetrable layer of security by completely disconnecting data from networks, keeping it protected against ransomware and other threats. This combination of measures ensures that data is not only secure but also meets the stringent requirements of DORA.
DORA requires not only a robust storage strategy but also an approach that prepares the organization for rapid adjustments and compliance in an increasingly complex digital environment. It is therefore a concrete part of digital sovereignty in the financial sector.
European storage that contributes to DORA compliance
Ransomware proof backup and fast recovery
Protect critical data against data loss, ransomware, and disruptions. With secure backup storage, physical air gap, and fast recovery, you keep data recoverable when systems are hit.
Long-term, compliant archiving with WORM storage
Store data for the long term in a verifiable and demonstrably unchangeable way. Hardware WORM storage helps organizations protect archive data against modification, deletion, and data loss.
Frequently Asked Questions about DORA
What is DORA?
DORA stands for Digital Operational Resilience Act. It is a European regulation that requires financial organizations to demonstrably have their digital resilience, ICT risk management, incident reporting, resilience testing, and oversight of IT service providers in order.
Who does DORA apply to?
DORA applies to many financial organizations, such as banks, insurers, investment firms, payment service providers, pension funds, and crypto-asset service providers. Critical IT service providers to the financial sector are also subject to stricter requirements.
What role does storage play in DORA compliance?
Storage plays a role in availability, recoverability, data integrity, and demonstrability. Backups must be reliably restorable, archive data must remain verifiable, and critical data must be protected against modification, deletion, and ransomware.
Why are RTO and RPO important in DORA?
RTO is about how quickly systems must be recovered. RPO is about how much data loss is acceptable. For digital resilience, organizations must know how quickly they can recover critical data and systems after an incident.
How do Silent Bricks and Silent Cubes help with DORA?
Silent Bricks supports backup, recovery, VTL, and air gap storage. Silent Cubes supports long-term archiving with hardware WORM storage. Together, these solutions help keep data more recoverable, verifiable, and protected.
How can I ensure AI compliance within DORA?
AI compliance within DORA requires control over ICT risks, data, suppliers, and operational resilience. When AI is used with sensitive business data, it must be clear where data is processed, who has access, and how risks are managed.
Public AI services can raise additional questions around data processing, auditability, third-party dependency, and incident response. That is why it is important to make AI applications part of your broader ICT risk management.
With private AI or off-cloud AI, you keep sensitive data within a controlled environment. This helps financial organizations maintain control over data access, compliance, costs, and dependency on external AI platforms.

Subscribe for tips and info