
How to Comply with DORA’s Data Handling Requirements Using Secure Erase Tools

SUMMARY: DORA sets strict expectations for how financial institutions handle data across its entire lifecycle. This guide explains what the regulation requires, how secure erasure fits into ICT risk management and why proper wiping is essential for preventing data exposure. You will learn how to define a data lifecycle policy, use trusted data wiping tools, maintain audit-ready erasure reports, include erasure requirements in vendor contracts and integrate data discovery to locate sensitive financial information.

DORA data management compliance should now be a priority for financial organizations across the EU. With banks and other financial entities managing huge amounts of sensitive data, failure to protect this information throughout the data lifecycle will now be penalized under DORA.

To help financial institutions comply with the new regulation, this blog will break down what DORA says about data handling, where secure erasure fits in, and the steps organizations can take to stay onside.

DORA in a Nutshell

What Is DORA?

The Digital Operational Resilience Act (DORA) is an EU regulation that sets requirements for how financial institutions manage and withstand ICT disruptions. While GDPR and NIS2 address privacy and cybersecurity more broadly, DORA focuses specifically on ensuring that financial entities can maintain critical operations during cyberattacks or system failures. It establishes clear expectations for ICT risk management, incident handling, resilience testing and oversight of technology providers.

When Did DORA Come Into Effect?

Adopted in November 2022, DORA came into force in January 2025.

Who Does DORA Apply To?

DORA applies to a wide range of financial entities—banks, insurers, investment firms, payment providers and more—as well as to ICT third-party service providers that support the financial sector. While micro-enterprises are exempt from some of DORA’s more taxing requirements, most organizations operating within the EU’s financial system fall under the regulation’s scope. This includes non-EU financial entities operating in the EU, and non-EU firms providing ICT services to European financial institutions.

Failure to comply with DORA requirements will lead to significant fines that will be overseen and imposed by national authorities. ICT third-party service providers that violate the regulation, for example, will be liable to pay up to 1% of their average daily worldwide turnover from the preceding year.

Example: Mid-Size ICT Provider (Annual revenue: €150 million)
  • Daily turnover: €410,000
  • Daily fine (1%): €4,100
  • Maximum penalty over 180 days: €738,000

How DORA & GDPR Align

While DORA is specifically aimed at strengthening the digital resilience of financial organizations, it’s important to note that GDPR still applies to anything that involves the handling of EU citizens’ personal data. In practice, nearly every organization within DORA’s scope also processes large amounts of such data, which means they have to comply with GDPR too.

So, for financial entities, you shouldn’t think of DORA as replacing GDPR. Rather, it complements it. GDPR already requires organizations to securely erase personal data when it is no longer needed, and that obligation provides a strong foundation for meeting some of DORA’s broader expectations for ICT lifecycle management. We’ll take a look at those below.

What DORA Says About Data Handling

The following table highlights how DORA expects companies to approach data handling as a core component of ICT risk management:

DORA Articles | Key Requirement | Relevance to Secure Erasure
Articles 5-14: ICT risk management | Ensure confidentiality and integrity of data throughout its lifecycle | Securely erase information when it is no longer needed, including any residual data
Articles 15-20: ICT incident handling | Detect, manage and report ICT-related incidents | Data retained improperly or exposed from old systems can count as non-compliance
Articles 21-27: Operational resilience testing | Test capabilities to recover, restore and decommission systems safely | Testing should include verifying that data can be securely wiped during system retirement or rebuild
Articles 28-44: Third-party risk management | Ensure ICT providers meet security obligations and follow contractual requirements | Contracts must mandate secure deletion or return of data when a service ends, to avoid exposure on third-party networks

How to Comply with DORA Using Data Wiping

To comply with DORA’s data handling measures, organizations can put together a structured, verifiable approach to data erasure. Here’s a wiping checklist for DORA data management compliance:

[Figure: the five steps to meet DORA data handling requirements: define policy, use erasure software, maintain audit trails, review contracts and add data discovery.]

1. Define a Data Lifecycle Policy

A data lifecycle policy is an important preparatory step for organizations getting ready to comply with DORA. The policy should include data retention schedules and specify when and how data must be erased. For example, it could state that documents of a given category older than 5 years must be wiped.

2. Use Trusted Data Erasure Software

Deleting files by normal means is not enough to make them disappear for good: ordinary deletion removes only the file-system reference, and the underlying data blocks remain on the drive until they are overwritten, so widely available recovery software can restore data that has been erased in this way. Instead, financial organizations must use appropriate measures, in this case certified data erasure software, to protect data confidentiality across the lifecycle.

3. Maintain Audit Trails

DORA requires organizations to show evidence of how ICT risks are managed, which includes proper data disposal. Certificates of erasure provide verified evidence of sanitization and support regulatory audits or internal reviews.

4. Include Erasure Requirements in Vendor Contracts

Since DORA places strong emphasis on third-party risk, contracts should specify how data is handled, protected and deleted at termination. This will prevent sensitive information from remaining on external systems after business relationships end.

5. Integrate Data Discovery

You cannot protect what you cannot find, so data discovery is the step that establishes what needs protecting and where it is located. By using a data discovery tool, companies can quickly identify sensitive financial documents and more easily enforce data retention and erasure policies.
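As an added example (not Jetico's or BCWipe's code, and not the regulation's wording), the following Python script strings steps 1, 2, 3 and 5 of the checklist together on a constructed sample directory: a retention policy keyed by document category, a simplified IBAN-pattern discovery rule, overwrite-then-unlink erasure with a comment on where that technique stops, and a JSON erasure record hashed so later tampering is detectable. The retention values, the pattern, the sample file names and the operator name are all assumptions made for the illustration.

```python
"""Added example: a minimal data lifecycle pipeline (policy -> discovery ->
overwrite-based erasure -> audit record). Not vendor code; all values assumed."""
import hashlib
import json
import os
import re
import tempfile
import time
from datetime import datetime, timezone

# Step 1: retention policy. Category -> maximum age in days (assumed values).
# None means "retain"; this demo only expires documents containing an IBAN.
RETENTION_POLICY = {"iban_document": 5 * 365, "other": None}

# Step 5: discovery rule. A simplified IBAN-like shape, assumed for illustration
# (country code, two check digits, 3-7 groups of four alphanumerics).
IBAN_PATTERN = re.compile(rb"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]{4}){3,7}\b")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def classify(path):
    with open(path, "rb") as fh:
        return "iban_document" if IBAN_PATTERN.search(fh.read()) else "other"


def discover(root, now=None):
    """Walk root; return (path, category, age_in_days) for every regular file."""
    now = time.time() if now is None else now
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            found.append((p, classify(p), (now - os.stat(p).st_mtime) / 86400))
    return found


def due_for_erasure(records):
    """Apply the retention policy to discovery results."""
    return [p for p, cat, age in records
            if RETENTION_POLICY.get(cat) is not None and age > RETENTION_POLICY[cat]]


def secure_erase(path, passes=1):
    """Step 2: overwrite the file's bytes in place, fsync, then unlink.
    A plain unlink only drops the directory entry and leaves the blocks intact.
    Caveat: in-place overwrite does not reach SSD wear-levelled copies, snapshots
    or journals, which is why end-of-life drives need drive-level sanitization."""
    size = os.path.getsize(path)
    digest_before = sha256_file(path)  # proves which content was destroyed
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, 1 << 16))
                fh.write(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())
    os.remove(path)
    return {"path": path, "bytes": size, "sha256_before": digest_before, "passes": passes}


def make_certificate(entries, operator="assumed-operator"):
    """Step 3: an audit-ready erasure record. Vendor certificates are signed; this
    plain JSON record is hashed so that later edits to it are detectable."""
    body = {"issued_at": datetime.now(timezone.utc).isoformat(), "operator": operator,
            "method": "overwrite-then-unlink", "items": entries}
    serialized = json.dumps(body, sort_keys=True).encode()
    return {"record": body, "record_sha256": hashlib.sha256(serialized).hexdigest()}


def run_pipeline(root, now=None):
    due = due_for_erasure(discover(root, now))
    return make_certificate([secure_erase(p) for p in sorted(due)])


def remaining_files(root):
    return sorted(os.listdir(root))


def build_sample_tree():
    """Constructed sample data: one stale IBAN document, one fresh one, one unrelated."""
    root = tempfile.mkdtemp(prefix="dora_demo_")
    six_years_ago = time.time() - 6 * 365 * 86400
    samples = {  # name -> (content, mtime or None for "now"); IBANs are example values
        "old_statement.txt": (b"Account: DE89 3704 0044 0532 0130 00\n", six_years_ago),
        "new_statement.txt": (b"Account: GB29 NWBK 6016 1331 9268 19\n", None),
        "notes.txt": (b"Quarterly meeting notes, nothing sensitive.\n", six_years_ago),
    }
    for name, (content, mtime) in samples.items():
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(content)
        if mtime is not None:
            os.utime(p, (mtime, mtime))
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print(json.dumps(run_pipeline(demo_root), indent=2))
    print("left on disk:", remaining_files(demo_root))
```

Running the script erases only the stale IBAN document: the fresh statement is within its retention period and the meeting notes fall under a category the policy retains. The returned record lists the erased path, its size and the SHA-256 of the content before overwriting, which is the kind of evidence an auditor asks for under step 3.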

Use BCWipe to Comply with DORA

Trusted by the U.S. Department of Defense for over 20 years, Jetico’s BCWipe software naturally aligns with DORA’s expectations for secure data lifecycle management.

BCWipe: For Active Systems & Data Discovery

With Jetico’s software for securely wiping files and folders, financial organizations can:

  • Wipe files and free space beyond forensic recovery
  • Generate certificates of erasure for compliance and auditing
  • Use BCWipe’s integrated Search feature to easily locate financial documents by category, including AI-powered grouping for advanced document detection

BCWipe Total WipeOut: For Decommissioning

For systems at the end of their lifecycle, you can use BCWipe Total WipeOut to:

  • Wipe traditional hard drives, SSDs and NVMe drives beyond forensic recovery
  • Prevent data leakages when devices leave your environment
  • Generate certificates of erasure for DORA compliance and auditing

Digital Resilience in the Financial Sector

DORA raises the bar for digital resilience across the financial sector, and secure data handling with proper erasure plays a critical role in meeting its requirements. It is a fundamental part of governing data integrity, preventing incidents and managing third-party risks.

Ready to get started with BCWipe in order to comply with DORA’s data handling requirements? Request a free trial or learn more about our solutions by contacting our Data Protection Specialists.

Frequently Asked Questions (FAQs)

What Is DORA in the EU?

DORA is the Digital Operational Resilience Act, an EU regulation that strengthens how financial institutions manage ICT risks and cyber threats. It sets uniform rules for resilience, incident reporting, testing and oversight of ICT providers.

Does DORA Apply Outside the EU?

Yes. DORA applies to non-EU financial entities operating in the EU, as well as to non-EU ICT service providers that support EU financial institutions.

Who Is Exempt from DORA?

Micro-enterprises with fewer than 10 employees and under €2 million in turnover or balance sheet total receive simplified obligations. Some small or non-complex financial entities may also be partially exempt from specific requirements.

What Is the Difference Between DORA and GDPR?

DORA focuses on operational resilience for financial services, ensuring systems can withstand ICT disruptions. GDPR focuses on protecting personal data and individual privacy rights.

What Does DORA Require When It Comes to Data Handling?

DORA expects financial institutions to ensure the confidentiality and integrity of data across its entire lifecycle. This includes securely deleting information when it is no longer needed and removing any residual data from old systems, backups or devices being decommissioned.

How Can Organizations Prove That Data Was Properly Erased Under DORA?

DORA requires evidence of how ICT risks are managed. Certificates of erasure and audit-ready reports generated by tools like BCWipe and BCWipe Total WipeOut help demonstrate that sensitive information was permanently removed and that sanitization followed a documented process.

How Should Secure Erasure Be Managed With Third-Party Providers?

Since DORA places strong emphasis on third-party risk, contracts must clearly define how data is stored, protected and erased at termination. Secure wiping should be required when services end to prevent sensitive information from remaining on external systems.

How Can Data Discovery Support DORA Wiping Requirements?

Before wiping, organizations need to know where sensitive data is stored. Jetico’s integrated discovery tools help financial institutions identify financial documents, categorize data by type and locate overlooked or duplicate files so nothing is missed during sanitization.
