top of page

DORA Regulation: What Finance and Treasury Teams Need to Know Now

  • Jun 29
  • 6 min read
DORA Regulation

The DORA Regulation has been mandatory since 17 January 2025. The Digital Operational Resilience Act (DORA) is an EU-wide regulation designed to strengthen digital operational resilience in the financial sector. This is why it is not just an IT topic. It mainly affects the finance department, including all processes, payment transactions and third-party providers.


The regulation covers five central areas. These include:


  • ICT risk management

  • Management and reporting of ICT incidents

  • Testing digital operational resilience

  • Management of third-party risks

  • Information sharing on cyber threats


Implementing DORA requires clear data and process control. Modern treasury management systems help companies meet regulatory requirements efficiently



What is the DORA Regulation?

DORA stands for “Digital Operational Resilience Act”. The DORA Regulation therefore means a law on digital operational resilience. It provides a uniform regulatory framework for digital resilience across the EU.


The focus of the DORA EU Regulation is on the financial sector. Financial companies should become more resilient to digital risks. These risks should be systematically controlled, identified and managed. Companies should prepare for threats through testing. If an incident still occurs, reporting processes ensure a controlled procedure. Banks, insurers, investment firms and other financial companies should therefore be better prepared.



When did DORA come into affect and is it mandatory?

The DORA Regulation was published in the Official Journal of the European Union on 27 December 2022 with the official name DORA Regulation (EU) 2022/2554. The regulation entered into force on 16 January 2023. From that point, companies had two years to implement the measures.


Since 17 January 2025, the law has been mandatory in all EU Member States. The supervisory authority monitors implementation. Anyone who violates the regulation must expect regulatory consequences.



What does this mean in practice for companies?

Compliance must no longer be limited to documents. Regulatory requirements must be actively integrated into operational processes. Responsibilities must be clearly defined and documented. Evidence of controls, tests and risk management must be available at any time



Who must implement DORA?

The DORA Regulation does not only affect banks. It affects the entire European financial sector. Here you will find the most important players that must implement DORA:


Directly affected

Indirectly involved

Relevant internal stakeholders

Banks

Cloud providers

Treasury

Payment service providers

Software providers

Finance

Insurers

IT outsourcing partners

Risk management

Investment firms

Data centres

Compliance

Investment companies

Managed service providers

IT

Crypto service providers

Payment service providers

Internal Audit


Relevant information and communication technology (ICT) third-party providers are also in focus. They can be monitored directly by European supervisory authorities. This results from the indirect requirements through customers from the financial sector.



Why DORA Also Affects Treasury and Finance Teams

When it comes to regulations on digital operational resilience, the IT department is usually the first focus. However, DORA does not only affect IT systems. All financial processes must be examined more closely. Treasury and Finance in particular manage many operational control points, including:


  • Payment transactions.

  • Bank connections.

  • ERP integrations.

  • Liquidity data.

  • User rights.

  • Approval processes.

  • Reporting.


To implement the DORA Regulation, all processes must be controlled and optimised. A treasury management system can help with this. It automates processes while maintaining compliance. This helps avoid manual errors and ensures real-time transparency.



The 5 Pillars of the DORA Regulation

To make implementation easier, the DORA Regulation structures its requirements into five central areas. This should help financial companies identify and control digital risks and remain able to act in a crisis.



  1. ICT Risk Management

ICT stands for information and communication technology. It is a central part of secure processes. With DORA, ICT risks should be systematically identified, assessed and managed. They should be monitored continuously. Access rights and approvals should always be documented.


Relevant questions:

  • Which systems are critical?

  • Who has access?

  • Where do manual media breaks occur?



  1. ICT Incident Management and Reporting

The DORA Regulation requires companies to set up structured incident management. ICT-related incidents must be identified, assessed and documented. This should limit the impact of IT disruptions and cyberattacks at an early stage.


For serious ICT incidents, the Bundesbank sets out requirements. These cases must be classified and formally reported.


Typical DORA process:

Identify → Classify → Escalate → Report → Document → Follow up



  1. Testing Digital Operational Resilience

The DORA Regulation requires regular testing of digital resilience. These tests examine the resilience of systems, applications and processes. Potential weaknesses and risks should therefore be identified early.


Thanks to these tests, security and control measures can be continuously improved. Certain financial companies are subject to extended requirements. They must implement so-called Threat-Led Penetration Testing (TLPT). This test is a realistic simulation of targeted cyberattacks.


Central question:

  • Can the finance or treasury team continue to operate during a cyberattack?



  1. ICT Third-Party Risk

The DORA EU Regulation requires companies to actively manage risks from external ICT service providers. Companies are becoming increasingly dependent on cloud, software and technology providers. This brings certain risks, including:


Third-party type

Risk

Required evidence

Treasury relevance

Bank

Failure of account information

Emergency and escalation processes

Account balances, payment transactions

ERP provider

Interruption of data flows

Documented interfaces and controls

Forecasting, reporting

Treasury software

Failure of central finance processes

Recovery and backup concepts

Liquidity management

Payment service provider

Delayed transactions

Risk assessment and monitoring

Solvency

Cloud provider

Availability problems

Contractual and resilience evidence

Operation of critical systems



  1. Information Sharing

Financial companies should identify new attack patterns and vulnerabilities at an early stage. Continuous exchange between companies also makes sense for this. This allows risks to be identified and managed faster.


Implementation Checklist for CFOs and Treasury Managers:

  1. Record critical finance systems

  2. Document data flows

  3. Review roles and permissions

  4. Secure payment approvals

  5. Record and assess third-party providers

  6. Ensure audit trails

  7. Test incident and emergency processes



From Excel Chaos to Controllable Finance Processes

Many finance processes are still based on manual spreadsheets and decentralised data sources. This creates significant risk potential for companies.


A treasury management system can centralise these processes and data. It automates relevant workflows, which significantly reduces the risk of errors. Responsibilities and processes are documented in line with DORA. Permissions are clearly structured. This provides greater operational resilience and security during audits.



How Modern Treasury Systems Support DORA Compliance

The DORA Regulation does not prescribe specific software. However, a TMS should meet certain requirements in order to support DORA. Financial Navigator combines these requirements on one platform. This makes the following easier:


  • Transparency.

  • Auditability.

  • Secure payment processes.

  • Bank and ERP integration.

  • Rights management.

  • Central data basis.

  • Real-time dashboards.


Check which treasury processes are still documented manually today. Increase your company’s compliance and security with a TMS.



Single Source of Truth for Liquidity and Payment Processes

Many companies work with data from different sources. Relevant data can come from bank portals, ERP systems, Excel files or payment platforms. This is linked to high effort, error risk and security risk.


A central data basis, on the other hand, creates transparency. It provides a consolidated view of account balances, payments and liquidity. Financial data is always up to date and accurate. This improves liquidity planning and treasury management. It also makes it easier to implement the DORA Regulation, as processes are systematic, traceable and documented.



Audit Trails, Permissions and Approval Processes

The DORA Regulation requires traceable and controllable processes. With a TMS, permissions and approval processes are clearly regulated. So-called audit trails create traceability. They serve as a log of changes, approvals and user activity.


This ensures complete documentation of all finance processes. This is especially relevant for payment transactions.



DORA Regulation Summary: What Finance Leaders Should Take Away

The DORA Regulation is mandatory for all companies in the financial sector. It mainly affects companies from EU Member States. However, the regulation can also indirectly affect other companies. DORA is intended to make the financial sector more resilient to digital risks.


Since 17 January 2025, the DORA Regulation has been mandatory. Companies must pay particular attention to the five pillars of the DORA Regulation:


  1. ICT risk management

  2. Incident management and reporting obligations

  3. Resilience testing

  4. Management of third-party risks

  5. Information sharing


To meet regulatory requirements, companies are increasingly relying on finance systems. They automate and optimise processes and identify risky workflows. This increases transparency in payment transactions and the traceability of decisions.


The DORA Regulation is not just an IT project. For finance leaders, it mainly means more transparency, control and evidence.



Simplify DORA compliance in treasury

With Financial Navigator, you can centralize treasury processes, improve transparency and create traceable workflows.




FAQ on the DORA Regulation



What is the DORA Directive?

DORA, the Digital Operational Resilience Act, is an EU regulation designed to strengthen digital resilience in the financial sector. It requires financial companies to manage ICT risks, report incidents and make their systems resilient against cyberattacks and outages.



Who must implement DORA?

DORA applies to banks, insurers, payment service providers, investment companies, crypto service providers and other regulated financial companies. Critical ICT service providers can also be indirectly or directly affected by the requirements.



What are the 5 pillars of the DORA Regulation?

The five pillars are:


  • ICT risk management

  • ICT incident management

  • Digital resilience testing

  • Management of ICT third-party risks

  • Information sharing


Together, they are intended to strengthen the digital resilience of financial companies.



Is the DORA Regulation mandatory?

Yes, the DORA Regulation has been mandatory since 17 January 2025. As an EU regulation, it applies directly in all Member States and does not require national implementation.



Where can I find the DORA Regulation text or PDF?

You can find the official DORA Regulation text on EUR-Lex under Regulation (EU) 2022/2554. BaFin and the Deutsche Bundesbank provide further information and practical guidance.

 
 
bottom of page