In the run up to DORA going live, we have published a number of articles relating to the regulation. For example, in this comment piece, Alasdair Anderson, VP, EMEA at Protegrity, sets out the key steps to ensuring DORA compliance. Moreover, he argues that DORA compliance can not only be simplified – done right, it offers new business opportunities.

And in another article, Chip Strange, Chief Strategy Officer at Ookla, explores what banks have done and what they still need to do in order to prepare for the new regulation.

It is no great surprise to learn that a number of firms are not quite ready to comply with the new regulation. What happens next will be fascinating to observe. A number of industry experts give their opinion on how things may pan out (comments in alphabetical order by company name).

Sean Tilley, Senior Director of Sales for EMEA at 11:11 Systems

DORA non-compliance could cost your business

Prompted by a new era of cyber-attacks, surging downtime and data breaches, the Digital Operational Resilience Act (DORA) regulation came into force on 17 January to reshape how organisations approach security, privacy and cybersecurity. Cybercriminals are becoming increasingly daring and creative, with an expected rise in the exploitation of new vulnerabilities in 2025.

Recent trends highlight an alarming increase in cybercrime. Research by Security Scorecard revealed that 78% of Europe’s largest financial institutions experienced third-party data breaches in the past year, of which 84% were exposed to fourth-party breaches, underscoring the extensive reach of cyber threats within the financial sector. Further, according to the World Economic Forum’s Global Cyber Security Outlook Report, supply chain vulnerabilities are emerging as the top ecosystem cyber risk, with 54% of large organisations identifying supply chain challenges as the biggest barrier to achieving cyber resilience.

As organisations adopt hybrid work models and shift towards cloud-based infrastructures, they inadvertently expose themselves to a greater volume of cyber-attacks. These threats are increasingly sophisticated, often employing AI technologies to automate attack vectors. In this context, DORA is not merely a legal obligation but a crucial strategy for organisations to reinforce their cybersecurity frameworks and achieve operational resilience.

Ransomware dominates as the top threat across 92% of industries, according to the 2024 Verizon Data Breach Investigations Report, making rapid patching and exposure management more critical than ever for organisations striving to stay ahead. DORA’s regulatory framework is designed to improve the integrity and resilience of digital systems in financial entities and Information and Communication Technology (ICT) third-party service providers across Europe, harmonising how organisations detect, handle and report ICT-related risks to mitigate the ever-growing risk of breaches.

Understanding the consequences of non-compliance

As businesses increasingly face a rising tide of cyber threats, DORA has emerged as a pivotal framework designed to enhance the cybersecurity posture of financial institutions within the European Union.

Although many large financial firms, which already operate within a highly regulated sector, typically have robust cyber resiliency integrated into their systems, compliance concerns continue to weigh heavily on the UK financial services sector. A report by Orange Cyberdefense revealed that 43% of organisations were expected to miss the DORA compliance deadline. Even more striking, delays are projected to last at least three months due to the complexity of regulatory requirements.

As DORA is already here, its strict mandates in areas like ICT risk management, incident reporting, testing, threat information sharing and third-party risk management cannot be overlooked without facing substantial fines. Organisations must notify the relevant competent authority of “major” incidents (relating to the impact of critical services) within just four hours of determining that the incident meets this classification. Following the initial notification, a detailed intermediate report must be submitted within 72 hours of classifying the incident as major. DORA additionally requires firms to collate information about their contracts with IT providers into a register.

Failure to comply with these regulations can have severe repercussions. The act requires EU member states to implement appropriate penalties for breaches, which may include fines of at least 2% of the average daily worldwide turnover for up to six months or individual fines reaching up to €1m. Critical third-party ICT service providers that fail to adhere to DORA’s requirements risk facing even steeper fines, operational restrictions, and irreparable reputational damage.

Regulatory authorities possess the power to limit or suspend the business activities of non-compliant financial firms until full compliance is achieved. The competent authority also has the right to request data traffic records from telecommunications operators if there is reasonable suspicion of a breach. Public notices identifying those involved and the nature of the breach may be additionally issued. Such penalties might have a more significant financial impact than fines alone.

Notably, DORA introduces individual liability for business leaders regarding their firm’s compliance failures, with a maximum penalty of €1m.

A call for robust compliance strategies

A recent data reporting dry run conducted by the European Supervisory Authorities (ESAs) involving 1,039 financial firms revealed that only 6.5% reported no data reporting failures. The majority of reporting errors were attributed to gaps in reporting accuracy, with 84% of reporting failures stemming from missing data in mandatory fields and a further 6.5% due to faulty Legal Entity Identifiers (LEIs).

Therefore, companies and firms must provide the correct information to avoid reporting failures and data quality issues. It is also essential that organisations obtain an LEI to enable them to participate in data reporting.

Organisations that do not adopt proactive and comprehensive cybersecurity strategies and fail to comply with DORA face a spectrum of significant consequences that could jeopardise not only their operations but also their reputation and client trust.

Moving forward

The DORA framework offers a structured approach for financial entities and their third-party providers to manage operational resilience in an increasingly digital landscape. Collaborating with specialised compliance partners can aid organisations in navigating the complexities of these regulations, ensuring adherence that translates into genuine operational strength.

Considering the evolving threat landscape and the severe consequences of non-compliance, organisations must prioritise compliance with DORA while reinforcing their cybersecurity frameworks. The stakes are high, but the right measures can lead to a more resilient and secure operational environment for all stakeholders involved.
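The dry-run findings above point at two concrete data-quality failures: empty mandatory fields and faulty LEIs. As an added example (not code from the article or from 11:11 Systems), the Python below runs a pre-submission check over a register-of-information extract: it validates LEI check digits per ISO 17442 (ISO 7064 MOD 97-10, the same scheme IBAN uses) and flags missing mandatory columns. The column names and sample rows are constructed for this example and are not the official DORA template.

```python
"""Pre-submission checks for a register-of-information extract.

Added illustration, not code from the article or from any regulator. It covers
the two failure classes the ESA dry run reported: empty mandatory fields and
faulty Legal Entity Identifiers. LEI check digits follow ISO 17442, which uses
ISO 7064 MOD 97-10 (the same scheme as IBAN). Column names and sample rows are
constructed for this example and are not the official DORA template columns.
"""
import re

# ISO 17442 layout: 18 alphanumerics followed by two numeric check digits.
LEI_RE = re.compile(r"^[A-Z0-9]{18}[0-9]{2}$")

# Hypothetical mandatory columns for the example (assumption, not DORA's list).
REQUIRED_FIELDS = ("entity_lei", "provider_lei", "contract_ref", "supports_cif")


def _mod97(s: str) -> int:
    """ISO 7064 MOD 97-10 residue of an alphanumeric string (A=10 ... Z=35)."""
    digits = "".join(str(int(ch, 36)) for ch in s)
    return int(digits) % 97


def lei_check_digits(prefix18: str) -> str:
    """Compute the two check digits for an 18-character LEI prefix."""
    if not re.fullmatch(r"[A-Z0-9]{18}", prefix18):
        raise ValueError("LEI prefix must be 18 uppercase alphanumerics")
    # Append "00", take the residue, and choose the digits that make the whole
    # 20-character string leave residue 1.
    return f"{98 - _mod97(prefix18 + '00'):02d}"


def is_valid_lei(lei: str) -> bool:
    """True if lei is well-formed and its MOD 97-10 residue is 1."""
    lei = lei.strip().upper()
    return bool(LEI_RE.match(lei)) and _mod97(lei) == 1


def check_record(row: dict) -> list:
    """Return findings for one register row; an empty list means it is clean."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not str(row.get(field, "")).strip():
            findings.append(f"missing mandatory field: {field}")
    for field in ("entity_lei", "provider_lei"):
        value = row.get(field)
        if value and not is_valid_lei(value):
            findings.append(f"invalid LEI in {field}: {value}")
    return findings


def check_register(rows: list) -> dict:
    """Map each problematic row (by contract_ref, else row index) to findings."""
    report = {}
    for i, row in enumerate(rows):
        findings = check_record(row)
        if findings:
            report[str(row.get("contract_ref") or f"row{i}")] = findings
    return report


# Constructed sample LEIs: the prefixes are invented, the check digits are
# computed with lei_check_digits so that the identifiers are well-formed.
ENTITY_LEI = "DEMOBANK0000000001" + lei_check_digits("DEMOBANK0000000001")
PROVIDER_LEI = "DEMOCLOUD000000002" + lei_check_digits("DEMOCLOUD000000002")
# A single-digit typo in the last check digit, as a reporting system might see.
TYPO_LEI = PROVIDER_LEI[:-1] + ("0" if PROVIDER_LEI[-1] != "0" else "1")

# Constructed register extract: one clean row, one faulty LEI, one with gaps.
SAMPLE_ROWS = [
    {"entity_lei": ENTITY_LEI, "provider_lei": PROVIDER_LEI,
     "contract_ref": "CTR-001", "supports_cif": "yes"},
    {"entity_lei": ENTITY_LEI, "provider_lei": TYPO_LEI,
     "contract_ref": "CTR-002", "supports_cif": "no"},
    {"entity_lei": ENTITY_LEI, "provider_lei": "",
     "contract_ref": "", "supports_cif": "yes"},
]

if __name__ == "__main__":
    for ref, findings in check_register(SAMPLE_ROWS).items():
        print(ref, "->", "; ".join(findings))
```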

Guy Mettrick, Industry VP Financial Services, Appian

To comply with DORA’s stricter third-party risk management, FSIs must update service-level agreements (SLAs) for incident response and reporting. DORA requires FSIs to provide regular audits and reports with the ability to provide evidence of governance and control measures on demand. 

The greatest challenge lies within the complexity and scale of these requirements, which may necessitate FSIs to implement new systems and processes, onboard new vendors to provide those capabilities or renegotiate existing contracts with software and service providers. As a result, institutions may face operational disruption as they strive to meet these new standards.

Given the complexity and scope of DORA, financial institutions will need to shift toward a more centralised approach to regulatory compliance. This involves integrating compliance efforts across the organisation rather than treating them as isolated tasks within individual departments.

Intelligent automation can play a vital role in helping organisations overcome these challenges.

By utilising automation, the heavy lifting of regulatory change will be subsidised, with automation streamlining processing and ensuring consistency across different lines of business. As mentioned, DORA emphasises systematic approaches to regulatory compliance. Here, automation can assist organisations in staying updated with regulatory changes and swiftly addressing any material impacts on data classification and/or service criticality.

For example, an organisation could use process automation to manage the assessment and impact of regulatory change across their organisation and integrate a horizon scanning tool to alert them to upcoming regulatory events. Automating incident management orchestration would also reduce response times and ensure firms are more capable of meeting the DORA requirements for incident response and reporting.

Andy Norton, European Cyber Risk Officer at Armis

Many financial institutions are woefully unprepared for DORA’s upcoming January deadline. In fact, 35% of UK IT leaders within the financial services sector acknowledge that their firms lack sufficient budget allocations for cybersecurity programs, people and processes.

To meet DORA’s stringent requirements, firms must first prioritise cybersecurity basics, like shoring up multi-factor authentication (MFA), firewalls, network visibility and regular software updates. Equally important is adopting automation and bringing all security tools and processes under a unified management system to create better visibility and faster, more streamlined operations.

Once these fundamentals are sorted, advanced solutions like AI-powered threat intelligence enable firms to transition from reactive cybersecurity measures to a proactive defence strategy, identifying and neutralising threats before they occur.

Can Taner, CPO, Bitpace

DORA’s impact will ultimately herald new levels of transparency in the industry and prove a positive step for building consumer trust in digital payments. DORA can help providers set the stage for straightforward borderless financial commerce, where accepting, sending, and storing digital payments is as smooth as possible.

In its digital state, commerce requires a constant transfer of data, and in an era when cyber threats and outages are mounting, customers need assurances that their money is in safe hands. This is why DORA is important across the board, encouraging companies to take a more proactive approach to security, building out a robust data strategy, rather than mitigating operational risks by allocating capital to cover losses.

For crypto specifically, DORA, in parallel with the recently introduced MICA guidelines, will also provide the strong regulatory framework needed to legitimise the asset class as a viable and trusted payments solution for businesses. At a time when many European businesses are dealing with operational challenges and high costs as a result of various geopolitical and macroeconomic factors, crypto offers them the critical alternative gateway they need to remove barriers and continue trading globally.

Marija Devic, Consultant, Capco

The EU’s Digital Operational Resilience Act (DORA) regulation came into effect today (Day 1). With a focus on information and communication technology (ICT) risks, DORA has raised the bar and imposed prescriptive requirements for a broad range of financial entities and third-party service providers. The regulation aims to enhance their operational resilience and ensure robust measures are in place to prevent, detect, respond to, and recover from ICT-related incidents and disruptions. Whilst firms have made progress for Day 1 go-live, there is a substantive book of work to complete in 2025 and beyond (Day 2) to ensure compliance with the regulation and build strategic operational resilience capability.

As firms plan their Day 2 remediation activities, they need to ensure they can demonstrate to their customers, regulators and other stakeholders their commitment to maintaining a high level of digital operational resilience. Below, we outline common areas where we expect firms to focus in 2025 to achieve DORA compliance effectively and efficiently and drive broader transformational change.

Third-party risk management

Augmentation of ICT third-party risk management practices, including completion of registers of information and negotiation and amendments to contracts for all remaining ICT third-party service providers, enhancements of concentration risk frameworks, and development of exit plans and testing for all ICT third-party service providers supporting Critical or Important Functions (CIFs).

ICT Risk management framework and tools

Enhancement of internal governance and control frameworks, processes, systems, tools and measures / key performance indicators (KPIs) and key risk indicators (KRIs) to enable effective management of all ICT risks. Implementation of gaps related to technology and cyber provisions, such as network segmentation, encryption and cryptographic controls, anomalous activity detection and logging protocols and tools.

Testing

Expansion of scope, alignment and level of sophistication of existing practices and tests under the overarching “digital operational resilience testing” program, for example, scenario testing, TLPT.

Incident management and reporting

Alignment of incident management processes, classification and reporting format and process to DORA’s requirements.

Integration and efficiency

Integration of global operational resilience and risk capabilities in response to EU DORA and other regulatory requirements. Definition of a sustainable framework and operating model and streamlining and realising efficiency gains through use of technology and GenAI.

Desre Sheen, Head of UK Financial Services Consulting Practice, Capgemini

As we hit the deadline for DORA, financial institutions are signaling that they have achieved the minimum required for compliance. However, the main challenge will be sustaining and evolving the underlying culture over time. Additionally, all plans need to be living documents, as the definition of a critical business service may change. It’s also important to be mindful that all regulations require a certain level of interpretation, and that means not every firm will be equally compliant.

Joe Vaccaro, Head of Cisco ThousandEyes

What’s key about DORA is the broadening of digital resilience to include the ICT suppliers that financial services companies rely on to deliver their services to customers. 

In an Internet-centric architecture, you can’t go and reboot the Internet. So businesses need a new operational posture to manage disruptions. They need to understand what their hidden dependencies are. For example, you might be using a third-party service for voice and messaging features in your application, but do you know the dependencies of that service, like which cloud provider it’s hosted on? 

For financial services organisations, this means they will need to understand how they can discover and inventory their third-party dependencies, to map them, and to deploy processes to track that connectivity on an ongoing basis.  

Not just financial transactions but all digital experiences today are powered by a digital supply chain that spans across owned and unowned networks. While DORA may apply to the financial services sector, achieving digital resilience in the face of disruptions is a boardroom issue no matter what industry you’re in. 

Jason Smith, Senior Principal, Strategy & Transformation, Conga

DORA was designed to reduce the likelihood of operational disruption. Initially, leaders expressed concerns over the scope of the fines and complexity of aligning with DORA’s mandates. The penalties for noncompliance are severe, especially for those businesses that are considered critical third parties (CTPs). For organisations, fines include 2% of a firm’s total annual worldwide turnover; for individuals fines can reach €1m. Whereas for third-party providers, penalties can be as much as €5m. Naturally, fines vary depending on the severity of the violation and the entity’s cooperation with authorities.

Ahead of the deadline, organisations have scrambled to ensure that their systems, governance structures and reporting processes meet the new standards. Financial institutions have accelerated investments in cybersecurity infrastructure, conducted rigorous testing of their IT frameworks, and enhanced third-party risk management practices. The more effective firms would have implemented a centralised contract lifecycle management (CLM) system to automate vendor risk assessments and ensure contractual agreements meet the new standards. Firms without the technological infrastructure may still have gaps in their third-party risk oversight.

Now, as the transition period draws to a close, organisations must remain vigilant. Whilst the main concern is whether financial institutions and their partners are fully compliant, DORA is not a one-time effort; firms must continuously refine their resilience strategies and stay prepared for potential regulatory updates. Organisations should remain proactive, ensuring they meet the current requirements but are also in the best position to adapt to future legislation. The post-DORA landscape highlights a clear lesson: operational resilience is now a strategic imperative.

Elliott Limb, CEO and founder, Cubed

In its current form the Digital Operational Resilience Act (DORA) is trading innovation for resilience. It is enforcing strict compliance burdens and putting financial pressure on the startups and scaleups within the fintech and banking industries. Europe is home to over 35% of the world’s fintech startups which have a combined revenue of over $31bn so we must consider what this regulation means for them. Whilst resilience and security are extremely important, DORA feels like a knee-jerk reaction to the industry’s resilience and security problems rather than a regulation which complements the industry’s innovative nature and fosters growth.

Bob Wambach, VP Product Portfolio at Dynatrace

With the Digital Operational Resilience Act (DORA) deadline finally here, financial institutions across Europe and beyond face a critical moment. While DORA is an EU regulation, it has far-reaching implications for UK-based financial entities. Europe remains a key market for many of the UK’s largest banks and insurers, so compliance is essential to maintain trust and strengthen their relationships with customers.

A failure to meet the same standards as banks in Europe risks creating a two-tier market divided into providers that are resilient by default and those that represent a risk to the customers that rely on them.

However, compliance will only take banks so far. Financial services firms both in Europe and the UK must be prepared not just to meet the baseline requirements of DORA, but to empower their teams to respond instantly to operational disruption and cyber incidents. This means going beyond checkbox compliance measures. Organisations must prioritise continuous testing of their services and embrace a culture of resiliency first. Converging observability and security data to support real-time, AI-powered anomaly detection is the optimal way to rapidly assess risks before they escalate into full-blown incidents that breach compliance thresholds and leave customers exposed.  

It remains to be seen how strictly EU regulators will enforce the rules surrounding DORA, but one thing is certain: no financial institution wants to be the first to fall short.

Bart Salaets, EMEA Field CTO, F5 

The consequences of not complying with DORA can be very severe for financial institutions and the companies that operate with them.    

Most financial institutions will, from a pure resiliency perspective, go for multicloud adoption when it comes to information storage and cybersecurity, because they do not want to put all their eggs in one basket. They will have their applications deployed in multiple ways, including private data centres and different public clouds. 

In order for organisations to keep their applications and APIs protected, it will therefore be essential to have a multicloud-enabled solution in place that can protect APIs in any of these environments. Centralised configuration and visibility will be essential for financial institutions and companies to be fully on top of their reporting obligations. 

Tim Wright, partner and technology lawyer, Fladgate

Many financial institutions not prepared for DORA deadline

DORA is a significant step in raising the bar for operational resilience and Information Communication Technologies (ICT) risk management across the financial sector. The European Supervisory Authorities (ESAs) are poised to begin comprehensive supervision, with a focus on assessing DORA compliance, handling major ICT incidents, and reviewing license applications.

However, judging from the activity we are still seeing, many FIs are not fully prepared for DORA implementation, suggesting varying levels of readiness.

Smaller firms in particular face greater challenges due to resource constraints and the complexity of DORA’s 500-plus requirements, as well as having to deal with a wide range of third-party service providers.

This is compounded because DORA casts such a wide net, catching a wide range of providers who do not supply typical IT services, and we are often seeing firms gold-plating DORA’s extensive requirements and taking a one-size-fits-all approach. Where a firm faces issues meeting full compliance by the deadline, they should demonstrate good faith efforts and maintain open communication with regulators. Authorities are likely to take a targeted approach to enforcement, focusing on significant and visible breaches.

‘Punitive measures for non-compliance’

In terms of potential punitive measures for non-compliance, it’s the usual EU approach of less carrot, more stick, with the risk of mega fines for the worst cases. On top of that, periodic penalty payments of up to 1% of average daily worldwide turnover can be imposed for continued non-compliance, lasting up to six months. Other potential sanctions include public reprimands, business activity restrictions and potential license suspensions.

Implementation costs ‘substantial’

While the initial implementation costs will be substantial, especially (relatively speaking) for smaller firms, the expectation is that the longer-term benefits of enhanced operational resilience and improved risk management will pay back the investment, as implementation will lead to a more secure and resilient financial ecosystem. DORA will also create a surge in demand for cybersecurity professionals, particularly those with expertise in financial sector regulations and ICT risk management, but in the longer term, the increased demand presents significant opportunities for career advancement and recognition for cybersecurity professionals.

Dr. Ilia Kolochenko, CEO, ImmuniWeb

DORA is a fairly complex and comprehensive cybersecurity regulation, which enacts a diverse spectrum of technical, operational and human controls into the existing data protection, cybersecurity monitoring and incident response strategies. The situation is somewhat similar to 2018, when GDPR became effective: virtually no single large company or financial institution was fully compliant with numerous GDPR requirements.

Today, with numerous third-parties having privileged access to critical business data, multicloud or hybrid data storage environments, vulnerable mobile and smart/IoT devices utilised for business purposes, and the rapid proliferation of untested or unreliable AI tools, DORA compliance may be either cost prohibitive or simply impossible from a technical viewpoint.

The situation is quite unlikely to improve substantially in 2025 because – despite the harsh penalties for non-compliance with DORA – the risks of being caught are pretty low. Therefore, we will probably see progressive but slow improvements on both sides of the Atlantic, whilst some financial institutions will deliberately prefer to do nothing, waiting for the first enforcement actions to see whether it would be less expensive to pay a fine than to implement full DORA compliance.

Grant Harper, Global Lead for Financial Services at ITRS

DORA comes at a time when scrutiny over operational resilience continues to intensify. Operational resilience isn’t just about ticking regulatory boxes; it’s about safeguarding reputation and maintaining trust in a competitive market.

A core requirement under DORA is for financial entities to establish robust processes to identify and assess ICT risks, ensuring they can pre-empt and respond to potential threats effectively. Firms therefore need complete visibility over their IT stack. This is no small task, particularly for financial entities with complex, multi-cloud environments. Implementing monitoring and observability solutions will provide visibility and real-time insights into system performance, detect anomalies, and support identification of vulnerabilities before they escalate. If they haven’t already, firms need to consider investing in these tools to help them comply with the new requirements.

Anecdotally, industry readiness is high. Firms have had years to prepare, and the various supervisory authorities responsible for the implementation have been proactive in providing education and resources to ensure all participants understand the requirements. However, as is the case with any big change, I expect there to be some bumps along the road and it will inevitably take the industry a bit of time to fully adapt.

Arnaud Malardé, Smart Procurement Expert at Ivalua

Until now, many procurement teams might have mistakenly viewed compliance with the regulation as solely an IT responsibility – but this Friday will act as a serious wake up call for many organisations. The fact is that procurement plays a crucial role in managing the third-party risks at the heart of digital operational resilience. Without robust supplier oversight, organisations risk non-compliance that can result in crippling fines, legal liabilities, and exclusion from markets they rely on.

To play catch up and overcome these challenges, organisations must urgently embrace procurement digitalisation. For example, cloud-based Source-to-Pay platforms create a centralised repository for contracts, DORA-specific reporting, and supplier data, allowing for real-time risk monitoring and automated compliance tracking. By embedding resilience into procurement strategies, businesses will not only meet DORA’s demands, but also strengthen supply chains, mitigate cyber risks, and unlock long-term competitive advantages.

Nathaniel Lalone, Financial Markets and Funds partner, Katten Muchin Rosenman UK LLP

As with most major regulatory implementation deadlines, we all seem to be fumbling towards the finish line. DORA introduces very specific and prescriptive requirements and has lots of moving pieces, but we have seen two key compliance challenges.

First, in terms of updating contracts, there is a “battle of the forms” between financial entities, who want all their services providers to use their standard form of agreement, and service providers, who want all their financial entities to use their own standard form of agreement. The question is: who has the stronger negotiating power and who blinks first?

Second, the compliance burden ratchets up for service providers supporting “critical or important” functions, and there’s some push-and-pull between financial entities and their service providers over the proper criteria and process to use when making that decision. This leaves open the risk that some providers of a given service are designated by their financial entities as supporting “critical or important” functions and subject to heightened obligations, whereas providers of a nearly identical service are not. That seems inequitable and it’s not clear how to solve for those discrepancies with the rules as they currently stand. Alongside these challenges, the ongoing DORA obligations remain with firms grappling to integrate compliance with existing requirements and internal systems, while managing resourcing constraints.

Chris Erven, CEO and co-founder, KETS Quantum Security

With the DORA deadline looming large on financial businesses, and two fifths set to miss it, the question is whether the regulations are fit for purpose.

One of the key requirements of DORA is to ‘ensure the security of the means of transfer of data’, and those not considering quantum computers will have no means of protecting their information until they do. 

The tech industry seems convinced quantum computers are a decade away or more. This is an incredibly risky assumption. A cryptographically relevant quantum computer will come online in the next five years. The only question is which country will develop one first. Whoever creates a functional quantum computer will inevitably target financial institutions as one of the most critical sectors, so those taking DORA seriously must consider the threat now.

Encryption is the cornerstone of data security. Once the first quantum computer is live, traditional encryption algorithms will become redundant, allowing cyber attackers free access to data once assumed secure, including any information sent and saved up until that point.

There are new hardware solutions, like quantum key distribution, that can keep us safe however. The main advantage of QKD is that it provides a level of security that is based on the laws of physics, rather than computational complexity. This makes it an attractive solution for applications where high security is critical.

Cybersecurity is at a crossroads. There are those protecting against existing threats, and those that are preparing for the potential danger of a quantum computer. We know a quantum computer will be capable of breaking all traditional cyber defences we currently use, so some are actively harvesting financial data now, to decrypt later. Any financial institutions that are taking DORA seriously need to also act immediately to protect against the threat of quantum computers.

Anna Carrier, Senior Government and Regulatory Affairs Advisor, Norton Rose Fulbright

DORA becomes applicable on 17 January 2025, two years after its official adoption. It means European financial entities will now face a large number of new requirements for the management of ICT risks, including any risks stemming from third-party agreements.

The scope of DORA is very broad: it applies to all types of European financial entities, with very limited exemptions for only the smallest institutions. It will also capture some of the biggest unregulated ICT third-party service providers, which is a novelty in European law.

DORA puts a heavy compliance burden on the businesses affected. Most will have to review and update their internal governance arrangements, and documentation, as well as assess any contractual arrangements with external ICT suppliers and uplift contract terms to reflect the new DORA requirements.

To complicate things, some of the secondary legislation is not ready yet and part of the eagerly awaited Q&A guidance is also pending. Despite this, there is no transition period and in-scope entities are now expected to be ready to report ICT-related incidents in line with the DORA rules. They will also need to submit their duly completed registers of information on third-party contractual arrangements in early Q1 to their competent authorities.

Richard Lindsay, Principal Advisory Consultant at Orange Cyberdefense

Frankly, the regulatory landscape in the EU is heavily congested right now, with several overlapping standards and laws, with more in the pipeline. Remember, only three months ago, another significant EU regulation, the Network and Information Systems Directive 2 (NIS2), took effect. This persistent need to address broader compliance demands with similar requirements might explain why nine in ten UK financial services CISOs felt optimistic about their organisation’s preparedness ahead of the DORA deadline. In reality, however, a little less than half (43%) of respondents will miss that deadline, with 20% expecting to do so by at least three months.

‘DORA will significantly enhance digital resilience’

With so much to navigate, it was almost inevitable that many firms would struggle with meeting initial compliance deadlines. However, at the very least, CISOs recognise that, despite the initial headaches, DORA will significantly enhance digital resilience across the EU business ecosystem.

Remaining non-compliant is likely to have severe ramifications. Firstly, the financial services industry is an attractive target for bad actors, and the likelihood of breach has never been higher. Secondly, DORA is not toothless – fines of up to 1% of worldwide daily turnover and over €1m for individual senior leadership are significant and can certainly be used by IT and security leaders to reiterate the importance of cybersecurity and compliance to the board.

All in all, DORA doesn’t mandate anything by way of revolutionary requirements. Most can be addressed by investing in comprehensive cyber risk assessments, integrated incident reporting, cyber resilience testing and cross-framework governance. However, amid the tangle of new regulations, it’s understandable that many firms are taking a more reactive approach to compliance requirements once the threat of reprisals becomes tangible.

Eduardo Crespo, VP EMEA, PagerDuty

The implementation of the Digital Operational Resilience Act (DORA) in the EU this January 2025 will stress test the resilience of the financial services sector as a whole, helping to improve operations in the long term by protecting consumers and preserving market integrity. With an increased reliance on digitalised financial and banking services, customers require assurance that their money, assets and transactions are in safe hands. This is why providers in this space need to prevent, adapt to, respond to, recover from and learn from operational disruptions.

In the wake of global outage incidents in 2024, which on average cost companies over $800,000 per major incident, disruptions remain a critical concern for IT and business executives. Our recent research highlights that 88% of executives in the EU and UK expect another major incident will occur in the next 12 months. In the context of this wake-up call, the ever-growing interconnected nature of systems, and the pressing need to safeguard financial data and customer trust, this regulation provides welcome control for the market.

With DORA, financial services have to develop operational resilience at scale, comply with rigorous audits and reporting, and ultimately be accountable for the services they provide. As such, firms must respond to negative disruptions, like easy access on mobile apps for online banking customers, or uptime of trading platforms for securities trades, communications and ATM availability. Given the complexity and wide-spanning requirements, FS firms ought to rely on technology and automation to empower their employees and operations to be compliant.

What’s key to remember now is that time is of the essence. The implementation of DORA in the EU on 17 January will be followed closely by the UK on 31 March. It is now critical for FS leaders to work alongside trusted IT partners with AI and AIOps capabilities, to reduce or avoid the impact of an outage and accelerate the time to restore normal service.

Marios Joannou, Head of Digital Risk and Privacy, payabl.

DORA signals the end of the “move fast and break things” fintech era

In many ways, DORA is a step by regulators to address the vulnerabilities exposed by the rapid innovation of fintech.

It signals the end of the “move fast and break things” era that accelerated growth but often left critical resilience gaps, exposing institutions and markets to significant operational risks.

While it may look cyber security oriented, the reality is that DORA addresses a wide range of risks. These include service availability, business insolvency, and hostile takeover as the framework seeks to balance the need for innovation with sustainable growth.

DORA is the right step to improve resilience but it has placed a significant burden on fintechs. The high compliance costs and heightened scrutiny of third-party providers demand significant resources, which may be challenging – especially for start-ups and scale-ups.

For larger, multinational institutions like payabl., the harmonisation of resilience rules between the UK and the EU reduces the need to navigate divergent frameworks. At the same time, dual compliance frameworks still create significant operational obstacles.

Although it has presented an enormous challenge for the industry, it is a necessary growing pain as the industry matures and shifts its focus toward long-term stability.

Adam Preis, Director, Ping Identity

Brittle legacy identity access management (IAM) represents one of the most significant hurdles to achieving DORA compliance. These outdated solutions increase the risk of unauthorised access, customer lockouts, or service disruptions – issues that can disrupt critical operations, affect millions of customers and irrevocably damage trust.

As DORA comes into effect, firms should prioritise transitioning to converged IAM solutions to establish identity and access security as a linchpin of digital operational resilience. These systems embed advanced threat detection, real-time monitoring tools and failover mechanisms, all of which align with DORA’s emphasis on transparency and rapid response.

DORA isn’t just about avoiding fines; it’s about ensuring trust in firms’ digital operations and safeguarding their reputations.

James Hughes, VP of Solutions Engineering and Enterprise CTO, Rubrik

Given the increasing threat of ransomware and third-party compromise, the implementation of regulations is required and expensive. Understanding what data is the most critical, where that data lives, and who has access to it is essential to identifying, assessing, and mitigating ICT risks. If good hygiene practices like these are not followed, organisations can now receive fines from the Financial Conduct Authority (FCA).

There is a critical gap between board-level understanding and reality. While regulators are increasingly stringent, many CISOs feel their budgets don’t adequately reflect the board’s commitment to compliance. This disconnect jeopardises not only organisations’ security posture but also their ability to meet evolving regulatory demands.

Mitun Zavery, Vice President of Solution Architecture at Sonatype

If GDPR taught us anything, it was that last-minute compliance efforts lead to headaches and half-measures. As the Digital Operational Resilience Act (DORA) comes into force this week, we may see that same scramble to tick the compliance box as we did when GDPR came into force in 2018.

Like many EU laws, UK companies may be pulled into scope as the Act extends beyond European financial institutions and deep into their software supply chains. This is a big problem for UK businesses whose European customers fall under the regulation’s purview. The stern financial penalties for non-compliance are enough motivation for EU financial institutions to tell partners, ‘If you aren’t compliant, we need someone who is.’

Rather than a burden, UK organisations should see DORA as an opportunity to streamline systems and processes by leveraging automation, reinforcing their software supply chains, and adopting a proactive approach to risk mitigation and vulnerability management. If DORA becomes like GDPR, then prioritising compliance now will open doors as forms of this standard are adopted in the UK.

Ev Kontsevoy, CEO, Teleport

The journey to achieving compliance with DORA will surely be long and challenging for the financial services sector. For instance, the first pillar of DORA pertaining to risk management concerning Information and Communication Technology (ICT) will see financial institutions having to rework their risk management from reactive to proactive.

Unfortunately, many financial institutions still struggle to gain visibility into their IT and infrastructure environments. The consequences for lagging behind on infrastructure access security are substantial. Our research found that security novices experienced 42% higher compliance costs than companies that performed well in their security efforts.

Visibility into infrastructure assets and associated access permissions is crucial to enforce ICT risk management policies and conduct ongoing risk assessments. In financial services, we’re talking about a significant volume of access relationships, spread across disparate systems. Without a centralised platform, organisations are unable to audit who has access to what. Enforcing policies that support compliance regulations becomes impossible.

Transforming access and security models will help financial services organisations both reduce their attack surface and streamline compliance. For example, enforcing just-in-time access depends on visibility into the minimum access needed for a user to do their job. Moving from standing privileges towards ephemeral, task-based access, coupled with secretless authentication, will enable financial institutions to reduce the risk of unauthorised access – a key principle of DORA. This approach eliminates the potential for credential misuse and provides the visibility that organisations need to achieve compliance.

Muneer Taskar, EMEA Growth, Teleport

The EU has always erred on the side of caution when regulating the financial services industry but there has been an uptick in the amount of regulation focused on the cybersecurity of financial institutions, whether it be NIS2, PSD2, DORA, etc. These regulatory frameworks are starting to overlap, which is shifting the compliance burden overwhelmingly onto cybersecurity and tech vendors.

Take DORA and NIS2, for example, which both outline rules for cyber risk management and governance. Whereas DORA leaves no room for interpretation at member-state level, NIS2 allows each member state to develop rules at their own discretion. There is no clear guidance on how financial institutions should resolve these discrepancies. This likely means that financial institutions will turn to vendors who can help them navigate these challenges with robust security solutions that are ‘out-of-the-box compliant’ with those disparate regulatory frameworks. The vendors that step up to this challenge will help establish mutually beneficial relationships with financial institutions that need to meet these regulations.

Lee Wright, Senior Security Consultant, tmc3

DORA is set to shake up the financial services industry, making firms even more accountable for improving their security maturity to ensure they can weather the storm of cyberattacks and IT disruptions. In our connected age, digital resilience is a business-critical priority – just look at the now infamous CrowdStrike outage which impacted banks and payments systems and brought the need for resilience back up the global agenda.

But building resilience is more than just box ticking. It’s about proving to clients, partners, and regulators that your organisation takes security seriously. Although DORA has gone through a lengthy approval process, the reality is only hitting home now about the huge task at hand. DORA zeroes in on security maturity, requiring organisations to demonstrate robust processes and practices, rather than just meeting baseline standards. This shifts the narrative from compliance to a deeper commitment to operational resilience.

A continuous process – not a one-off project

Environments shift; new technologies, users and systems are added daily. The only way to build resilience is by having a strong and adaptable security foundation. If a business doesn’t understand which users are accessing what systems and why, or what controls they have in place, or where their most critical assets are, they’re never going to be able to deliver a good security framework.

With DORA, these fundamentals are recognised, and by adhering to its framework, businesses are better positioned to respond effectively to any incidents. Armed with the right documentation and processes, organisations can prove to customers and regulators they took all reasonable steps to prevent a breach.

Fadl Mantash, Chief Information Security Officer, Tribe Payments

Today marks the official arrival of the Digital Operational Resilience Act (DORA), a date that has been circled in the calendars of EU financial institutions for two years. Whether firms are making final adjustments or racing to address outstanding gaps, the focus must now be on ensuring their compliance strategies are robust enough to withstand future challenges.

Recent disruptions like the CrowdStrike outage and increasingly complex cyberattacks are stark reminders of the risks embedded in our digital infrastructures. To protect against them, DORA compels firms to go beyond superficial defences and confront vulnerabilities at their core – scrutinising systems, dependencies, and supply chains with renewed intensity. Key to its success, DORA emphasises harmonisation, ensuring that third-party partnerships don’t become weak links. This is a key move for payments firms, whose reputations hinge on delivering uninterrupted, secure services.

In my opinion, seeing DORA as more than a compliance checkbox is what will separate the leaders from the laggards. Proactive resilience testing, agile incident response, and closer collaboration with regulators and ICT providers will take compliance to the next level – building trust, safeguarding operations, and setting the stage for a stronger financial ecosystem.

Paulo Rodriguez, Head of International, Vanta

With the cyber threat landscape rapidly evolving, the final 17 January compliance date for DORA promises to improve digital resilience within the EU. The regulation introduced a robust framework to support financial institutions in their efforts to withstand, respond to and recover from cyber threats and other disruptions. However, many financial institutions are facing challenges adapting to the new regulations.

This shouldn’t come as a surprise. GDPR, the EU’s other great effort to improve digital resilience, was introduced six years ago and businesses are still struggling to grapple with the regulation to this day. Achieving and maintaining compliance demands a significant overhaul of business practices, as well as resource-heavy monitoring and auditing. No doubt DORA is leaving financial institutions and their third-party vendors facing similar headwinds.

For those still to get in line with the new framework, there may yet be a saving grace. AI has proven particularly effective at automating manual tasks and could be the perfect companion for security teams dealing with DORA. The technology has the potential to make achieving and maintaining compliance a far more straightforward task for financial institutions, ensuring greater digital resilience.

Andre Troskie, EMEA Field CISO, Veeam

Unlike other sectors that also have to comply with NIS2, the financial service industry is no stranger to stringent regulation. These organisations have worked hard on their data resilience and cybersecurity strategies. So, while they have an additional regulation to comply with in DORA, the gap between where they are now and where they need to be should be manageable, at least with their internal operations.

It’s a whole other ball game when it comes to third-party service providers and the wider supply chain. It doesn’t matter how ahead of the game you are internally, if you can’t guarantee the compliance of your relevant partners, you’ll struggle with demonstrating compliance, resulting in potential fines or other negative repercussions.

At a minimum, organisations need to ensure that third parties implement robust risk management processes. As part of this, organisations need to require the renegotiation of all third-party service level agreements (SLAs) to cement DORA compliance as an essential prerequisite for work. Although time-consuming, organisations can’t afford to underestimate the importance of securing third-party compliance.