The Digital Operational Resilience Act (DORA) arrived on 17th January 2025. DORA is a regulation introduced by the European Union to strengthen the digital resilience of the financial sector. It is part of the EU’s broader efforts to enhance the stability and security of financial markets, aims to ensure that financial institutions can withstand and recover from ICT (Information and Communication Technology) disruptions. This regulation focuses on enhancing the ability of financial entities to prevent, detect, respond to, and recover from cyberattacks, system failures, and other technology-related disruptions.
As organisations adjust to these new requirements, industry experts have weighed in on the implications of DORA, offering insights into how firms can navigate its demands and build a more secure and resilient future. Here’s what some of them have to say:
Fadl Mantash, Chief Information Security Officer at Tribe Payments, a leading digital payments and infrastructure orchestrator that specialises in issuer and acquirer processing commented
“It’s a date that has been circled in the calendars of EU financial institutions for two years. Whether firms are making final adjustments or racing to address outstanding gaps, the focus must now be on ensuring their compliance strategies are robust enough to withstand future challenges.
Recent disruptions like the CrowdStrike outage and increasingly complex cyberattacks are stark reminders of the risks embedded in our digital infrastructures. To protect against them, DORA compels firms to go beyond superficial defences and confront vulnerabilities at their core – scrutinising systems, dependencies, and supply chains with renewed intensity. Key to its success, DORA emphasises harmonisation, ensuring that third-party partnerships don’t become weak links. This is a key move for payments firms, whose reputations hinge on delivering uninterrupted, secure services.
In my opinion, seeing DORA as more than a compliance checkbox is what will separate the leaders from the laggards. Proactive resilience testing, agile incident response, and closer collaboration with regulators and ICT providers will take compliance to the next level – building trust, safeguarding operations, and setting the stage for a stronger financial ecosystem.”
Helen Barge, Senior Risk and Resilience Consultant at Barnett Waddingham “DORA may have crossed the finish line, but the race for compliance is far from over. Organisations with European connections must now navigate a complex landscape of interconnected risks.
“The shadow of DORA casts a long reach, extending deep into business’ supply chains. While financial institutions are increasingly aware of this, many suppliers, particularly those further down the chain, may not fully grasp the implications impacting them. And many organisations may not have fully realised that if they serve clients or partners within the EU, they are also subject to DORA’s requirements.
“Perhaps most importantly, this is not solely a problem for the IT department, and requires a comprehensive business approach. This regulation incurs an organisation-wide challenge but is also a unique opportunity for risk leaders to refresh outdated practices, while embracing continuous risk management.
“Relying on infrequent risk assessments is no longer a tenable strategy in today’s rapidly evolving risk landscape. A proactive, continuous approach to risk management is imperative, and shouldn’t be solely prompted by new regulation. Neglecting this crucial shift could leave organisations vulnerable to unforeseen cyberattacks.
“Sharing information and best practice around DORA will also be critical. DORA encourages collaboration through initiatives like the CISP (Connect, Inform, Share, Protect), which is a platform for cyber security professionals in the UK to collaborate on cyber threat information in a secure and confidential environment. However, many organisations struggle to effectively gather and analyse information from their vast network of suppliers. Ultimately, a coordinated effort across the organisation, involving procurement, IT, and business units, is crucial for achieving and maintaining DORA compliance.”