The Digital Operational Resilience Act (DORA) came into effect on January 17, 2025. Financial services institutions (FSIs) across the EU must now fully comply with its stringent cybersecurity and operational resilience requirements. But achieving compliance is not just about meeting regulatory expectations. DORA represents a fundamental shift in how financial institutions approach digital security, ensuring they can withstand cyber threats, operational disruptions, and third-party vulnerabilities.

For firms that have already established a compliance framework, the focus now moves to long-term resilience and continuous improvement. For those still catching up, the urgency to close security gaps has never been greater. Failing to meet DORA’s requirements carries not only financial penalties but also the risk of operational restrictions and reputational damage. In this new era of cybersecurity regulation, FSIs must go beyond basic compliance measures and embed resilience into their core strategies.

Stephen McDermid

Chief Security Officer for EMEA at Okta.

A shift in cyber resilience thinking

For years, financial institutions have relied on traditional cybersecurity approaches, primarily focused on perimeter security to keep external attackers at bay. However, recent cyber incidents have made it clear that threats do not always come from outside an organization. Many damaging breaches have originated from within digital supply chains, through third-party vulnerabilities, or from internal weaknesses. In 2023, third-party attacks led to 29% of breaches with 75% of third-party breaches targeting the software and technology supply chain. This evolving threat landscape has forced financial institutions to rethink their approach. The future of cyber resilience isn’t about building higher walls – it’s about securing every layer, inside and out.


DORA mandates a resilience-first mindset, shifting the focus from prevention alone to a more comprehensive strategy that includes rapid response and recovery. It is no longer enough to defend against cyber threats; organizations must assume that breaches and disruptions will happen and ensure they can respond swiftly and effectively. This change means cybersecurity is no longer just the responsibility of IT management. It is now a board-level priority, requiring CFOs, CIOs, and risk officers to play a direct role in overseeing governance structures, risk assessments, incident response planning, and ongoing security monitoring.

The growing role of automation in compliance

With DORA now in full effect, financial institutions are also navigating additional regulatory frameworks such as the NIS2 Directive and the Cyber Resilience Act (CRA), both of which introduce further security and operational resilience requirements. The increasing complexity of compliance is prompting many organizations to turn to automation to streamline regulatory processes.

Okta’s 2024 Businesses at Work report found that data compliance tools were the fastest-growing category of applications, with 120% year-on-year growth. As firms seek to reduce the burden on their security teams while ensuring continuous adherence to evolving regulations, the rising popularity of these tools is unsurprising.

Automating security audits, compliance validation, and real-time threat detection allows financial institutions to maintain compliance efficiently while also enhancing their ability to identify and mitigate risks before they escalate into major incidents. In a landscape where regulatory expectations will only become stricter, automation is important for maintaining both security and operational efficiency.

Addressing digital supply chain risks

One of the most pressing concerns for financial institutions under DORA is the security of their digital supply chains. High-profile cyberattacks in recent years have demonstrated that vulnerabilities often originate not from within an organization’s own IT infrastructure, but through weaknesses in third-party service providers, cloud platforms, and outsourced IT partners. DORA places a strong emphasis on third-party risk management, making it clear that security responsibility extends beyond a firm’s immediate network.

Ensuring supply chain resilience requires a proactive and continuous approach. FSIs must conduct regular security assessments of all external vendors, ensuring that partners adhere to the same high standards of cybersecurity and risk management. It is no longer sufficient to perform security checks only at the beginning of a partnership; ongoing monitoring and real-world scenario testing are essential to ensure that contingency plans hold up under real conditions. The ability to anticipate and respond to emerging threats within the supply chain is critical to maintaining operational stability and regulatory compliance.

Navigating post-implementation compliance challenges

While many FSIs had operational resilience frameworks in place before DORA’s enforcement date, aligning these existing efforts with the regulation’s EU-wide supervisory structure presents new challenges. Firms that have not been closely following the consultation process may struggle to adapt to these additional requirements.

At this stage, financial institutions must prioritize regular compliance evaluations to ensure that their security frameworks remain aligned with DORA’s evolving mandates. Conducting a gap analysis is critical to identifying areas where improvements are needed. Engaging with regulators, industry bodies, and technology partners can provide valuable insights into best practices and common pitfalls. Additionally, collaboration within the financial sector will be essential, as firms can learn from each other’s experiences and share strategies for maintaining long-term compliance.

The cost of non-compliance

The consequences of failing to comply with DORA are severe. Regulators now have the authority to suspend business operations, issue cease-and-desist orders, and demand access to sensitive data for compliance reviews. For critical third-party service providers, non-compliance could result in financial penalties of up to 1% of their global daily turnover for up to six months – a staggering cost that could significantly impact business operations.

Beyond regulatory penalties, the reputational damage of non-compliance may be even more devastating. The financial sector operates on trust, and any failure to meet cybersecurity standards can lead to a rapid loss of confidence from both consumers and investors. A single security lapse or compliance failure can undermine an institution’s credibility, and once trust is lost, rebuilding it can take years. FSIs must recognize that compliance is not just about avoiding fines – it is about preserving their reputation and long-term viability in an increasingly digital financial ecosystem.

The role of identity security

One of the most effective ways to strengthen cybersecurity resilience under DORA is through identity and access management (IAM). Research indicates that 80% of cyberattacks originate from compromised credentials, making authentication and access control a top priority for financial institutions.

A robust IAM strategy involves implementing multi-factor authentication (MFA), enforcing least-privilege access policies, and continuously monitoring for credential-based threats. The adoption of a zero-trust security model, in which no user or system is trusted by default, further enhances security by ensuring that every access request is verified before permissions are granted. As cybercriminals continue to develop more sophisticated attack methods, securing user identities will remain a cornerstone of both regulatory compliance and overall cyber resilience.

An opportunity for long-term resilience

DORA has transformed the cybersecurity landscape for financial services firms. Compliance is no longer a one-time activity – it is an ongoing effort that requires constant adaptation to emerging threats and regulatory updates. Organizations that approach DORA as an opportunity to strengthen their overall cybersecurity posture will be best positioned for success.

FSIs that invest in proactive security strategies today will not only protect themselves from regulatory penalties but will also build stronger, more resilient digital ecosystems. Cyber resilience is now a business imperative, and those that take it seriously will emerge as leaders in the evolving financial landscape. Compliance in itself should not be any organization’s security strategy, but it is a rising tide that lifts all ships to a better security foundation, to the benefit of all.


This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
