
Blogs & Opinions 13.03.2025
DORA: A defining moment for financial sector cyber resilience
The regulation is encouraging a more proactive approach to risk management
The Digital Operational Resilience Act (DORA), which came into full effect on 17 January 2025, marks a pivotal shift in how financial institutions within the EU – and those engaging with its markets – must manage digital threats. In an era where cyber attacks are more sophisticated and disruptive than ever, the regulation seeks to ensure the financial sector can withstand, recover and adapt to operational disruptions caused by digital threats.
The need for such action is indisputable. According to the International Monetary Fund (IMF), nearly 20% of global cyber incidents since 2020 have impacted the financial sector, resulting in direct losses of $12bn. However, DORA compliance is not without its challenges.
DORA is more than a compliance exercise – it is a call to build enduring resilience as threats continue to grow in sophistication and frequency. At the heart of the regulation is a mandate for stricter third-party risk management – a response to the growing dependency of businesses on external vendors, and the risks they pose. Incidents such as the MOVEit and Ivanti-related breaches have made it abundantly clear that even the most secure internal systems can be compromised by vulnerabilities in third-party providers. Our data reveals that, during the first half of 2024, 40% of all insurance claims were attributed to third-party vendor breaches.
“DORA’s emphasis on incident response and vulnerability testing has shifted the financial sector’s focus from reaction to prevention.”
Since DORA came into effect, financial entities have been conducting rigorous due diligence, monitoring performance, and establishing comprehensive vendor contracts, reflecting a significant shift in how third-party risks are managed across the sector. The regulation has also encouraged the quantification of cyber risk, helping business leaders prioritise their resources more effectively and make better-informed decisions on managing risk. Additionally, there are now stricter incident classification and reporting processes, designed to bring greater transparency to the risks posed by ICT supply chains.
DORA’s emphasis on incident response and vulnerability testing has shifted the financial sector’s focus from reaction to prevention – an essential step given the speed and scale of modern cyber attacks. Effective incident response plans are key, enabling organisations to identify, contain and recover from cyber incidents swiftly. A fragmented or delayed response, by contrast, can amplify operational disruption, regulatory scrutiny and financial losses.
Crucially, DORA now mandates penetration testing, which simulates real-world attacks to uncover vulnerabilities before malicious actors exploit them. This proactive approach gives financial institutions a clear view of their defences, allowing them to address weaknesses early. In a landscape where cyber risks are inevitable, the ability to test and refine defences is no longer optional – it’s essential.
While the objectives of DORA are clear, achieving compliance presents significant hurdles. Smaller financial institutions in particular still face challenges in integrating the regulation’s requirements into existing processes, while balancing limited resources. At the same time, firms must maintain transparency with regulators, boards and stakeholders, without compromising sensitive operational details.
“For firms that embrace DORA as an opportunity, the benefits extend beyond compliance.”
Navigating these complexities demands a holistic approach to cyber-risk management. Continuous monitoring, regular testing and deeper collaboration with external partners will be key to aligning with DORA’s requirements. For many organisations, cyber insurance solutions provide an additional layer of proactive security, helping to manage vendor risks, quantify financial exposures and respond effectively to incidents.
As DORA moves from a new regulation to a standard operating expectation, financial institutions are transitioning from awareness to action. They have started implementing more robust internal governance and control measures, developing comprehensive risk management frameworks that encompass the strategies, policies, procedures and tools needed to respond to incidents. In addition, the European Banking Authority (EBA) amended its guidelines on ICT and security risk management on 11 February 2025, simplifying frameworks and providing greater legal clarity. This adjustment has helped institutions better align their operations with DORA’s requirements.
DORA demands more than technological upgrades; it requires a cultural shift – fostering a mindset of continuous improvement, vigilance and preparedness. Training teams, refining incident response protocols, and conducting realistic cyber simulations are essential steps to ensure readiness.
For firms that embrace DORA as an opportunity, the benefits extend beyond compliance. By strengthening operational resilience, they can better protect customer data, minimise disruption, and remain agile in a volatile digital landscape. The institutions that act decisively now will be best positioned, not only to comply with DORA, but to thrive in an increasingly complex and uncertain world.
Simon West has over 25 years of global security risk management experience. Before joining Resilience, he served for 15 years in the UK Royal Marines, where he developed a strong foundation in leadership and operational excellence. This unique blend of military discipline and technological expertise has been pivotal in his approach to cyber risk management.