
DORA explained: what it is and why it matters for event software

Across all industries, digital developments are moving at a rapid pace. The financial sector is no exception. IT solutions are no longer merely supporting tools; they form the backbone of many core processes, from transactions to events. This creates a wide range of opportunities, but also introduces greater vulnerability. That’s why the European Union introduced the DORA regulation.

With DORA, digital resilience becomes a requirement. Financial organisations must be able to demonstrably maintain control over their IT landscape as well as the software partners they work with. Event software plays a role in this too. After all, digital resilience doesn’t stop at core systems: events are part of the broader digital ecosystem.

So what exactly does DORA entail? And why is it wise to take it into account when organising events? In this article, we explain this and more.

What is the DORA regulation?

DORA stands for the Digital Operational Resilience Act. Although DORA entered into force in 2023, full compliance with DORA and the Regulatory Technical Standards has been required since 17 January 2025. As outlined above, the goal of DORA is to make the financial sector more resilient and robust in the face of cyber threats. Oversight is provided by the Netherlands Authority for the Financial Markets (AFM) and De Nederlandsche Bank (DNB).

The DORA regulation applies broadly across the financial sector. The organisations in scope range from payment institutions and crowdfunding service providers to crypto providers and insurance companies. In addition, DORA also applies to ICT service providers that supply services to financial organisations, with a distinction made between critical and non-critical ICT services. Providers of critical services are subject to direct supervision, meaning they too must comply with DORA’s requirements.

Why consider DORA when choosing event software?

Events are usually not considered business-critical processes. But that doesn’t mean they are completely separate from the IT landscape of your financial organisation. Events also involve data, which is why it’s recommended that the systems and software used meet clear security requirements.

With event software, you typically process:

  • personal data of attendees, speakers and VIPs

  • payment details for ticketing or invoicing

  • data shared through integrations with CRM and marketing systems

In addition, events are often organised in collaboration with multiple internal and external stakeholders, all working within the same software environment. That combination of large volumes of data and many users makes it important to assess whether your event software also complies with DORA requirements.


What are the requirements for suppliers?

DORA is structured around five pillars. Each of these pillars plays a key role in strengthening the resilience and robustness of financial organisations. These pillars are:

  • ICT risk management: clear insight into ICT systems, the risks they carry, and how those risks can be prevented or mitigated.

  • Incident management: if something goes wrong, everyone knows their role, what actions to take, and when incidents must be reported.

  • Resilience testing: systems are tested on a regular basis to assess whether they can withstand disruptions, for example through audits or security tests. This is also referred to as operational resilience.

  • Third-party ICT risk management: similar to standard risk management, but with a specific focus on external ICT service providers.

  • Information sharing: organisations that fall under DORA are encouraged to share information and knowledge about cyber threats and vulnerabilities with each other, provided clear agreements are in place.

What should you consider when choosing event software?

DORA doesn’t necessarily introduce more rules, but it does require greater control and resilience. When selecting event software, there are a number of practical aspects to consider:

  • Certifications: does the provider hold recognised certifications such as ISO 27001 or a SOC 2 report? These demonstrate that security and processes are structurally and demonstrably embedded.

  • Security testing: is the software tested on a regular basis, for example through penetration tests, audits or ethical (white-hat) hacking?

  • Incident response: is there a clear incident response policy in place? And are there clear agreements on how and when the provider will respond in the event of an incident?

  • Documentation & agreements: does the provider offer clear documentation, such as a Data Processing Agreement (DPA), outlining responsibilities and data processing arrangements?

  • Roles and permissions: can you define who has access to which data and functionalities within the software itself?


“By working in line with recognised standards such as SOC 2, we give customers confidence that their data is handled with care. Some explicitly ask for this, which we fully understand. It helps them work with external software partners with confidence.”

Stef van der Zon

Security Officer | aanmelder.nl


DORA vs other legislation

We’re of course familiar with other legislation designed to address digital risks. The GDPR (General Data Protection Regulation), for example, has become a widely recognised framework. GDPR primarily focuses on the privacy of individuals, with the goal of protecting consumers.

Key questions related to GDPR:

  • Which personal data do you process?

  • Are you allowed to process this data?

  • Can individuals exercise their rights (such as access, deletion or correction)?


DORA, on the other hand, takes a more organisational perspective. It focuses on how you ensure your IT systems remain reliable — even when something goes wrong.

Typical DORA-related questions include:

  • How robust is your IT landscape?

  • Are you able to prevent, manage and recover from incidents?

  • Can you demonstrate that these processes are structurally and effectively in place?

How Event Management can help you with this.

More information?

Digital resilience doesn’t have to create extra complexity. At aanmelder.nl, security is not a box to tick. It is an ongoing process. We believe transparency is key when it comes to how we approach digital resilience, our certifications and our contractual agreements. Not because events are business-critical, but because they are part of a broader, carefully designed IT landscape.

Would you like to know more about how we handle digital resilience, or have you received questions from your IT or security team? Feel free to get in touch. We are happy to think along with you.

Explore Event Management for IT teams