Exploring DORA: A look at the next major EU mandate

Financial institutions have historically managed operational risk through capital allocation, but under Regulation (EU) 2022/2554, the Digital Operational Resilience Act (DORA), financial entities and their critical ICT service providers in the European Economic Area (EEA) must also follow a new set of rules. These rules cover the protection, detection and containment of Information and Communication Technology (ICT) related incidents, as well as the ability to respond to them and recover from them. With DORA applying from January 17, 2025, covered organizations have only one month left to align with its requirements.

DORA completed its legislative passage in November 2022 (the Council's adoption on November 28, 2022 followed the European Parliament's vote earlier that month) and was published in the Official Journal in December 2022. It specifically targets financial entities operating within the EEA. The regulation is part of a broader EU strategy to improve the cybersecurity and operational resilience of financial institutions in the face of growing cyber threats and digital risks.

The regulation applies to a broad range of financial entities, including banks, insurance companies, investment firms and payment service providers, as well as financial market infrastructures such as trading venues and central counterparties. It also extends to third-party providers of ICT services designated as critical, including cloud computing providers, which play an essential role in the financial sector's modern digital infrastructure.

DORA sets out requirements for ICT risk management, including the need for financial entities to implement a comprehensive risk management framework, conduct regular digital operational resilience testing, and establish protocols for classifying and reporting ICT-related incidents to their competent authority. It also creates a new oversight framework for critical ICT third-party providers, ensuring they are subject to direct regulatory scrutiny.

Why EU enterprises need to prioritize implementing phishing-resistant MFA

While DORA does not explicitly call out multi-factor authentication (MFA), it does require financial entities to implement policies and protocols for strong authentication mechanisms as part of its broader ICT risk management requirements.

In practice, MFA is recognized as an essential component of digital operational resilience because it removes the single most common root cause of incidents: a stolen or reused password. For financial entities operating under DORA, deploying MFA aligns directly with the regulation's aim of mitigating the risk of unauthorized access and data breaches, reinforcing both customer protection and the security of critical financial infrastructure.

MFA alone can save enterprises substantial sums over the long run by preventing the incidents that lead to response costs, fines and downtime, and it protects the digital assets that are critical to operations. However, not all MFA is equal: one-time codes and push notifications can be phished or relayed in real time. Prioritizing modern, phishing-resistant MFA, such as FIDO2/WebAuthn with hardware security keys, is the most effective way to protect an organization against stolen credentials and credential-phishing attacks.

What’s the penalty for non-compliance?

DORA itself does not set fixed monetary fines for financial entities; instead, each member state's national competent authority defines and imposes administrative penalties and remedial measures under its own law, and those are expected to be significant. The regulation does set one explicit penalty: a critical ICT third-party service provider that fails to comply with the measures of its Lead Overseer (one of the European Supervisory Authorities) can be subject to periodic penalty payments of up to 1% of its average daily worldwide turnover from the preceding business year, imposed daily for up to six months. Sources that cite specific national figures or draw comparisons with penalties under similar regulations, such as GDPR, are describing situational outcomes that vary widely.

In severe or persistent cases of non-compliance, regulators may also impose operational restrictions. This can mean halting business activities or services that are considered highly exposed to cybersecurity threats, or suspending licenses if an entity consistently violates DORA requirements. These measures ensure that non-compliant entities cannot operate in ways that put the broader financial or digital ecosystem at risk or erode trust in the EU's financial infrastructure.

Beyond fines and operational consequences, companies that do not adhere to DORA also face significant reputational harm. Cybersecurity incidents due to weak digital resilience, coupled with the penalties for non-compliance, can undermine customer and partner trust. In a highly interconnected market, reputational damage can have a severe long-term impact on a company’s viability.

How Yubico can help your enterprise comply with DORA

Implementing DORA requirements will be an ongoing effort. Both the depth and breadth of the mandate, spanning incident reporting, resilience testing and third-party risk management, require continuous action and careful planning. Recognizing that basic cyber hygiene and robust authentication sit at the heart of all of it will not only promote a culture of strong cybersecurity, but also raise the floor on how enterprises view risk and resilience.

Yubico can support enterprises of all sizes on their journey to DORA compliance with YubiKeys, the gold standard for hardware security keys and phishing-resistant MFA, to help protect employees, the supply chain and customers. Our highest-assurance authentication helps bolster enterprise defenses against cyber attacks and incidents, freeing up resources to focus on the other pillars of DORA and, of course, the core business.

For more information on how your organization can move toward phishing-resistant authentication and get started with YubiKeys ahead of the January 2025 deadline, contact our team and read our new eBook here.
