23 May 2025

Jonathan Evans on DORA: Real-World Impact in the EU's Financial Sector

The Digital Operational Resilience Act (DORA) has now been in effect since January 17, 2025, marking a significant transformation in how financial institutions approach operational resilience across the European Union.

After several months of implementation, financial firms have faced both expected and unforeseen challenges in their compliance with this new regulation.

Jonathan Evans, Founder of IT Security Locksmith and former Head of Global IT Security at Rothschild & Co, reconnected with Dan Haagman, CEO of Chaleit, to discuss the real-world impact of DORA, key lessons learned, and practical advice for organisations still dealing with compliance challenges.

Read the key insights from their discussion below.

DORA's original purpose: A brief recap

DORA was designed to ensure the digital operational resilience of the EU financial system against various technological threats and vulnerabilities.

The Digital Operational Resilience Act emerged in response to the increased reliance on technology within the financial services sector, coupled with the growing interconnectedness of these technologies.

EU regulators were concerned about the potential for a cascade effect, where a resilience issue affecting one bank could propagate to impact more financial services, ultimately undermining the stability of European financial markets.

Regulators were also wary of concentration risk, where numerous financial institutions use the same third-party service, potentially leading to simultaneous disruptions across multiple organisations.

Key challenges and insights of DORA’s implementation

The implementation of DORA has revealed specific challenges depending on the institution's size and complexity.

For larger organisations, the precision required for the Register of Information demands exceptional attention to detail. Jonathan notes that "the act is very precise about the format the information needs to be in. The European Supervisory Authorities (ESAs) have provided a lot of guidance and even some tools to ensure data quality and integrity. Still, compiling and maintaining the Register of Information requires focus, precision and attention to detail."

Smaller entities face a different hurdle entirely: they struggle to define their contractual cyber security needs. Some simply demand compliance with the Act, while others perform thorough ICT risk assessments to articulate specific requirements. This gap highlights a lack of in-house cyber and ICT expertise among these firms.

Regulatory enforcement approach

"The regulators are starting to gear up. You can see they are in hiring mode with the high-level hires already in position," Jonathan observes.

The designation of Critical ICT Third-Party Providers (CTPPs), expected by year-end, marks a serious effort to improve digital resilience through continuous enforcement, Jonathan explains, adding that "this isn't GDPR; it's financial regulation, implying ongoing oversight that will either mandate improvements or impose fines."

He highlights an important distinction between organisations accustomed to regulation and those encountering it for the first time: while large CTPPs are accustomed to regulation, this will be a challenging learning process for newly designated CTPPs.

Gaps in the regulatory framework

Despite DORA's comprehensive approach, implementation has revealed some gaps that weren't apparent during the planning phase: "While we're big fans of the act's high bar for digital resilience, a crucial oversight affects ICT Third Party Providers (TPPs) not designated as Critical (CTPP) by an ESA. For these TPPs, the contract is paramount. If the financial entity fails its duties, the contract won't be fit for purpose." 

He elaborates that financial entities often simply tell TPPs to comply with the act. However, a TPP might be compliant from their perspective, while the financial entity isn't, because it hasn't clearly defined what the TPP must do to ensure the financial entity's compliance.

Jonathan hopes that "the ESAs will provide more support to smaller financial entities that are struggling — they need help and not inflict punitive measures."

Implications for service providers

DORA extends regulatory oversight beyond financial institutions to include third-party service providers, ensuring they meet specific operational resilience standards if they support financial services within the EU. 

Third-party service providers are expected to enhance operational resilience and align with DORA’s requirements to continue supporting financial services. This shift requires these providers to adapt and improve their resilience measures in line with regulatory expectations.

Providers outside the EU are also subject to DORA compliance if they wish to maintain business relationships with EU financial institutions. Although penalties may not directly apply, compliance is necessary to sustain commercial relationships.

Third-party risk management in practice

One of the central components of DORA is the management of third-party risks, which presents particular challenges for organisations operating across multiple jurisdictions.

"The only question that tends to arise in this space is how do we comply with the various regulatory requirements in two or more jurisdictions and specifically the overlap between DORA and the FCA/PRA requirements when it comes to digital resilience," Jonathan explains. "For firms that have multiple regulators, aligning your internal controls to the more stringent obligation is standard operating procedure but still requires assessment, alignment and coordination of activities."

He also offers advice on managing relationships with regulators:

"In my experience, regulators are straightforward to interact with, it takes respect, dialogue and attention to detail — if any of these are missing, you will have challenges. So keep in constant contact with your regulators and keep talking to eliminate surprises. Attend their briefing sessions, follow them on social media and keep up to date with their activities and their issues."

Effective testing methodologies

When it comes to meeting DORA's threat-led penetration testing requirements, Jonathan recommends a progressive approach.

"My advice would be to expand any penetration testing activities to include purple team testing. This will give your cyber defenders (blue team) the opportunity to tune their systems (with the red team) to detect attacks better than they currently do," he advises.

"If you go straight to a TLPT or red team exercise, the defenders may get overrun and demoralised. Better to build capabilities and confidence before raising the bar — that way, they grow even stronger after the TLPT, which is the purpose of the exercise. Don't set up your team to fail - help them to succeed!"

For effective defence, Jonathan highlights two critical areas:

"Clearly, a SOC identifying attacks is critical, so it's essential that the Service Level Agreement for this is suitably aggressive and tuned. Another key area is network segmentation — this might be difficult or costly in terms of support, but it's highly effective at slowing or stopping an attack in its tracks."

Measuring DORA's effectiveness

Assessing the impact of DORA in its early stages presents challenges similar to other preventative measures.

"It's a bit like demonstrating the worth of house insurance. It only demonstrates its true worth when your house burns down," Jonathan says. "It's much too early to assess its impact. We need to go through a number of iterations of oversight by the lead overseer and allow the financial entities’ audit teams to report to their respective boards."

He envisions a positive long-term outcome:

"This, I suspect, will lead to an increase in the perceived ICT Risk, which in turn should result in more controls, more oversight and more testing. In time, this should result in an enhanced level of digital resilience for the financial services system as a whole."

Practical advice for DORA implementation

For organisations still working toward DORA compliance, Jonathan offers advice based on organisation size and significance.

"If you're a systemic or significant financial entity, ensure you perform a regular GAP analysis against DORA and the supporting documents as evidence. The 2nd line of defence undertakes this," he recommends. "The 3rd line of defence should audit the results as part of the audit plan, signed off and authorised by the Management Body as required by the act. All that sounds easy, but even the GAP analysis will take two months or longer to complete, even for a modest-sized firm."

Small financial entities and ICT TPPs supporting critical functions must nail the basics: implement robust ICT Governance and Internal Control Frameworks, ICT Risk Management, Internal Control Policies, Digital Resilience Testing, ICT Third-Party Management, Reporting, and cybersecurity awareness and digital resilience training.

Risk perception and accountability issues

Jonathan has observed a fundamental misalignment in how risk is perceived between financial entities and their service providers.

"Some ICT Third-party Providers perceive the risk they run as being that of their client. This means that controls are not commensurate with the ICT risk. Equally, some financial entities see the risk as being that of the ICT TPP," he points out. "DORA has changed that and clearly articulates and reaffirms that it's the Financial Entities' ICT risk — some firms have not reacted yet!"

This disconnect creates a dangerous gap in risk management that DORA specifically aims to address. Jonathan believes regulators could better support this transition: "I would like to see the regulators providing some seminars on this in clear and simple language with some practical examples of contractual clauses."

The new regulation also demands clarity around ownership and accountability, which creates significant organisational friction.

"Both financial entities and ICT TPPs should not underestimate how much time will be taken to work out and agree on who is responsible for what," warns Jonathan. "DORA demands clarity in this area, so you should expect some tough discussions with managers and staff who will not want to be accountable."

Evolution of DORA

Jonathan believes DORA's implementation is still in its early stages, with significant developments yet to come.

"It's a steep learning curve not just for the financial entities and their ICT TPPs but also the European Supervisory Authorities (ESAs), the National Competent Authorities (all 27 of them) and others, including the European Union Agency for Cybersecurity (ENISA). It will take at least 2 years until all the different players work out efficient ways of working to get things done."

He predicts long-term industry shifts where "it will become more difficult and costly to be an ICT TPP for financial entities, raising the entry bar. I expect commensurate increases in cyber security and digital resilience capabilities, likely driving ICT TPP mergers or takeovers. Firms will seek economies of scale to afford dedicated staff and meet new regulations."

He concludes with a reminder of what's at stake:

"Cyber security and digital operational resilience are part of doing business today for financial entities and their ICT TPPs — the costs will not break the bank, but a major ICT incident might!"

As intended, DORA significantly improves the EU financial sector's digital resilience by requiring proactive risk management, strong operational controls, and rigorous testing.
