If you work in the financial or technology sector, you have surely heard of an acronym that is keeping more than one IT director up at night: DORA.
DORA is the Digital Operational Resilience Act, one of the European Union’s most ambitious and demanding cybersecurity regulations.
From January 2025, the DORA regulation is a mandatory reality. But why is it so important, and what will it really change for your business? It’s not just another law; it’s a shift in mindset. Having a good firewall is no longer enough; now, authorities want proof that your company can withstand a cyberattack and continue operating as if nothing happened.
What exactly is the DORA regulation, and which sector does it primarily target?
Although the name sounds general, one of the most frequently asked questions is which sector the DORA regulation primarily targets.
The short answer is: the financial sector. The long answer is much more interesting. Unlike previous regulations that only targeted large banks, DORA extends to:
- Credit institutions and payment establishments.
- Investment and asset management companies.
- Insurance and reinsurance entities.
- ICT service providers that provide support to the above.
This last point is critical. If your company is a technology firm that sells software or cloud services to a bank, the DORA regulation also applies to you. The European Union has identified that the biggest weakness of the financial system is not always the bank itself, but rather the digital supply chain.
The pillars of the DORA regulation and cybersecurity
The aim of this regulation is to create a robust framework for the European financial system to withstand serious incidents. To achieve this, the DORA cybersecurity regulation rests on several fundamental pillars that companies must address:
1. ICT risk management
Organizations must have a solid governance framework. Delegating security solely to the IT department is no longer permitted; company management is now legally responsible for risk decisions.
2. Incident Management and Reporting
If something happens, it must be reported. And quickly. The regulations establish strict deadlines and harmonized formats for reporting serious ICT incidents to the relevant authorities.
3. Digital operational resilience tests
This is where things get serious. DORA requires companies to conduct regular testing of their systems. For the most critical entities, this includes the TLPT (Threat-Led Penetration Testing), or penetration tests based on threat intelligence.
4. Third-party risk management
As we mentioned earlier, the DORA regulation focuses on your suppliers. You must audit how they manage their own security, since a breach in their system is, for all practical purposes, a breach in yours.
Analysis and guide to the DORA regulation: from compliance to strategy
If you look for analysis and guidance on the DORA regulation, you’ll see that most experts agree on one thing: compliance cannot be reactive. Many companies make the mistake of waiting for an audit to find out whether their systems are up to date.
However, the current threat landscape doesn’t wait. According to data from various European security reports, ransomware attacks and credential theft have increased exponentially in the last two years, particularly affecting financial services companies.
How to move from theory to practice?
To comply with the regulations, it is necessary to adopt tools that not only analyze risk once a year, but also offer a continuous overview. This is where the concept of CTEM, Continuous Threat Exposure Management, becomes vital.
Traditionally, companies would do a “pentesting” annually. The problem is that if a new vulnerability emerges the day after the test, your report is useless. A CTEM strategy proposes a five-stage cycle:
- Discovery of assets and attack surfaces.
- Mapping of possible attack routes.
- Prioritization based on real risk (not just technical).
- Validation that the controls work.
- Mobilization to correct what really matters.
How Kartos from Enthec helps you with compliance
At Enthec, we understand that managing all this information can be overwhelming. That’s why we’ve developed solutions that align perfectly with the philosophy of the DORA regulation.
For companies seeking professional and continuous management, our Kartos platform is the answer. It positions itself as a key tool for CTEM, enabling organizations to automatically and non-intrusively monitor their external exposure.
- Third-party surveillance. One of the most challenging aspects of DORA is monitoring your suppliers. Kartos allows you to analyze the risk level of your supply chain without installing anything on their systems or requesting special permissions. You’ll get a real and objective picture of their digital health.
- Leak detection. Kartos scans the Deep and Dark Web looking for leaked credentials or confidential information from your company before cybercriminals can use it.
- Risk scoring. It provides a clear score on your security posture, which greatly simplifies life for CISOs when reporting to the board of directors, as required by the new regulatory framework.
If you are a freelancer or concerned about your personal digital identity, we also have Qondar, our cyber-surveillance solution for individuals that applies the same principles of prevention and continuous monitoring.
Important: The DORA regulations are not just a checklist. They are an opportunity for your company to become more competitive and build greater trust with its customers.
Practical steps you should take today
If your company falls under the umbrella of this regulation (or if you simply want to improve your cybersecurity), here’s a simple roadmap:
- Find out if you are affected. Check whether your activity, or that of your main clients, falls within the scope of the DORA regulation.
- Map your assets and suppliers. You can’t protect what you don’t know. You need an up-to-date inventory of all your systems and, above all, your critical IT providers.
- Adopt a CTEM mentality. Leave static audits behind. Implement continuous monitoring tools, such as Kartos, to have 24/7 visibility into your external attack surface.
- Review your contracts. Make sure that agreements with your technology service providers include the security and incident notification clauses required by law.
- Training and awareness. Human error remains the primary entry point. Train your team and, above all, raise management’s awareness of their new legal responsibilities.
The DORA regulation may seem like a huge logistical challenge, but with the right tools and a proactive approach, it can become the best shield for your organization’s future.
Are you worried about how the new regulations will affect your infrastructure or your suppliers?
Get in touch with us and we’ll help you assess your actual exposure through a Kartos demo. It’s time to move from worry to prevention!