With the Digital Operational Resilience Act (DORA) now in effect, organizations must pivot from preparation to active compliance and ongoing risk management.
That’s according to Carl Leonard, EMEA cybersecurity strategist at Proofpoint. In an interview with PYMNTS, Leonard said that true organizational resilience requires ongoing effort beyond compliance, with regular risk assessments and integration of third-party providers into long-term security strategies.
Effective Friday (Jan. 17), DORA will impose stricter regulations on banks and their IT providers across the EU, requiring enhanced IT risk management, resilience testing and third-party risk oversight. The law mandates that financial institutions assess the “concentration risk” relating to the outsourcing of critical functions to third-party providers.
DORA aims to prevent incidents like the CrowdStrike outage, which disrupted financial services and other sectors, underscoring the importance of managing third-party dependencies in maintaining operational resilience.
“During this analysis of existing processes, organizations likely identified gaps and have worked fast to close these gaps,” Leonard said. “It’s important to remember that true organizational cyber resilience is a continuous journey, not a one-time fix achieved with compliance. Achieving DORA compliance is not a destination, but a crucial step on the ongoing path to robust security.”
With that in mind, he noted organizations still heading toward the finish line should seek “quick wins” and consider risk on a priority basis to help minimize exposure and ensure compliance, leveraging external expertise.
“Managed service providers can offer specialized knowledge and support, helping navigate the complexities of DORA at speed and freeing up internal teams to focus on core business functions,” Leonard said. “A critical and often overlooked aspect of maintaining resilience is continuous risk assessments. This is especially crucial when integrating new technologies, services or third-party suppliers. Thorough due diligence and proactive risk evaluation are essential to avoid new vulnerabilities and maintain a strong security posture.”
While exploring the latest technologies, particularly those powered by artificial intelligence (AI), Leonard told PYMNTS that businesses must “avoid the trap of focusing solely on the latest technologies while neglecting fundamental security practices. Strong cyber hygiene, comprehensive employee training and well-defined contracts with third-party providers remain foundational to an organization’s security posture and should be iteratively refined and refreshed. Prioritize future efforts based on a thorough and evolving understanding of your vulnerabilities and be prepared to adjust budgets accordingly.”
DORA is changing the way financial institutions in Europe manage operational risk, according to Philip Benton, principal analyst at Omdia.
“DORA is designed to harmonize requirements for the security of network and information systems of organizations within the financial sector across the EU,” Benton told PYMNTS. “Specifically, it creates a regulatory framework on digital operational resilience with the goal of reducing information and communications technology (ICT)-related disruptions and threats. The regulation applies to a broadly defined set of financial services organizations and ICT service providers.”
Benton noted the “overriding goal” of DORA is to improve operational resiliency.
“Financial entities are required to monitor ICT risk to ensure a dynamic understanding of their risk landscape,” he said. “This requires tracking and assessing all risks associated with ICT systems, applications and infrastructure. By establishing a process and a methodology to conduct ICT risk assessment, organizations can identify vulnerabilities and threats that make up their attack surface, and that may affect business functions, ICT systems and supporting ICT assets.”
Officials in the financial services sector realize industry standardization, collaboration and transparency are the best forms of defense for an issue that can’t be tackled in silos, Benton said.
“Cyber risks will continue to evolve, with the sector already being urged to prepare for ‘Q Day’ — a quantum cyberattack,” he said. “It is a problem that outsourcing can’t solve. Legacy modernization is an ongoing challenge within financial services organizations, but it is important to understand DORA specifically calls out the risk associated with legacy ICT infrastructure and that DORA requires all legacy systems to be included in ICT risk assessments. The identification and control of legacy ICT systems is, in fact, a key DORA requirement, as is the management of risks related to outdated or unsupported legacy ICT assets.”
As cyber threats become more sophisticated, financial institutions are investing in cybersecurity, Benton noted, adding one-third of banks are increasing their IT spend in this area.
“Globally, financial services organizations face a host of cybersecurity threats,” Benton said. “Some threats are industry-agnostic, so organizations may deploy many of the same security controls seen in other large organizations. But financial services organizations also need to protect against targeted and sophisticated forms of fraud, much of it utilizing digital infrastructure.”
As the complexity of these threats grows, companies must adapt their strategies to stay ahead of emerging risks, according to Loren Johnson, senior director of product marketing at Aravo.
“DORA is a game-changer for operational resilience in financial services,” Johnson told PYMNTS. “For the first time, the EU has drawn a hard line in the sand, saying: ‘If you want to do business here, your ICT systems must be battle-ready.’
“This isn’t about optional frameworks or vague best practices anymore — it’s about a legal mandate with teeth,” he added. “Financial institutions must ensure they can withstand, respond to, and recover from everything from a sophisticated cyberattack to a basic service outage.”
The real challenge, Johnson noted, is that compliance is complex.
“It’s not just about plugging security gaps,” he added. “It’s about creating a resilient ecosystem. Financial firms need to test their systems rigorously, report incidents promptly and ensure that every tech partner, no matter where they’re based, is operating at the same high standard. For some, this will mean overhauling risk management programs, evaluating each third party as either a risk asset or a risk liability, and likely losing key vendors that can’t keep up. And the stakes? Let’s just say a fine of 1% of daily global revenue isn’t pocket change.”
Success under DORA relies on transparency and communication, Johnson said.
“Banks need to be crystal clear about what DORA expects, embedding those expectations into contracts and service-level agreements,” he said. “But it won’t be easy. Smaller vendors might struggle with the resources to meet DORA’s standards, and banks may need to invest in helping them level up. DORA also includes an allowance for proportionality, assuring financial entities can focus their diligence on where the risks lie and pursue a risk-based approach.”
Johnson added a “silver lining” exists.
“This regulation forces a shift from reactive firefighting to proactive resilience building,” he said. “By working closely with their suppliers, financial institutions can strengthen not just their own operations, but the entire ecosystem they rely on.
“DORA puts cybersecurity front and center, but it’s not just about stopping attacks. It’s about building systems that can take a hit and keep going,” he added.