
DORA in practice: what financial entities really need to demonstrate during a cyber crisis

DORA goes far beyond risk policies - it demands proven operational resilience under stress. Here is what banks, insurers and FinTechs must actually be able to do, with concrete examples.

3 min read By Dream On Technology Compliance
Illustration of a bank pillar building with a resilience shield in front and a continuity chart line below

DORA is not just another risk framework

The Digital Operational Resilience Act (DORA) entered into application across the European Union in January 2025. For banks, insurers, asset managers, payment institutions and the critical ICT third parties that serve them, it represents a structural shift: regulators no longer want to see policies, they want to see operational resilience demonstrated under stress.

In other words, DORA does not ask “do you have a plan?” - it asks “can you actually run that plan when half your systems are encrypted at 3 a.m. on a Sunday?”

That is a very different question.

The five DORA pillars in plain language

Pillar | What it really means in operations
ICT risk management | A living risk register, owned by the board, refreshed continuously.
Incident reporting | Major incidents reported to regulators within strict deadlines, with structured fields and follow-up.
Digital operational resilience testing | Regular Threat-Led Penetration Testing (TLPT) for significant entities, plus tabletop exercises and recovery drills.
ICT third-party risk | A complete inventory of critical providers, contractual safeguards, exit strategies and concentration analysis.
Information sharing | Voluntary collaboration with peers and authorities to anticipate emerging threats.

Each of these pillars converges on the same operational reality during an actual crisis: the regulator will eventually ask for evidence.

What “evidence” really means

Regulators do not accept screenshots. Under DORA, evidence must be:

  • Time-stamped - every action, every decision, every notification, with second-level accuracy.
  • Tamper-evident - logs that cannot be silently rewritten after the fact.
  • Reconstructable - you can replay the crisis chronologically, hour by hour, role by role.
  • Independent - if your collaboration tools were compromised, the evidence is still intact because it lives elsewhere.

This last point is the one most institutions underestimate. If your incident response runs on the same Microsoft 365 tenant or on the same shared drive as your production environment, a single ransomware event can destroy both your operations and the evidence you need to prove your response.

Three concrete capabilities to build now

If you are a CISO, COO or risk officer in a financial entity, focus on three operational capabilities:

1. Out-of-band crisis communications

Your crisis cell must be able to convene, talk, share documents and assign tasks without depending on the IT under attack. This means a dedicated crisis platform, hosted outside your production perimeter, accessible from personal devices, and protected by independent identity management.

2. Auditable decision trails

Every instruction issued during the crisis - “isolate domain controllers”, “notify ACPR”, “activate insurance”, “communicate to clients at 9 a.m.” - must be captured automatically with author, timestamp and context. The goal is not surveillance; it is to be able to reconstruct the chronology when the regulator and the board ask.
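As an added illustration of the time-stamped, tamper-evident, reconstructable trail described in the evidence list above and in this section (example code written for this article edit, not PanicSafe's implementation): a hash-chained logbook in which each entry commits to its predecessor, so that an edit, a deletion or a reordering is detected on verification, and the chronology can be replayed by role. The names, timestamps and instructions are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry

def entry_hash(entry: dict) -> str:
    # Canonical JSON (sorted keys) so re-serialisation yields the same digest
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class CrisisLogbook:
    """Append-only decision trail: each entry commits to the previous one."""
    def __init__(self):
        self.entries = []

    def record(self, author, role, instruction, context, ts=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "author": author, "role": role,
            "instruction": instruction, "context": context,
            "prev": prev,
        }
        body["hash"] = entry_hash(body)  # digest covers every field above
        self.entries.append(body)
        return body["hash"]

    def verify(self):
        """Return (ok, first_bad_seq); catches edits, deletions and reordering."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            unsigned = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or entry_hash(unsigned) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def timeline(self, role=None):
        """Chronological replay, optionally restricted to one role."""
        rows = [e for e in self.entries if role is None or e["role"] == role]
        rows.sort(key=lambda e: e["ts"])
        return [f'{e["ts"]} [{e["role"]}] {e["author"]}: {e["instruction"]}' for e in rows]

def sample_logbook():
    """Constructed crisis-night entries (not real data)."""
    log = CrisisLogbook()
    log.record("A. Martin", "CISO", "isolate domain controllers", "DC01 encrypted", ts="2025-03-02T03:12:40+00:00")
    log.record("B. Dupont", "Legal", "notify ACPR", "major-incident threshold met", ts="2025-03-02T04:05:10+00:00")
    log.record("A. Martin", "CISO", "activate insurance", "cyber policy clause", ts="2025-03-02T04:30:00+00:00")
    return log
```

In practice the chain head (or the whole log) should be copied continuously to storage outside the production perimeter, which is what makes the trail independent of the tenant under attack.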

3. Pre-drafted, jurisdiction-aware notifications

DORA notification deadlines are short. Banks operating in multiple jurisdictions must also handle GDPR, NIS2, sectoral regulators and contractual notifications to clients in parallel. Pre-drafted templates, mapped to scenarios and jurisdictions, save hours when minutes matter.

How PanicSafe supports DORA compliance

PanicSafe was designed for exactly this brief. It provides an instantly activated, IT-independent crisis cell with end-to-end encrypted chat, video and document storage; an automatic, immutable logbook that produces exactly the kind of timestamped trail DORA expects; and a structured playbook engine that maps to incident classification and notification workflows. For our partners in financial services, it shortens the gap between having a DORA programme and being demonstrably resilient.

Closing thought

The institutions that will pass DORA scrutiny smoothly are not the ones with the thickest risk policies - they are the ones whose teams can run a crisis with discipline, traceability and independence. The work to build that capability happens before the alarm goes off, not after. Talk to our team if you would like to benchmark your current setup against DORA’s operational expectations.
