Aruba helps you achieve DORA compliance

Starting January 17, 2025, financial institutions across the European Union must implement new requirements to enhance digital resilience and risk management.

DORA: strengthening ICT risk management in the financial sector

The DORA regulation (EU Regulation 2022/2554) establishes a framework for ICT risk management in the financial sector, enhancing 'digital operational resilience.' This ensures the reliability of IT services and their ability to maintain operational continuity, even during incidents or disruptions.

As of January 17, 2025, financial institutions must comply with the DORA framework, which establishes benchmark technical standards to mitigate risks associated with digital technology.

DORA applies to all financial sector operators, including both traditional players (banks, payment institutions, investment funds, financial brokers) and non-traditional ones (credit rating agencies, crowdfunding platforms, etc.).

Financial institutions required to comply with the DORA regulation (art. 2)

  • Credit institutions
  • Payment institutions
  • Account information service providers
  • E-money institutions
  • Investment companies
  • Crypto-asset service providers
  • Authorized and registered token issuers
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • Trade repositories
  • Alternative investment fund managers
  • Management companies
  • Data communication service providers
  • Insurance and reinsurance companies
  • Insurance and reinsurance intermediaries
  • Pension providers
  • Credit rating agencies
  • Administrators of critical reference indices
  • Crowdfunding service providers
  • Securitization data repositories

Key DORA requirements for ensuring security

The DORA regulation requires financial entities to effectively manage IT risks to minimize their impact.

This is achieved through a structured IT risk management framework that defines specific technical requirements to ensure adequate security levels.

IT risk management

The approach to risk management must be structured in specific phases: Identification, Protection and Prevention, Detection, Response and Recovery, Learning and Evolution, and Communication. In practical terms, financial entities must map business functions supported by ICT services, identify critical ones, assess threats, implement security policies, monitor anomalies, ensure operational continuity, and adopt a dynamic approach for continuous improvement.

Reporting and notification of incidents and threats

Financial entities must continuously monitor services and assess abnormal events or cyber threats, reporting major incidents and significant risks to the relevant authorities. The criteria for reporting include the number and importance of affected customers, the volume of impacted transactions, reputational damage, the criticality of services, the duration and geographical scope of incidents, and both direct and indirect economic impact.

Digital operational resilience testing

The DORA regulation requires financial entities to establish and implement an annual digital operational resilience testing program to assess their preparedness for managing incidents, disruptions, and external attacks on ICT systems. For critical ICT services, threat-led penetration testing (TLPT) must be conducted using advanced simulations that mimic real-world attack tactics, helping to identify security weaknesses and improve response capabilities.

Third-party risk management

DORA recognizes the critical role of ICT service providers in ensuring digital operational resilience. As the financial sector becomes increasingly digital, interconnections and dependencies, both within the sector and with third-party infrastructure, have grown. Financial entities must identify key providers, evaluate their reliability, and ensure they meet the required security standards.

Aruba helps you achieve DORA compliance

As Italy’s leading provider of IT services and solutions for private users, businesses, and the Public Administration, Aruba offers cloud, hosting, data center, and trust services. It helps customers meet all necessary requirements for DORA Regulation compliance.

Aruba-owned data center infrastructure

Aruba has many years of experience in designing and constructing data centers, establishing an outstanding European network of privately owned, Rating 4 ANSI/TIA-compliant infrastructures. Thanks to this strategic asset, Aruba offers a full range of services and IT platforms based on security best practices, with insurance coverage for residual risks.

Security certifications and accredited Certification Authorities

Aruba services undergo regular internal audits and third-party evaluations to ensure compliance with ISO 27001, ISO 27017, ISO 27018, ISO 27035, ISO 22301, ISO 9001, and CSA STAR Level 2 security standards. Through our Aruba PEC and Actalis Certification Authorities, we provide trust services that certify our qualification to operate in various IT sectors and offer certified services recognized at the European level.

Risk management, monitoring, and internal controls

Aruba considers information a critical asset and has implemented an ICT risk assessment model to safeguard it. The company actively contributes to the IT security sector through associations and regulations, continuously monitoring technology and emerging threats. Additionally, Aruba collaborates with research bodies to integrate innovative solutions.

Aruba security services for DORA compliance

Thanks to our team of highly skilled experts in security solutions, along with the Actalis and Aruba PEC Certification Authorities, we provide solutions that strengthen the ICT infrastructure of financial entities. Our services help protect digital transactions while ensuring resilience and operational continuity in line with DORA requirements.

Managed Services

  • Managed Aruba MDR - A solution for combating cyber threats to customer resources, enabling antivirus protection at no additional cost.

  • Aruba Vulnerability Assessment and Penetration Testing - Identifies vulnerabilities and simulates intrusions, reducing the attack surface and verifying system compliance.

  • Aruba Managed Web Application Protection - Customizable web security services that remove the need to purchase specialized tools or hire specialized personnel, lowering costs and simplifying effective use.

  • Business Continuity as a Service - Solutions with zero RPO and near-zero RTO, managed on technology campuses designed for mission-critical environments.

  • Disaster Recovery as a Service - Enables the creation of replicas between remote sites, ensuring structured and documented processes for system restoration.

Trust Services

  • SSL Certificates - Guarantee a secure, encrypted connection between server and client, protecting data in transit from being intercepted or tampered with.

  • Code Signing Certificates - Digitally sign software, scripts, and applications to guarantee their integrity and prevent unauthorized modifications.

  • S/MIME Certificates - Encrypt and digitally sign email messages to ensure confidentiality, integrity, and authenticity.

  • QWAC (Qualified Website Authentication Certificates) - PSD2-compliant, providing high reliability and strong identification to guarantee data integrity during transmission.

For more detailed information on the full range of products and security services, please submit a contact request form.

Get in touch with our team and request further information on DORA and Aruba solutions