What is the DORA regulation? Complete summary of the Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a European regulation designed to ensure that financial entities in the European Union, and the ICT third-party providers they depend on, are resilient to digital operational disruptions. This includes cyberattacks, technology failures, and incidents caused by third-party providers.
In essence, DORA requires financial entities and their technology providers to prove that they can withstand, respond to, and recover from ICT-related disruptions and threats, protecting the stability of the European financial system.
Published in the Official Journal in December 2022 and in force since 16 January 2023, DORA applies from 17 January 2025. From that date financial entities must comply with it, and the national competent authorities supervise them against its requirements.
Objectives and purpose of DORA Regulation
The DORA framework sets out a unified approach for improving digital resilience across the European financial sector. Its primary objectives are:
- Strengthen digital resilience against technological disruptions or cyberattacks.
- Harmonize supervision criteria across all EU member states under a common standard.
- Ensure operational continuity even in the event of critical third-party failures.
- Reduce systemic risk caused by dependency on technology and external providers.
- Enhance transparency and coordination among entities, regulators, and authorities.
The five pillars of DORA
The DORA regulation is built around five core pillars, which define the minimum resilience requirements for financial institutions and their technology partners:
1. ICT Risk Management (Information and Communication Technology Risk Management)
DORA requires organizations to manage all technology risks comprehensively — including infrastructure, software, data, and communications.
This involves defining security policies, classifying critical assets, implementing preventive measures, and maintaining up-to-date contingency plans.
For IBM z/OS mainframe environments, this involves continuously monitoring key areas such as RACF privileges, data set and communications encryption, and overall system security, capabilities that platforms like Bsecure DataPASS typically provide.
Key actions for ICT risk management include:
- Classifying critical assets and defining security policies for them.
- Implementing automated controls to monitor the health of security measures.
- Ensuring the regular update of contingency plans to reflect current threats.
2. Incident Management and Reporting
DORA requires that organizations implement effective procedures for detecting, classifying, and reporting ICT-related incidents.
Any incident classified as major must be reported to the relevant competent authority within the deadlines set by DORA and its technical standards, in three stages: an initial notification, an intermediate report, and a final report.
This ensures that regulators have a timely view of the operational impact and can coordinate responses across the European financial system.
IBM z/OS environments also need robust incident management capabilities, including:
- Automated collection of RACF audit records (SMF type 80) and of the ICH408I access-violation messages, with automated reporting on them.
- Real-time detection of anomalies or breaches.
- Timely reporting of major incidents to the competent authority.
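The two bullet points above, detection and timely reporting, are the part of this pillar that can actually be automated. The following added example (not Bsecure's code and not from the original page) shows the shape of such a control: it parses constructed RACF ICH408I access-violation messages, raises an incident on a write attempt against a critical system data set or on a burst of violations by one user, and computes the three DORA reporting deadlines. The log lines are constructed and simplified (the real ICH408I message spans several lines; a log collector that flattens it to one line with an ISO timestamp is assumed), the critical-resource prefixes and thresholds are illustrative, and the specific deadline values are my reading of the incident-reporting technical standards and should be verified against the current text.

```python
"""Detect RACF access violations and derive DORA reporting deadlines.

Added example for this article; the log lines are constructed, the
ICH408I format is simplified to one line per event, and the thresholds,
critical prefixes and deadline values are assumptions to be adapted.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: ISO timestamp + flattened z/OS RACF ICH408I message.
SAMPLE_LOG = """\
2025-01-17T08:00:05Z ICH408I USER(OPER1) GROUP(OPS) NAME(OPERATOR) SYS1.PARMLIB CL(DATASET) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(UPDATE) ACCESS ALLOWED(READ)
2025-01-17T08:01:10Z ICH408I USER(TEMP9) GROUP(CONTRACT) NAME(CONTRACTOR) PAY.MASTER CL(DATASET) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
2025-01-17T08:02:30Z ICH408I USER(TEMP9) GROUP(CONTRACT) NAME(CONTRACTOR) PAY.MASTER.BACKUP CL(DATASET) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
2025-01-17T08:03:45Z ICH408I USER(TEMP9) GROUP(CONTRACT) NAME(CONTRACTOR) HR.SALARY CL(DATASET) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
2025-01-17T08:45:00Z ICH408I USER(TEMP9) GROUP(CONTRACT) NAME(CONTRACTOR) HR.BONUS CL(DATASET) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(READ) ACCESS ALLOWED(NONE)
2025-01-17T09:30:00Z ICH408I USER(DEV2) GROUP(DEV) NAME(DEVELOPER) TEST.DATA CL(DATASET) INSUFFICIENT ACCESS AUTHORITY ACCESS INTENT(UPDATE) ACCESS ALLOWED(READ)
"""

ICH408I_RE = re.compile(
    r"^(?P<ts>\S+) ICH408I USER\((?P<user>\w+)\)\s+GROUP\((?P<group>\w+)\)\s+NAME\([^)]*\)\s+"
    r"(?P<resource>\S+)\s+CL\((?P<cls>\w+)\)\s+INSUFFICIENT ACCESS AUTHORITY\s+"
    r"ACCESS INTENT\((?P<intent>\w+)\)\s+ACCESS ALLOWED\((?P<allowed>\w+)\)\s*$"
)

# Assumed site policy: which data set prefixes are "critical" and which
# access intents count as writes (RACF access levels above READ).
CRITICAL_PREFIXES = ("SYS1.", "RACF.")
WRITE_INTENTS = {"UPDATE", "CONTROL", "ALTER"}


def parse_violations(log_text):
    """Return one dict per ICH408I line; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ICH408I_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def classify(events, window=timedelta(minutes=10), threshold=3):
    """Apply two detection rules and return the incidents they raise.

    Rule 1: any write-intent violation on a critical resource is an incident.
    Rule 2: `threshold` violations by one user inside `window` is an incident
            (a sliding window over the user's sorted timestamps, raised once).
    """
    incidents = []
    by_user = {}
    for ev in events:
        if ev["resource"].startswith(CRITICAL_PREFIXES) and ev["intent"] in WRITE_INTENTS:
            incidents.append({"kind": "critical-resource-write-attempt", "user": ev["user"],
                              "resource": ev["resource"], "detected_at": ev["ts"]})
        by_user.setdefault(ev["user"], []).append(ev["ts"])
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                incidents.append({"kind": "violation-burst", "user": user,
                                  "count": end - start + 1, "detected_at": times[end]})
                break
    return incidents


def reporting_deadlines(classified_at, aware_at):
    """Three-stage reporting schedule of DORA Art. 19 for a major incident.

    Values are an assumption based on the incident-reporting technical
    standards (initial: 4h from classification, no later than 24h from
    awareness; intermediate: 72h after the initial; final: one month after
    the intermediate). Verify against the current standards before use.
    """
    initial = min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))
    intermediate = initial + timedelta(hours=72)
    final = intermediate + timedelta(days=30)
    return {"initial": initial, "intermediate": intermediate, "final": final}


if __name__ == "__main__":
    for inc in classify(parse_violations(SAMPLE_LOG)):
        deadlines = reporting_deadlines(inc["detected_at"], inc["detected_at"])
        print(inc["kind"], inc["user"], "initial report due", deadlines["initial"])
```

The burst rule deliberately ignores the TEMP9 event at 08:45 because it falls outside the ten-minute window, and the DEV2 write attempt on a non-critical test data set is parsed but not escalated; in a real deployment the classification step would also record the business impact criteria DORA uses to decide whether an incident is major, since only major incidents trigger the reporting clock.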
3. Digital Resilience Testing
This pillar requires regular digital resilience testing, both technical and operational, to ensure systems can withstand real-world attacks or disruptions.
Recommended exercises include:
- Advanced Threat-Led Penetration Testing (TLPT).
- Disaster Recovery Testing.
- Crisis Simulation and Tabletop Exercises.
For mainframe environments like z/OS, these tests involve simulating RACF security failures, sysplex integrity issues, and the loss of critical services such as CICS, Db2, and MQ, and verifying that recovery meets the defined objectives.
4. Third-Party ICT Risk Management
DORA extends its requirements to third-party providers, emphasizing the need for financial institutions to evaluate and control risks from external technology providers. This includes managing risks associated with services such as cloud hosting, cybersecurity, and infrastructure management.
Organizations must:
- Maintain a detailed register of critical third-party service providers.
- Ensure contracts include provisions for resilience, auditability, and the ability to terminate services.
- Monitor compliance with these standards and ensure third-party resilience measures are on par with those of the organization itself.
For IBM Z mainframes, this includes ensuring that all third-party security providers meet the organization's own encryption, authentication, and traceability standards.
5. Information Sharing and Cooperation
DORA emphasizes cyber threat intelligence (CTI) sharing between financial institutions, regulators, and technology providers. This pillar aims to improve collective detection and response capabilities across the European financial ecosystem, creating a collaborative security culture.
The goal is for institutions to share information about threats and incidents to improve overall cybersecurity resilience across the sector.
Who is affected by DORA?
DORA applies to all financial entities within the European Union, including:
- Banks and savings institutions.
- Insurance and reinsurance companies.
- Investment firms and fund managers.
- Payment service providers.
- Financial market infrastructures (stock exchanges, clearinghouses).
- ICT third-party service providers that the European Supervisory Authorities designate as critical (including mainframe, cloud, and cybersecurity services), which fall under a direct oversight framework.
Regulated financial entities must demonstrate compliance with all five pillars and maintain documented, verifiable digital resilience; their ICT suppliers are bound through the contractual provisions DORA requires and, where designated as critical, through direct supervisory oversight.
Sanctions and penalties for non-compliance
Failure to comply with DORA can result in significant financial penalties, suspension of activities, or even revocation of authorization to operate in the EU.
The exact sanctions for financial entities are set by each member state, and regulators may impose fines proportional to the severity of the breach and require immediate remediation plans. For ICT providers designated as critical, the European Supervisory Authorities can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for as long as non-compliance continues, up to six months.
Organizations that cannot prove effective operational continuity or third-party oversight mechanisms may be deemed non-compliant with resilience standards, risking reputational damage and loss of customer trust.
DORA and the new era of digital resilience
The DORA regulation represents a turning point in European financial cybersecurity, shifting the focus from reactive defense to proactive resilience.
Financial institutions operating on IBM z/OS or mainframe systems must ensure their infrastructures meet all five pillars through continuous auditing, risk traceability, and automated security validation.
At Bsecure – The Mainframe & Security Company, we help organizations achieve and maintain compliance with DORA and NIS2 through our DataPASS (continuous auditing) and DataPASS HUB (partner enablement model) solutions.
For further reading, visit:
👉 How to Automate DORA Compliance in IBM z/OS Mainframe Environments
