The Digital Operational Resilience Act (DORA) is poised to transform the financial sector, addressing a reality that can no longer be ignored in today’s technology-driven economy. As financial services deepen their reliance on interconnected digital ecosystems, sophisticated cyberthreats have positioned regulations like DORA as essential.
Although the UK has exited the EU, the implications of DORA are set to resonate within its financial sector – and more broadly into IT and cybersecurity businesses. DORA therefore presents both a challenge and an opportunity to align with global best practices, safeguard operations, and build trust in an interconnected digital world.
Director of Cyber Operations at Bitdefender.
Why DORA Matters in the Digital Era
DORA is more than a compliance mandate; it’s a framework for operational resilience tailored to address modern threats. By introducing unified standards, DORA seeks to mitigate IT risks and ensure financial stability across the EU’s financial ecosystem and its third-party providers.
It isn’t just a compliance box to tick. The act’s objectives are clear: to reinforce operational resilience across financial entities, address cybersecurity risks proactively, and unify risk management approaches across the EU. This vision comes against a backdrop of increasingly frequent and severe cyber incidents that have demonstrated how unprepared many organizations are when disruptions strike.
The fallout from recent ransomware attacks on financial institutions and third-party providers across the UK highlights the urgent need for a coordinated, industry-wide approach to resilience. By closing regulatory gaps, DORA ensures that the financial sector can withstand and recover from digital disruptions.
The Building Blocks of Resilience
DORA provides financial institutions with a blueprint for building robust digital resilience. Its provisions ensure financial institutions establish comprehensive strategies that integrate risk management practices into their core operations. Boards are also now directly accountable for ensuring resilience measures are effectively implemented and continuously monitored.
The regulation also impacts incident reporting, with transparency positioned as a leading principle behind the regulation. Firms are required to report significant IT incidents to regulators promptly, allowing authorities to assess systemic risks and coordinate rapid responses to minimize wider disruptions.
As the reliance on external Information and Communication Technology (ICT) service providers is growing, DORA also mandates financial institutions to ensure any third-party vendors meet stringent resilience standards. This accountability extends to conducting due diligence and implementing contractual requirements to enforce compliance.
Finally, DORA imposes regular, threat-led testing to help ensure systems withstand and recover from cyber disruptions. This provides a clear picture of vulnerabilities and prompts an informed approach to what is required to ensure corrective measures are applied in a timely manner. Where organizations do not hold the necessary internal skillsets, they need to seek support from a reputable third-party organization that holds specific certifications such as ISO27001, SOC2, as well as CREST.
Additionally, leveraging outsourced support for services, such as Managed Detection and Response (MDR), can help ensure compliance with DORA regulations by providing 24×7 monitoring, threat detection, and incident response capabilities, without the need to hire, train and retain skilled personnel.
This unified approach, outlined under DORA regulations, ensures consistency in resilience measures across member states and creates a level playing field for organizations operating in multiple jurisdictions and fostering stronger collective defense. As such, organizations are able to move beyond reactive strategies to proactive resilience.
What DORA Means for UK Businesses
While DORA directly applies to EU members, its ripple effects are undeniable for UK businesses. Any UK-based organization providing services as part of the supply chain to the financial sector in Europe must comply with these regulations.
Beyond regulatory necessity, DORA represents an opportunity for UK businesses to adopt global best practices to boost operational resilience, enhance stakeholder trust, and position organizations as leaders in cybersecurity.
For fintech companies in particular, DORA’s emphasis on resilience unlocks scalability whilst preserving a sense of agility.
By integrating resilience measures early, firms can confidently expand their digital offerings without compromising security. For larger financial institutions, leveraging DORA as a framework to reimagine their risk management strategies ensures innovation and security are prioritized.
With increased scrutiny, vendors will be required to meet stringent resilience standards. For UK businesses, this means more upfront effort in evaluating and monitoring their partners. While it may strain some relationships, it also provides an opportunity to build trust through more robust and transparent partnerships.
Challenges in the Road Towards Resilience
Implementing DORA’s principles doesn’t come without its challenges and financial constraints represent a significant hurdle. Integrating new systems, conducting regular testing, and enforcing third-party compliance often requires considerable investment. These compliance costs can become a barrier, particularly for organizations with limited resources.
Balancing DORA with existing regulations, such as GDPR, adds another layer of complexity, as incident reporting mandates under DORA may conflict with GDPR’s strict data protection requirements, requiring careful coordination to maintain compliance with both frameworks.
Furthermore, third-party oversight presents a logistical challenge. Organizations must ensure that vendors comply with resilience standards, which may strain partnerships or result in difficult decisions about retaining non-compliant providers.
Finally, cultural resistance to change within organizations delays the adoption of mandated testing and reporting practices.
Developing the necessary structures to support resilience requires strong leadership and sustained commitment, which can take months or even years to fully implement.
A clear compliance roadmap, strategic investment in automation and outsourced expertise support, help to mitigate these challenges.
Businesses should prioritize vendors that demonstrate a commitment to resilience through certifications like ISO 27001 or SOC 2, or where possible, performing detailed assessments against DORA itself. Additionally, evaluate vendors’ ability to recover quickly from disruptions, including their use of redundant systems, secure backup practices, and real-time monitoring and response capabilities.
Broader Industry Impacts
The knock-on effects of DORA will reshape how industries approach resilience. For banks and financial services, governance frameworks will need to evolve to meet DORA’s rigorous standards. Specifically, when looking at fintech firms seeking to adopt DORA, it not only builds resilience but creates a competitive edge by fostering trust with clients and partners.
For tech vendors, like ICT providers working in conjunction with the financial services sector, the emphasis on third-party compliance will redefine existing relationships with a renewed focus on driving demand for resilient, secure services.
Turning DORA’s challenges into opportunities requires strategic action and gives businesses the opportunity to review their current systems and identify vulnerabilities and gaps in resilience measures. This includes assessing the preparedness of third-party providers and supply chain partners. It also provides the chance for improved collaboration with third-party providers to ensure their systems meet resilience standards, with the transparency of these partnerships poised to strengthen the entire ecosystem.
Resilience begins with robust defenses and businesses should perform a gap assessment against all requirements within DORA to understand where the gaps exist. Key activities they should conduct include threat-led testing, resilience driven simulations, and the development of advanced incident response frameworks to stay ahead of evolving threats. Furthermore, an open dialogue with local regulators ensures that businesses maintain a lead on compliance requirements and understand how DORA aligns with existing frameworks.
Turning DORA Compliance into a Competitive Advantage
To turn DORA’s challenges into opportunities, UK businesses should take the following steps:
- Audit and Assess: Conduct a thorough review of existing systems to identify and address DORA requirement gaps.
- Collaborate with Regulators: Engage with UK authorities to ensure alignment with interpretations of DORA’s principles.
- Prioritize Vendor Resilience: Work closely with third-party providers to guarantee compliance and build transparent partnerships.
- Invest in Cybersecurity: Strengthen defenses through threat-led testing, simulations, and advanced incident response frameworks.
DORA sets a high bar for operational resilience, but it is as much about opportunity as it is about regulation. For businesses in the UK adopting DORA’s framework, there is a chance to lead in resilience efforts, secure stakeholder trust, and thrive in an increasingly digital economy. By embracing these changes now, organizations have the chance to future-proof their operations, mitigate risks, and gain a competitive edge in the global financial ecosystem.
We list the best internet security suites.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
