DORA – Digital Operational Resilience Act

Standardisation and regulation of cybersecurity, ICT risks and digital resilience in the European financial sector

DORA is an EU-wide, uniform regulation covering cybersecurity, ICT risks and digital operational resilience in the financial sector.
It came into full effect on 17 January 2025 and requires financial institutions, other financial companies and participating service providers to demonstrate their ability to respond to cyber attacks and incidents in the field of information and communication technology (ICT) through transparent accountability, flexible strategies and rigorous testing (DDoS, Layer 7) in six key areas:

  • ICT risk management 
    (Chapter II, Articles 5 to 16 DORA)
  • Handling, classification and reporting of ICT-related incidents 
    (Chapter III, Articles 17 to 23 DORA)
  • Testing digital operational resilience, including threat-led penetration testing (TLPT)
    (Chapter IV, Articles 24 to 27 DORA)
  • Management of third-party ICT risk, including information registers and notification requirements
    (Chapter V, Section I, Articles 28 to 30 DORA)
  • Supervisory framework for critical third-party ICT service providers
    (Chapter V, Section II, Articles 31 to 44 DORA)
  • Agreements on information sharing and cyber crisis and emergency exercises
    (Chapter VI, Article 44 and Chapter VII, Article 49 DORA)

DORA – Compliance challenges

Almost every technical team has a contingency plan in place for ongoing operations and the protection of its infrastructure: processes that must be strictly followed in the event of a cyber attack or operational disruption.
However, under DORA the financial sector has a much tougher nut to crack because of the complexity of the task, particularly with regard to cyber resilience (Layer 7) and ICT: in addition to ensuring compliance for its own technologies and systems, every DORA-compliant company must also take this into account for all systems and/or services it obtains from third-party providers!
This approach will quickly reveal risks in existing plans or procedures and inevitably expose existing gaps, which is both a blessing and a curse: the effort involved is much greater, but the process is more efficient overall.

DORA – Non-compliance

In the event of non-compliance with the regulations, the competent supervisory authority may impose ‘proportionate’ measures. These range from fines to injunctions or public announcements.
The latter leads to a loss of reputation in the industry: a damaged reputation is not only more expensive to repair, the damage can be irreparable.

zeroBS \ DORA: Here's what we can do for you!

DORA readiness: Layer 7 DDoS resilience in the financial sector

The Digital Operational Resilience Act (DORA) requires financial institutions to demonstrate the resilience of critical ICT services against cyber threats.
One of the biggest – and often underestimated – challenges here is Layer 7 DDoS attacks at the application level. These attacks target business-critical applications, APIs and authentication processes directly, often bypassing traditional network-based protection mechanisms.

From 2026 onwards, supervisory authorities will explicitly assess resilience to such scenarios.

Layer 7 DDoS attacks exploit application logic, APIs and authentication processes, making them difficult to detect based on volume thresholds. Affected companies in the sector therefore need a clear understanding of which business processes are particularly exposed and how they react to malicious traffic: reveal bottlenecks and sources of error through controlled Layer 7 stress and DDoS testing!

DORA attaches great importance to resilience testing that reflects realistic threat scenarios. The integration of Layer 7 DDoS attacks into such tests for critical services simulates, among other things, low-and-slow attacks, bot-driven request floods and the misuse of legitimate application functions. Such tests validate not only technical controls, but also detection capabilities, escalation paths and recovery objectives under attack conditions at the application level.
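As an added illustration of the detection point made above (this is example code, not from the original page and not zeroBS tooling): over a few constructed access-log lines, a network-style request-rate threshold sees nothing unusual, while a per-endpoint view of request cost and client concentration flags the authentication endpoint. Endpoint names, baseline shares and thresholds are assumed values.

```python
from collections import Counter, defaultdict

# Constructed sample access log (not real traffic): "epoch client_ip method path status duration_ms"
SAMPLE_LOG = """\
1700000000 10.0.0.1 GET /home 200 12
1700000000 10.0.0.2 GET /home 200 11
1700000001 10.0.0.3 GET /api/balance 200 40
1700000001 198.51.100.7 POST /api/login 401 850
1700000002 198.51.100.7 POST /api/login 401 870
1700000002 10.0.0.4 GET /home 200 10
1700000003 198.51.100.8 POST /api/login 401 860
1700000003 198.51.100.7 POST /api/login 401 845
1700000004 10.0.0.5 GET /api/balance 200 38
1700000004 198.51.100.8 POST /api/login 401 880
1700000005 198.51.100.9 POST /api/login 401 855
1700000005 10.0.0.6 GET /home 200 13
"""

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, ip, method, path, status, ms = line.split()
        rows.append({"ts": int(ts), "ip": ip, "method": method,
                     "path": path, "status": int(status), "ms": int(ms)})
    return rows

def volume_alert(rows, rps_threshold):
    """Network-style check: average requests per second over the whole sample."""
    span = max(1, rows[-1]["ts"] - rows[0]["ts"] + 1)
    return len(rows) / span > rps_threshold

def l7_alerts(rows, baseline_share, max_client_share, min_requests):
    """Application-level check per endpoint: share of total server time compared with
    an assumed baseline, plus how much of that endpoint's traffic the top 3 clients send.
    Returns (path, cost_share, top3_client_share, error_rate) for each flagged endpoint."""
    by_path = defaultdict(list)
    for r in rows:
        by_path[r["path"]].append(r)
    total_ms = sum(r["ms"] for r in rows)
    alerts = []
    for path, reqs in by_path.items():
        if len(reqs) < min_requests:
            continue
        cost_share = sum(r["ms"] for r in reqs) / total_ms
        top3 = sum(n for _, n in Counter(r["ip"] for r in reqs).most_common(3)) / len(reqs)
        error_rate = sum(r["status"] >= 400 for r in reqs) / len(reqs)
        if cost_share > 2 * baseline_share.get(path, 0.0) and top3 > max_client_share:
            alerts.append((path, round(cost_share, 2), round(top3, 2), round(error_rate, 2)))
    return alerts
```

In the sample the overall rate is about 2 requests per second, so a 100 rps threshold never fires, yet `/api/login` consumes almost all server time from three clients with a 100 % error rate.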

Many financial institutions rely on cloud platforms, CDNs and managed security providers to protect the application level. However, according to DORA, the responsibility lies directly with the financial company. Independent validation of Layer 7 DDoS protection measures – across internal systems and third-party dependencies – helps demonstrate that defence strategies work in practice and meet regulatory requirements.

Conclusion

Resilience to Layer 7 DDoS attacks has become a critical compliance and operational priority for financial institutions. With regulatory scrutiny set to intensify from 2026 onwards, organisations must go beyond assumptions and documentation to both demonstrate and achieve measurable, tested resilience. By integrating realistic Layer 7 DDoS testing into their DORA programmes, financial institutions can address a key vulnerability while confidently demonstrating their compliance and operational robustness.

Operational resilience thus becomes not just a compliance issue, but a strategic factor in stability and trust.
