Exploring DORA, the new era of compliant digital communications in Europe

DORA + MiFID II
In the European financial services and compliant business market, there are now two legislative pillars upholding stability, transparency, and security.
The first is, by now, the more familiar of the two: the Markets in Financial Instruments Directive (MiFID II). In short, MiFID II regulates investment services and market practices, with rules about how firms conduct themselves and their interactions with clients.
The other, newer and less familiar pillar is the Digital Operational Resilience Act (DORA), which has applied since 17 January 2025 and focuses on the digital operational resilience of financial entities and the ICT providers that serve them. The difference between the two is that while MiFID II is inward facing, DORA is all about how prepared an organization must be to withstand Information and Communication Technology (ICT) disruptions coming from outside, such as a cyberattack or a system failure.
In this article we’ll be taking a look at how DORA affects businesses with regulated communications and compliance obligations, as well as how the two rulesets overlap in regard to risk management, incident reporting, and complexities in compliance. We’ll also provide a quick checklist for decision makers to evaluate their own strategic responses.
Combined upgrade
While MiFID II has long been the main regulation for market practices and investment services, the more recently introduced DORA brings a laser focus to the digital preparedness of financial institutions. DORA also significantly expands the footprint of what kinds of businesses are regulated and covered, so professionals in more than just finance and securities now need to be aware and understanding of the combined impact.
Not only is DORA bringing new rules; it’s supercharging some of MiFID’s existing clauses, which is why an integrated understanding matters. For instance, MiFID II's mandate for ‘robust operational risk systems’ is now upgraded by DORA's specific frameworks for ICT-related risks, pushing firms to ensure their systems can withstand cyber threats and disruptions without hobbling their business models with inefficiencies.
Furthermore, while MiFID II requires reporting of operational incidents, DORA elevates this with more detailed and structured requirements for significant ICT-related incidents, making clarity on reporting essential.
In simple terms, a business might in theory have been able to get by without robust compliance and incident reporting systems simply by never making a mistake or doing anything to attract the scrutiny of the auditors. Under DORA, many of the same reporting obligations are triggered when external bad actors come into play, a situation that no amount of internal diligence can prevent.
This enhanced scrutiny also extends to third-party risk oversight. Where MiFID II provides guidelines for outsourcing critical IT functions, DORA now mandates even stricter supervision of third-party ICT providers, compelling them to meet higher digital resilience standards and thereby redefining vendor management.
Finally, the approach to resilience testing is also evolving, with DORA introducing specific, detailed ICT resilience tests like penetration tests, which build upon MiFID II’s broader testing outlines, necessitating a harmonization of these practices.
The five pillars of DORA
DORA is designed to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats, including cyberattacks and system failures. This objective is underpinned by five key pillars that form the backbone of the regulatory framework:
ICT Risk Management
ICT-related Incident Management, Classification, and Reporting
Digital Operational Resilience Testing
ICT Third-Party Risk Management
Information and Intelligence Sharing
The regulation treats these pillars not as silos but as interlocking requirements, collectively fortifying the resilience of digital communications.
For instance, a robust ICT risk management framework (Pillar 1) that thoroughly assesses vulnerabilities in communication systems directly informs the scope and nature of digital operational resilience testing (Pillar 3) for those same systems.
Similarly, effective incident reporting mechanisms (Pillar 2) are triggered when identified risks materialize despite controls and testing.
Equally, a deficiency in one pillar concerning communication systems, such as an inadequate risk assessment, will inevitably undermine the effectiveness of the others in safeguarding those channels.
DORA and digital resilience
DORA specifically brings a sharper definition to digital resilience by requiring a holistic approach to ICT risk governance, embedding digital risk management into the actual organizational structure with clear senior management accountability.
It also calls for continuous and dynamic risk assessment to proactively identify ICT vulnerabilities and adapt to ever-evolving threats. Institutions must develop, and rigorously test, robust incident response and recovery plans to effectively detect, manage, and recover from ICT disruptions. Alongside these internal measures, DORA institutes mandatory reporting for significant ICT incidents, ensuring transparency and rapid regulatory awareness.
It also compels a thorough reassessment of internal processes and third-party provider relationships. Developing integrated compliance strategies to efficiently meet the demands from both frameworks, alongside enhanced staff training and awareness around digital risks, will be paramount.
Obligations & opportunity
The implications of DORA extend far beyond traditional IT or cybersecurity departments. It demands systemic changes in internal governance, meticulous review and amendment of service provider agreements, and an overhaul of numerous operational processes and policies.
The most immediate effect of the new rule is that the digital communication systems and practices that might have been considered a problem for the IT department to deal with, and a routine item on the budget, is now a strategic concern for the whole company.
So DORA is bringing significant compliance responsibilities, but it also presents an opportunity. Financial service providers and compliant businesses that follow the required changes can enhance their overall security posture, build more robust operations, and foster greater trust among clients and stakeholders.
The new rules might place greater burdens on business, but agile operators can use the upgraded security posture as a value-add for clients and partnerships.
Governance & accountability
DORA significantly reshapes the governance structures within financially responsible organizations, compelling a more integrated and strategic approach to ICT risk.
A central tenet of the regulation is the heightened role and direct accountability of the management body, specifically the Board and senior executives. These leaders are now explicitly responsible for defining, approving, overseeing, and ultimately implementing the comprehensive ICT risk management framework, which necessarily includes all aspects covering digital communication systems. This includes setting the institution's risk tolerance for ICT risks.
This top-level accountability means that the security and resilience of digital communication channels are no longer mere operational details delegated solely to IT departments. Instead, they become matters of strategic importance requiring board-level scrutiny and approval as integral components of the overall ICT risk strategy.
To effectively discharge these duties, management bodies will need a more profound understanding of cyber threats, technological dependencies within their communication ecosystems, and advanced resilience strategies. This may necessitate specialized training or advisory services for board members and senior leadership to ensure they can make informed strategic investment decisions and provide effective oversight.
DORA also mandates the establishment of clear roles and responsibilities for ICT risk management at all organizational levels, including specific oversight for communication systems, and calls for an independent control function to monitor ICT risk.
DORA’s demands
DORA's requirements translate into specific, actionable changes of what financial service providers and compliant businesses need to do for their digital infrastructure.
Fortify your systems
All covered businesses now need a comprehensive ICT risk management framework that addresses all digital communication systems including email, instant messaging (e.g. WhatsApp), client portals, and productivity / meeting platforms (e.g. Microsoft Teams). This includes frequent audit of all digital assets, along with their interdependencies, and regular risk assessments specific to those channels, such as phishing via email. Furthermore, business continuity and disaster recovery plans must be developed specifically for each communication system, detailing data recovery processes and alternative communication strategies to be used during disruptions.
Prepare your response protocols
What might once have been treated as an internal IT issue for engineers to fix may now be an incident that triggers a raft of regulatory reporting obligations. Covered organizations must monitor, manage, and classify ICT-related incidents based on the criteria set out in DORA and the accompanying Regulatory Technical Standards (RTS) on incident classification, which are drafted by the European Supervisory Authorities and adopted by the European Commission. These criteria include granular detail such as the number of clients affected, the duration of the outage and of any service downtime, the geographical spread, and any data loss.
A particularly tricky new rule concerns reporting timelines. For a major incident, the initial notification is due within four hours of classifying the incident as major, and no later than 24 hours after the entity becomes aware of it; an intermediate report follows within 72 hours of the initial notification, and a final report within one month of the intermediate report. Such rapid reporting means many organizations will need to overhaul their crisis communication plans, because clearly pre-defined protocols, and a classification decision that is made and logged promptly, are needed to have any chance of meeting the timeframe.
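The classification step and the deadline arithmetic above are easy to get wrong under pressure, in particular the fact that the initial notification has two clocks (four hours from classification, 24 hours from awareness) and the earlier one binds. The following Python is an added illustration, not code from the article or from 1GLOBAL. The impact thresholds and the "major" decision rule in it are illustrative placeholders, not the values from the RTS, and an organization would replace them with the regulatory criteria; the 4 hour / 24 hour / 72 hour / one month timeline follows the DORA major-incident reporting rules described in the text. The sample incidents are constructed.

```python
"""Classify an ICT-related incident and derive DORA major-incident reporting deadlines.

Added example. Thresholds and the major-incident rule below are ASSUMED placeholders,
not the regulatory values. The timeline follows DORA's major-incident reporting rules:
initial notification within 4 h of classification and no later than 24 h after awareness,
intermediate report 72 h after the initial notification, final report one month after
the intermediate report. Deadlines are computed from the latest permissible submission
time; in practice each later clock runs from the actual submission of the earlier report.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class Incident:
    detected_at: datetime        # when the entity became aware of the incident
    classified_at: datetime      # when the classification assessment was completed
    clients_affected: int
    total_clients: int
    downtime: timedelta          # service downtime of the affected communication channel
    countries_affected: int      # geographical spread
    data_loss: bool              # loss of availability, integrity or confidentiality of data
    critical_function: bool      # affected service supports a critical or important function


# Illustrative thresholds (assumption, not the RTS values).
CLIENT_SHARE_THRESHOLD = 0.10
CLIENT_COUNT_THRESHOLD = 100_000
DOWNTIME_THRESHOLD = timedelta(hours=2)
COUNTRIES_THRESHOLD = 2


def impact_criteria(inc: Incident) -> Dict[str, bool]:
    """Evaluate each criterion separately so the report can state which ones fired."""
    share = inc.clients_affected / inc.total_clients if inc.total_clients else 0.0
    return {
        "clients": share >= CLIENT_SHARE_THRESHOLD
        or inc.clients_affected >= CLIENT_COUNT_THRESHOLD,
        "duration": inc.downtime >= DOWNTIME_THRESHOLD,
        "geography": inc.countries_affected >= COUNTRIES_THRESHOLD,
        "data_loss": inc.data_loss,
    }


def is_major(inc: Incident) -> bool:
    """Illustrative decision rule (assumption): an incident touching a critical or important
    function is major if data loss occurred or at least two other criteria fired; otherwise
    it is major only if three criteria fired."""
    crit = impact_criteria(inc)
    fired = sum(crit.values())
    if inc.critical_function and (crit["data_loss"] or fired >= 2):
        return True
    return fired >= 3


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime
    intermediate: datetime
    final: datetime


def add_one_month(t: datetime) -> datetime:
    """Calendar month arithmetic with the day clamped for shorter months (31 Jan -> 28 Feb)."""
    month = t.month % 12 + 1
    year = t.year + t.month // 12
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_deadlines(inc: Incident) -> Optional[ReportingDeadlines]:
    """Return the latest permissible submission times for a major incident, or None if not major."""
    if not is_major(inc):
        return None
    # Two clocks govern the initial notification; the earlier deadline binds.
    initial = min(inc.classified_at + timedelta(hours=4),
                  inc.detected_at + timedelta(hours=24))
    intermediate = initial + timedelta(hours=72)
    return ReportingDeadlines(initial=initial, intermediate=intermediate,
                              final=add_one_month(intermediate))


# Constructed sample: an outage of a client messaging portal, classified 22 h after awareness.
SAMPLE_MAJOR = Incident(
    detected_at=datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc),
    classified_at=datetime(2025, 3, 2, 6, 0, tzinfo=timezone.utc),
    clients_affected=15_000, total_clients=100_000,
    downtime=timedelta(hours=3), countries_affected=1,
    data_loss=False, critical_function=True,
)

if __name__ == "__main__":
    d = reporting_deadlines(SAMPLE_MAJOR)
    print("major:", d is not None)
    if d:
        for name, when in (("initial", d.initial), ("intermediate", d.intermediate), ("final", d.final)):
            print(f"{name:13s} {when.isoformat()}")
```

Note that in the sample the 24-hour awareness limit, not the 4-hour classification limit, sets the initial deadline: classification came so late that "four hours from classification" would already be past the outer bound. Logging both timestamps at the moment they occur is what makes the calculation defensible to a supervisor afterwards.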
Implement resilience testing
For DORA it is not enough that businesses put their ICT measures in place; they also have to test them regularly. This means testing ICT systems that support critical or important functions at least once a year to verify preparedness, uncover vulnerabilities, and confirm resilience, plus a full threat-led penetration test (TLPT) at least every three years for the financial entities that their competent authority designates for it.
More than just technical vulnerabilities are included, and ‘effective resilience’ extends to human factors, such as employee responses to simulated phishing attacks.
Contractual & third-party oversight
DORA places strong emphasis on managing the risks arising from ICT third-party providers (TPPs), a category that includes many vendors of digital communication, collaboration, and client portal solutions. Financial service providers and regulated businesses must develop a strategy for ICT third-party risk, conduct thorough due diligence before contracting, and perform ongoing monitoring of their communication TPPs.
Contracts with these TPPs must now include specific provisions mandated by DORA (Article 30), covering aspects like security measures, incident reporting obligations, audit rights, data processing locations, robust exit strategies, and potentially the TPP's participation in resilience tests. Financial entities must also maintain a register of information covering all contractual arrangements with TPPs (Article 28). This responsibility extends throughout the entire delivery chain, meaning financial entities must ensure their direct communication TPPs adequately manage their own subcontractors involved in service delivery.
Secure all data handling
DORA directly impacts data handling policies, requiring that sensitive information transmitted or stored via email, messaging platforms, or client portals is properly protected. This includes encryption of data in transit and at rest, effective Data Loss Prevention (DLP) tools to monitor and control data transfers and block unauthorized disclosure, and robust authentication and authorization controls for access to communication platforms and the data they hold.
DORA also demands tighter integration between existing data protection obligations (e.g. GDPR) and digital communication policies. These must be harmonized to ensure that data, however briefly it passes through corporate control, is managed in a DORA-resilient manner.
Next steps: Getting ready for DORA
Integrating DORA’s compliance requires strategic and proactive measures that are going to occupy the planning and technical departments of financial service providers and compliant businesses for years to come. Before formulating a plan, decision makers should consider the following high-level actions:
Run ‘gap' analysis
Evaluate current communication policies, the full inventory of communication tools, ICT infrastructure, and existing vendor contracts against DORA's specific requirements to identify shortcomings.
Review vendor contracts
Given the extensive use of third-party communication tools, a risk-based approach is essential. Consolidate and review contracts with all ICT TPPs providing communication services, and request DORA-compliant amendments focusing on security obligations, audit rights, incident reporting protocols, and clear exit strategies.
Budget for training
Robust training programs for all staff (including leadership) on new communication policies, secure communication practices, data handling protocols, and incident reporting procedures will require significant investments in time and resource.
Establish cross-discipline teams
Form dedicated, cross-functional teams involving IT, cybersecurity, legal, compliance, risk management, and relevant business units to spearhead and manage DORA implementation.
Leverage partnerships
Explore combining forces with specialized telco experts that can support DORA compliance for communications, such as advanced DLP solutions, end-to-end encryption tools, Security Information and Event Management (SIEM) systems for enhanced monitoring, and specialized resilience testing platforms.
Conclusions
DORA has applied since 17 January 2025, and overlapping national ICT rules are gradually being phased out.
This has happened at different speeds in different jurisdictions across Europe. In Germany, for example, financial service providers had to submit their information registers to the German Federal Financial Supervisory Authority (BaFin) by April 2025, while other overlapping local rules such as the Bankaufsichtliche Anforderungen an die IT (BAIT) won't be fully phased out until the end of 2026.
The necessity of DORA compliance is pressing, and it’s important to appreciate that it’s not a one-off project but an ongoing obligation. It demands continuous monitoring, regular review, and agile adaptation of policies and controls in response to evolving threats and technological changes. Robust, secure, and resilient digital communication policies are no longer merely advisable or a good look for a brochure, but fundamental components of compliance and overall business stability.
While navigating these overlapping requirements presents challenges, the complementary nature of existing rules such as MiFID II (ensuring market stability) and the new power of DORA (ensuring digital infrastructure resilience) aims to build a safer, more technologically robust telco ecosystem for regulated and compliant businesses.
Are your institution's communications strategies aligned with these evolving regulatory demands and compliance requirements? Learn more about how 1GLOBAL can ensure and future-proof your compliance and resilience capabilities.
About 1GLOBAL
1GLOBAL is a distinguished international provider of specialty telecommunications services catering to Global Enterprises, Financial Institutions, IoT, Mobile Operators and Tech & Travel companies. 1GLOBAL is an eSIM pioneer, a fully accredited and GSMA-certified telco, a full MVNO in ten countries, fully regulated in 42 countries, and covers 190+ countries.
It delivers comprehensive communication solutions that encompass Voice, Data & SMS, all supported by a unique global core network. Its constantly expanding portfolio of advanced products and services includes White Label eSIMs, Connectivity Solutions, Compliance and Recording, Consumer & M2M SIM Provisioning and an Entitlement Server.
