DORA Regulation: What Finance and Treasury Teams Need to Know Now
- Jun 29
- 6 min read

The DORA Regulation has been mandatory since 17 January 2025. The Digital Operational Resilience Act (DORA) is an EU-wide regulation designed to strengthen digital operational resilience in the financial sector. This is why it is not just an IT topic. It mainly affects the finance department, including all processes, payment transactions and third-party providers.
The regulation covers five central areas. These include:
ICT risk management
Management and reporting of ICT incidents
Testing digital operational resilience
Management of third-party risks
Information sharing on cyber threats
Implementing DORA requires clear data and process control. Modern treasury management systems help companies meet regulatory requirements efficiently
What is the DORA Regulation?
DORA stands for “Digital Operational Resilience Act”. The DORA Regulation therefore means a law on digital operational resilience. It provides a uniform regulatory framework for digital resilience across the EU.
The focus of the DORA EU Regulation is on the financial sector. Financial companies should become more resilient to digital risks. These risks should be systematically controlled, identified and managed. Companies should prepare for threats through testing. If an incident still occurs, reporting processes ensure a controlled procedure. Banks, insurers, investment firms and other financial companies should therefore be better prepared.
When did DORA come into affect and is it mandatory?
The DORA Regulation was published in the Official Journal of the European Union on 27 December 2022 with the official name DORA Regulation (EU) 2022/2554. The regulation entered into force on 16 January 2023. From that point, companies had two years to implement the measures.
Since 17 January 2025, the law has been mandatory in all EU Member States. The supervisory authority monitors implementation. Anyone who violates the regulation must expect regulatory consequences.
What does this mean in practice for companies?
Compliance must no longer be limited to documents. Regulatory requirements must be actively integrated into operational processes. Responsibilities must be clearly defined and documented. Evidence of controls, tests and risk management must be available at any time
Who must implement DORA?
The DORA Regulation does not only affect banks. It affects the entire European financial sector. Here you will find the most important players that must implement DORA:
Directly affected | Indirectly involved | Relevant internal stakeholders |
Banks | Cloud providers | Treasury |
Payment service providers | Software providers | Finance |
Insurers | IT outsourcing partners | Risk management |
Investment firms | Data centres | Compliance |
Investment companies | Managed service providers | IT |
Crypto service providers | Payment service providers | Internal Audit |
Relevant information and communication technology (ICT) third-party providers are also in focus. They can be monitored directly by European supervisory authorities. This results from the indirect requirements through customers from the financial sector.
Why DORA Also Affects Treasury and Finance Teams
When it comes to regulations on digital operational resilience, the IT department is usually the first focus. However, DORA does not only affect IT systems. All financial processes must be examined more closely. Treasury and Finance in particular manage many operational control points, including:
Payment transactions.
Bank connections.
ERP integrations.
Liquidity data.
User rights.
Approval processes.
Reporting.
To implement the DORA Regulation, all processes must be controlled and optimised. A treasury management system can help with this. It automates processes while maintaining compliance. This helps avoid manual errors and ensures real-time transparency.
The 5 Pillars of the DORA Regulation
To make implementation easier, the DORA Regulation structures its requirements into five central areas. This should help financial companies identify and control digital risks and remain able to act in a crisis.
ICT Risk Management
ICT stands for information and communication technology. It is a central part of secure processes. With DORA, ICT risks should be systematically identified, assessed and managed. They should be monitored continuously. Access rights and approvals should always be documented.
Relevant questions:
Which systems are critical?
Who has access?
Where do manual media breaks occur?
ICT Incident Management and Reporting
The DORA Regulation requires companies to set up structured incident management. ICT-related incidents must be identified, assessed and documented. This should limit the impact of IT disruptions and cyberattacks at an early stage.
For serious ICT incidents, the Bundesbank sets out requirements. These cases must be classified and formally reported.
Typical DORA process:
Identify → Classify → Escalate → Report → Document → Follow up
Testing Digital Operational Resilience
The DORA Regulation requires regular testing of digital resilience. These tests examine the resilience of systems, applications and processes. Potential weaknesses and risks should therefore be identified early.
Thanks to these tests, security and control measures can be continuously improved. Certain financial companies are subject to extended requirements. They must implement so-called Threat-Led Penetration Testing (TLPT). This test is a realistic simulation of targeted cyberattacks.
Central question:
Can the finance or treasury team continue to operate during a cyberattack?
ICT Third-Party Risk
The DORA EU Regulation requires companies to actively manage risks from external ICT service providers. Companies are becoming increasingly dependent on cloud, software and technology providers. This brings certain risks, including:
Third-party type | Risk | Required evidence | Treasury relevance |
Bank | Failure of account information | Emergency and escalation processes | Account balances, payment transactions |
ERP provider | Interruption of data flows | Documented interfaces and controls | Forecasting, reporting |
Treasury software | Failure of central finance processes | Recovery and backup concepts | Liquidity management |
Payment service provider | Delayed transactions | Risk assessment and monitoring | Solvency |
Cloud provider | Availability problems | Contractual and resilience evidence | Operation of critical systems |
Information Sharing
Financial companies should identify new attack patterns and vulnerabilities at an early stage. Continuous exchange between companies also makes sense for this. This allows risks to be identified and managed faster.
Implementation Checklist for CFOs and Treasury Managers:
Record critical finance systems
Document data flows
Review roles and permissions
Secure payment approvals
Record and assess third-party providers
Ensure audit trails
Test incident and emergency processes
From Excel Chaos to Controllable Finance Processes
Many finance processes are still based on manual spreadsheets and decentralised data sources. This creates significant risk potential for companies.
A treasury management system can centralise these processes and data. It automates relevant workflows, which significantly reduces the risk of errors. Responsibilities and processes are documented in line with DORA. Permissions are clearly structured. This provides greater operational resilience and security during audits.
How Modern Treasury Systems Support DORA Compliance
The DORA Regulation does not prescribe specific software. However, a TMS should meet certain requirements in order to support DORA. Financial Navigator combines these requirements on one platform. This makes the following easier:
Transparency.
Auditability.
Secure payment processes.
Bank and ERP integration.
Rights management.
Central data basis.
Real-time dashboards.
Check which treasury processes are still documented manually today. Increase your company’s compliance and security with a TMS.
Single Source of Truth for Liquidity and Payment Processes
Many companies work with data from different sources. Relevant data can come from bank portals, ERP systems, Excel files or payment platforms. This is linked to high effort, error risk and security risk.
A central data basis, on the other hand, creates transparency. It provides a consolidated view of account balances, payments and liquidity. Financial data is always up to date and accurate. This improves liquidity planning and treasury management. It also makes it easier to implement the DORA Regulation, as processes are systematic, traceable and documented.
Audit Trails, Permissions and Approval Processes
The DORA Regulation requires traceable and controllable processes. With a TMS, permissions and approval processes are clearly regulated. So-called audit trails create traceability. They serve as a log of changes, approvals and user activity.
This ensures complete documentation of all finance processes. This is especially relevant for payment transactions.
DORA Regulation Summary: What Finance Leaders Should Take Away
The DORA Regulation is mandatory for all companies in the financial sector. It mainly affects companies from EU Member States. However, the regulation can also indirectly affect other companies. DORA is intended to make the financial sector more resilient to digital risks.
Since 17 January 2025, the DORA Regulation has been mandatory. Companies must pay particular attention to the five pillars of the DORA Regulation:
ICT risk management
Incident management and reporting obligations
Resilience testing
Management of third-party risks
Information sharing
To meet regulatory requirements, companies are increasingly relying on finance systems. They automate and optimise processes and identify risky workflows. This increases transparency in payment transactions and the traceability of decisions.
The DORA Regulation is not just an IT project. For finance leaders, it mainly means more transparency, control and evidence.
Simplify DORA compliance in treasury
With Financial Navigator, you can centralize treasury processes, improve transparency and create traceable workflows.
FAQ on the DORA Regulation
What is the DORA Directive?
DORA, the Digital Operational Resilience Act, is an EU regulation designed to strengthen digital resilience in the financial sector. It requires financial companies to manage ICT risks, report incidents and make their systems resilient against cyberattacks and outages.
Who must implement DORA?
DORA applies to banks, insurers, payment service providers, investment companies, crypto service providers and other regulated financial companies. Critical ICT service providers can also be indirectly or directly affected by the requirements.
What are the 5 pillars of the DORA Regulation?
The five pillars are:
ICT risk management
ICT incident management
Digital resilience testing
Management of ICT third-party risks
Information sharing
Together, they are intended to strengthen the digital resilience of financial companies.
Is the DORA Regulation mandatory?
Yes, the DORA Regulation has been mandatory since 17 January 2025. As an EU regulation, it applies directly in all Member States and does not require national implementation.
Where can I find the DORA Regulation text or PDF?
You can find the official DORA Regulation text on EUR-Lex under Regulation (EU) 2022/2554. BaFin and the Deutsche Bundesbank provide further information and practical guidance.


