CXO Insight Middle East

DORA: Six months into a resilience revolution

by CXO Staff
September 17, 2025
in Opinions

Six months on from DORA’s implementation, James Hughes, VP of Solutions Engineering and Enterprise CTO, Rubrik, discusses the impact the broad, sweeping regulation has had on the financial sector.

The journey to EMEA-wide financial services cybersecurity regulation, DORA (Digital Operational Resilience Act), underscored a fundamental truth: robust cybersecurity is no longer just an IT concern; it’s a core operational imperative.

There was a lot of discussion, planning, cost, and people management involved for all of those in the financial sector in bringing DORA into effect.

James Hughes, VP Solutions Engineering and Enterprise CTO, Rubrik

In January 2025, Rubrik Zero Lab’s research reported that the strains on businesses were not always obvious. In addition to costing nearly half (47 per cent) of businesses over a million euros, 79 per cent of employees reported an impact on mental health, and 58 per cent of CISOs reported increased stress.

It was no secret, though; the work in preparing a business for DORA was always going to be significant. DORA’s five pillars included ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing. That is a significant undertaking and expense for any business.

In the last six months, financial institutions have had to pivot from preparing for DORA to actively integrating its requirements into their daily operations. The initial months have seen a strong emphasis on solidifying ICT risk management frameworks, ensuring they are comprehensive, well-documented, and continuously monitored. The tasks involve mapping critical ICT assets, identifying vulnerabilities, and establishing clear risk appetite statements.

A significant shift has been observed in incident reporting. Firms are currently facing the challenge of meeting strict requirements for classifying, notifying, and providing detailed reports on major ICT-related incidents to competent authorities within tight deadlines. These requirements have necessitated refining internal processes, improving monitoring tools, and establishing clear communication channels to ensure the timely and accurate flow of information.

Perhaps one of the most challenging areas has been digital operational resilience testing, particularly the highly prescriptive Threat-Led Penetration Testing (TLPT). While many firms had planned for these tests, the post-go-live period has seen the initiation and execution of complex simulations that mimic real-world attacks. These tests are not just about finding vulnerabilities but assessing the institution’s ability to withstand and recover from severe disruptions, pushing internal teams and third-party testers to their limits.

Last but not least, third-party risk management has moved from a siloed function to a central focus. DORA mandates that financial entities oversee the entire lifecycle of their reliance on critical ICT third-party providers, which includes meticulous due diligence, robust contractual arrangements, and ongoing monitoring of their third parties’ resilience. Many institutions have been reassessing their entire vendor landscape, identifying critical dependencies, and, in some cases, diversifying providers to mitigate concentration risk. The regulatory spotlight on critical third parties means firms are demanding greater transparency and assurance from their suppliers than ever before.

The breadth of the regulation has also meant that financial institutions have seen DORA touch almost every aspect of their businesses, from IT and cybersecurity to legal, compliance, risk, and even business operations. The human element is being felt in upskilling and training staff, expanding roles and responsibilities, and increasing workload.

Do you feel ready for when an attack does take place?

After the work is undertaken to help your organisation fall in line with DORA or other cybersecurity standards or regulations, the practical question to ask yourself is: ‘Do I feel resilient enough to bounce back from an attack and maintain business continuity in the wake of an attack?’

  • Putting the process in place helps, but have you road-tested it within your organisation?
  • Have you thought about every eventuality? Or at least pre-planned for those you can?
  • What new risks can you identify now that you have assessed the gaps and resolved your security ecosystem?

Inevitably, it’s not a case of if an attack will take place, but when. Working through regulations supports your journey to cyber resilience, but if the honesty, the practice and the continual testing fail, then so will your defence system.

What does the future look like for DORA? And what does this mean on an international stage?

The first thing to realise is that DORA is one of many cybersecurity regulations that have come into place in recent months and years. Six months after implementation is very early, and as organisational frameworks mature, businesses will continue to invest, improve and adapt their work to maintain what is in place.

Costs, while substantial, are viewed not as mere compliance burdens but as strategic investments. The financial and reputational damage from a major cyber incident—potentially reaching into the hundreds of millions or even billions of euros in a severe scenario, not to mention regulatory fines—far outweighs the upfront investment in DORA compliance.

DORA’s principles of robust ICT governance, rigorous testing, and vigilant third-party oversight will be critical for navigating the ever-evolving cyber threat landscape. By deeply embedding these practices into their operational DNA, financial institutions can not only meet regulatory obligations but also fortify their defences, ensuring business continuity and maintaining customer trust in an increasingly volatile digital age.
