DORA: Is Your Organization Ready for Digital Resilience Demands?

DORA Compliance: A Strategic Imperative for Enhancing Digital Resilience

In the fast-paced world of financial services, compliance with the Digital Operational Resilience Act (DORA) is no longer just an option, but a paramount strategic necessity. DORA, officially known as "Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector," is a comprehensive regulatory framework aimed at strengthening the security of information and communication technology (ICT) and the operational resilience of financial entities both within and outside the European Union. Six months after its entry into force last January (with the actual application date being January 17, 2025), research has revealed that 96% of financial services institutions in Europe, the Middle East, and Africa (EMEA) are still striving to improve their resilience to meet DORA's stringent requirements.

DORA focuses on three main pillars to enhance digital operational resilience: incident reporting, third-party risk management, and resilience testing. However, these institutions face significant challenges in achieving full compliance with these critical requirements.

One of the most prominent challenges is the increasing pressure on IT and security teams, with 41% of institutions reporting that this pressure poses a significant barrier to DORA compliance. The cybersecurity sector, in general, has suffered from stress and burnout due to the high-pressure, fast-paced nature of the work. However, this issue can be mitigated by adopting a more holistic approach. Instead of treating DORA as an additional project, organizations should integrate its requirements into a broader data resilience plan, utilizing data resilience maturity models (DRMM). This approach not only reduces immediate pressure on teams but also leads to overall improvement in data resilience and enhanced cybersecurity.

The Challenge of Testing and Operational Resilience

Infographic: 24% have no data recovery tests; 23% have no operational resilience tests; 53% have completed other tests or faced other challenges.

Operationally, the biggest technical point of contention in DORA has centered on testing. Nearly a quarter (24%) of financial institutions in the EMEA region have not established data recovery and business continuity tests, and 23% have not yet conducted digital operational resilience tests. With the increasing prevalence of security breaches, institutions cannot postpone testing any longer. There is no point in implementing new measures if their first use occurs during an incident, where they may fail when most needed. DORA mandates rigorous operational resilience testing, including threat-led penetration testing (TLPT), to ensure financial institutions can proactively and effectively identify and address security vulnerabilities (Source: IBM, Published: July 29, 2025).

The Importance of Testing in Enhancing Data Resilience

Building a strong cybersecurity culture

Long-term risk management

Ensuring business continuity

Protecting institutional reputation

Conducting the first test can be daunting, fearing what weaknesses it might reveal, but it is often the best starting point for addressing data resilience. Not only does DORA mandate this, but it also enhances resilience beyond other regulatory requirements, contributing to building a strong cybersecurity culture and long-term risk management, which benefits business continuity and protects the institution's reputation.

Challenges of Third-Party Oversight and DORA Requirements

Challenges and Solutions for Third-Party Oversight

Complexity of third-party networks (average of 88 partners)

Difficulty in uniformly tracking and assessing security risks

Demanding shared responsibility models

Renegotiating Service Level Agreements (SLAs)

One of the most perplexing requirements in DORA has been third-party oversight. More than a third (34%) of institutions described this as "the most difficult to implement," and 20% have not yet been able to do so. This is because most institutions simply underestimated the scope of their third-party networks. While a single institution works with an average of 88 third-party partners, the number of network connections rapidly spirals out of control. Key challenges in managing third-party risks under DORA include the difficulty of tracking all third-party service providers, uniformly assessing their security risks, and ensuring compliance with DORA standards across the entire digital supply chain (Source: Entrust).

Previously, financial institutions might have been content to rely on external vendors offering "black box" solutions, but DORA demands a deeper investigation. Institutions might have previously relied on solutions that assumed resilience was built-in, while in reality, they were vulnerable. Now, financial services institutions are required to delve deeper, demanding shared responsibility models that define the security responsibilities of each party in the partnership to ensure comprehensive digital operational resilience.

There is no easy solution to this problem. Financial services institutions across the EU will need to renegotiate Service Level Agreements (SLAs) with all third-party partners. This is no easy task and will require the involvement of security, risk, management, and legal teams to achieve, but it is a fundamental part of improving data resilience and securing sensitive digital supply chains.

Building Trust and Comprehensive Resilience for DORA Compliance

DORA Starting Point: Use the regulation as a wake-up call to assess current capabilities.

Asking Tough Questions: Evaluate the resilience of the institution and its supplier networks.

Rigorous and Continuous Testing: Uncovering and addressing unique vulnerabilities.

Results: Building stronger trust in data resilience and financial sector stability.

Financial services institutions in the EMEA region cannot build confidence in data resilience overnight. The path will be long, and there are likely to be some obstacles. However, if they start working now and adopt a holistic approach to data resilience instead of a "regulation-by-regulation" approach, their teams and data resilience will receive a significant boost, ensuring DORA compliance and contributing to a more secure digital financial future.

Instead of postponing it for another day, institutions should ask tough questions about their resilience today. By using DORA as a starting point and a wake-up call, they can assess their own capabilities as well as those of their third-party supplier networks. No matter how much advice they receive, they will not be able to address their unique data resilience vulnerabilities until they know what they are, and this can only be revealed through rigorous and continuous testing.

This may shake an institution's confidence in the short term, as many have already discovered. But if the right action is taken, in the long term, it will build stronger trust than ever in data resilience, both regarding DORA and beyond, enhancing stability and security in the financial sector.
