DORA regulation for the financial sector

Dallmeier supports banks and financial institutions with cyber-secure video solutions to help meet the requirements of the Digital Operational Resilience Act.

What is DORA?
DORA stands for the Digital Operational Resilience Act – an EU regulation aimed at strengthening the digital operational resilience and cybersecurity of the financial sector. It has been in effect since January 17, 2025, and applies directly in all 27 EU member states. As a sector-specific regulation, DORA takes precedence over the NIS2 Directive when it comes to cybersecurity risk management and the reporting of major incidents. Entities affected by DORA include banks, payment institutions, investment firms, crypto-asset service providers, insurance companies, and ICT third-party providers.

Relationship between DORA and NIS2
According to Article 1 paragraph 2, DORA is classified as a sector-specific legal act of the European Union within the meaning of Article 4 of the NIS2 Directive. This means that the provisions of DORA take precedence over the requirements of the NIS2 Directive in the areas of cybersecurity risk management and reporting of significant security incidents, and replace them in these areas.

Financial institutions and ICT service providers affected
The Digital Operational Resilience Act (“DORA”) is a new EU regulation that has been in force since January 17, 2025. Its goal is to strengthen the digital resilience and cybersecurity of financial institutions by establishing uniform requirements for dealing with information and communication technology (ICT).
Although DORA was primarily designed for financial institutions (e.g. banks, insurance companies, payment service providers), the regulation also affects external (critical!) ICT service providers and vendors that provide critical technologies to these institutions (ICT third parties).

For manufacturers of video surveillance technologies, DORA presents new opportunities – but also obligations. In this article, we examine what DORA specifically means, what requirements arise, and how they can be used strategically.

“For manufacturers of video surveillance technologies, DORA presents new opportunities – but also obligations.”

Jürgen Seiler, Head of Business Development at Dallmeier electronic GmbH & Co.KG

The five pillars of DORA – and their relevance for video surveillance technology
DORA structures its requirements around five core areas: ICT risk management, incident management, resilience testing, third-party risk, and information sharing.

  1. ICT risk management
    • Financial institutions must establish a comprehensive framework for managing IT risks: identification, classification, controls, monitoring, business continuity plans.
    • For manufacturers of video surveillance systems, this means: devices, software, and services can become part of this risk policy. If systems are critical to the infrastructure of financial clients, they will likely be examined closely.
       
  2. ICT incident management & reporting obligations
    • Major ICT disruptions must be classified and reported; interim and final reports are required.
    • The manufacturer should implement processes to quickly detect, analyze, and inform partners about incidents in components (e.g. camera failure, cyberattack on management software). Only then can the manufacturer support customers in fulfilling their own reporting obligations.
       
  3. Digital resilience testing
    • Regular penetration testing is mandatory.
    • This means for the manufacturer that video surveillance systems must not only be functionally secure, but also tested under realistic threat scenarios. Vulnerabilities (e.g. in firmware, network protocols) must be proactively identified and resolved.
       
  4. Management of third-party risks
    • Financial institutions must carefully monitor their ICT third-party providers (e.g. cloud providers, software vendors).
    • If the manufacturer provides its solution through third parties (e.g. cloud-based video management, hosting, maintenance providers), appropriate contractual provisions should be taken into account.
       
  5. Information sharing
    • DORA promotes cross-sector sharing of cyber threat information among financial actors.
    • Manufacturers can benefit by actively joining such networks or forming partnerships with financial institutions. This way, the manufacturer can stay informed about new threats in the video domain and proactively further develop its solutions.

Video technology and DORA
Video surveillance can be operated in a way that complies with DORA requirements – through careful system selection, secure architecture, contracts, and governance. However: There are no specific “DORA cameras” (at least not yet as a formal standard). For banks, it is important to consider DORA-relevant aspects when procuring video technology, especially since cameras can be seen as part of the ICT third-party ecosystem.
“Of course, the DORA regulation presents challenges for manufacturers of video security technology: resilience testing and incident management systems require investments. But it can also be an opportunity: providers who achieve early DORA compliance can position themselves as preferred partners for financial institutions and gain a competitive advantage,” says Jürgen Seiler, Head of Business Development at Dallmeier. “In addition, DORA can be a driver of innovation. The need for regular tests, such as penetration tests, drives the development of more secure and robust systems.”

Conclusion & outlook
DORA is more than just a regulatory hurdle – for financial customers and manufacturers of video surveillance technology, it can be a strategic lever for enhancing security. When manufacturers align their products and services with DORA, they not only fulfill regulatory requirements but also create real added value for their financial customers.
Especially in the environment of financial institutions, where security, stability, and resilience are top priorities, (security) technology is a key component. Financial customers are therefore looking for trustworthy partners and manufacturers.

Our personal offering
With cyber-secure video security technology “Made in Germany”, with IT security features at the product level and proprietary, ISO 27001-certified, regularly audited security processes, Dallmeier supports DORA-affected and regulated customers from the financial sector in meeting their security requirements under DORA.
If you would like to learn more about how we as a video surveillance solution provider can actively support your DORA strategy – from resilient and cyber-secure systems to compliance services – feel free to contact us. Our experts are ready to develop a DORA-compliant solution together with you.

Are you planning a video surveillance project and unsure how to consider DORA, NIS2, and the KRITIS umbrella law?

Book your free 30-minute 1:1 online session with our KRITIS expert Jürgen Seiler – well-founded and practical.

Further information and links:

About the Author: