Digital Operational Resilience Act
DORA transforms ICT risk management from an IT concern into a board-level legal liability for every EU financial entity and its critical technology providers.
The Digital Operational Resilience Act (EU) 2022/2554 is the European Union's definitive mandate for systemic ICT risk management across the financial sector. Applicable to banks, investment firms, insurers, and their critical ICT third-party providers, DORA transforms cybersecurity from an IT concern to a board-level legal liability.
Fully enforced since January 17, 2025, DORA demands rigorous digital operational resilience testing, sub-24-hour incident reporting, and strict third-party risk management.
For financial entities reliant on Microsoft 365, we translate DORA’s resilience mandates into enforceable technical operations. From deploying Sentinel analytics for precise incident classification to engineering Purview data resilience controls, we ensure your infrastructure consistently produces the evidence expected by European Supervisory Authorities.
Why This Matters Now
As of January 2025, DORA represents a paradigm shift in financial regulation: ICT risk management is now a strictly enforced legal obligation with immense penalties for failure. Financial entities must demonstrate that their digital infrastructure—especially Microsoft 365—is resilient against operational disruptions and advanced cyber attacks. If M365 serves as your operational backbone, every Conditional Access policy, DLP rule, and automated incident response playbook is now a critical DORA compliance artifact subject to regulatory audit.
Framework Metadata
Scope & Applicability
DORA applies to virtually all EU-regulated financial entities: credit institutions, investment firms, insurance and reinsurance undertakings, payment institutions, electronic money institutions, crypto-asset service providers, central securities depositories, trade repositories, fund managers, and their critical ICT third-party service providers. Microsoft is designated as a critical ICT third-party provider. Organisations using M365 as their primary collaboration and identity platform must demonstrate that their configuration satisfies DORA's ICT risk management, incident reporting, resilience testing, and third-party risk management requirements.
Core Obligations
ICT Risk Management Framework
Establish and maintain a comprehensive ICT risk management framework. Identify, classify, and document all ICT-supported business functions, assets, and dependencies.
ICT Incident Reporting
Classify ICT-related incidents using defined criteria. Report major incidents to competent authorities within strict timelines (initial notification, intermediate report, final report).
Digital Operational Resilience Testing
Conduct regular testing of ICT systems including vulnerability assessments, network security reviews, and threat-led penetration testing (TLPT) for significant entities.
Third-Party Risk Management
Maintain a register of all ICT third-party arrangements. Assess concentration risk. Ensure contractual provisions for exit strategies, audit rights, and incident reporting.
Information Sharing
Participate in threat intelligence sharing arrangements with other financial entities and competent authorities.
Microsoft 365 Control Mapping
How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.
Article 9 - Protection and Prevention
Controls: Entra ID PIM eliminating standing privileges. Conditional Access with continuous access evaluation. Defender for Endpoint with attack surface reduction rules.
Evidence: PIM activation logs, CA continuous access evaluation events, ASR rule trigger reports.
Article 10 - Detection
Controls: Microsoft Sentinel with financial-sector-specific analytics rules. Defender XDR unified incident queue with precise severity classification. Custom detection rules for anomalous administrative activity.
Evidence: Sentinel analytics rule inventory, forensic incident detection timeline, MTTD/MTTR metrics, validated false positive rates.
Articles 17–23 - Incident Reporting
Controls: Precise Sentinel incident classification against DORA severity criteria. Playbooks generating initial notification drafts within 4 hours of major incident classification. Evidence chain preserved in immutable storage.
Evidence: Incident classification logs, manually verified notification timeline reports, evidence chain integrity hashes.
Articles 28–44 - Third-Party Risk
Controls: Defender for Cloud Apps discovery of all third-party SaaS usage. App governance policies blocking unsanctioned applications. Service principal inventory with permission audits.
Evidence: Cloud App discovery report, sanctioned/unsanctioned app inventory, service principal permission audit.
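As an added illustration of the Articles 17–23 row above (example code written for this page, not the firm's playbook or any Microsoft tooling), the script below computes the 4-hour initial-notification deadline from the moment an incident is classified as major and keeps the evidence timeline as a SHA-256 hash chain that a verifier can check for edited, dropped or reordered records. The incident identifier, timestamps and the 4-hour window are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumption taken from the page's playbook description: the initial
# notification draft is due 4 hours after the incident is classified as
# major. The binding deadlines live in DORA's reporting RTS, not here.
INITIAL_NOTIFICATION_WINDOW = timedelta(hours=4)
GENESIS_HASH = "0" * 64


def notification_deadline(classified_at: datetime) -> datetime:
    """UTC timestamp by which the initial notification draft is due."""
    if classified_at.tzinfo is None:
        raise ValueError("classification timestamp must be timezone-aware")
    return classified_at.astimezone(timezone.utc) + INITIAL_NOTIFICATION_WINDOW


def _link_hash(prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_evidence(chain: list, event: dict) -> dict:
    """Append a record whose hash also covers the previous record's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    record = {"prev_hash": prev_hash, "event": event, "hash": _link_hash(prev_hash, event)}
    chain.append(record)
    return record


def verify_chain(chain: list) -> bool:
    """Recompute every link; an edited, dropped or reordered record breaks it."""
    prev_hash = GENESIS_HASH
    for record in chain:
        if record["prev_hash"] != prev_hash or record["hash"] != _link_hash(prev_hash, record["event"]):
            return False
        prev_hash = record["hash"]
    return True


def build_sample_chain() -> list:
    """Constructed sample timeline: an incident is raised, classified major, notified."""
    classified = datetime(2025, 3, 1, 9, 15, tzinfo=timezone.utc)
    chain = []
    append_evidence(chain, {"ts": "2025-03-01T08:40:00+00:00", "type": "incident_created",
                            "incident_id": "INC-EXAMPLE-001", "severity": "High"})
    append_evidence(chain, {"ts": classified.isoformat(), "type": "classified_major"})
    append_evidence(chain, {"ts": "2025-03-01T10:02:00+00:00", "type": "notification_drafted",
                            "due_by": notification_deadline(classified).isoformat()})
    return chain
```

In production the chain's latest hash would be written to the immutable store alongside each record, so that the store's retention setting and the hash chain each protect the other.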
Implementation Timeline
Related Frameworks
ISO 27001 certification is increasingly a procurement prerequisite. Without it, organisations face exclusion from enterprise supply chain shortlists and heightened scrutiny from insurers and regulators.
NIS2 introduces direct accountability for management bodies that fail to oversee cybersecurity risk across 18 critical sectors.
With fines exceeding EUR 1.2 billion for major infractions, GDPR non-compliance is a material financial risk that demands board-level ownership.
The FCA's full compliance deadline has passed—firms must now demonstrate, not merely plan, their ability to remain within impact tolerances during disruption.
Ready to get DORA-ready?
Start with a fixed-scope sprint. We assess your Microsoft 365 controls against DORA requirements, close gaps, and produce audit-ready evidence.