What financial institutions need to do about DORA

Notis Iliopoulos, VP of Managed Risk and Controls at Obrela

Few financial organisations are not already aware of DORA – the Digital Operational Resilience Act that became applicable on 17 January 2025. It essentially created a unified EU-wide framework for ICT risk management, incident reporting, resilience testing and third-party oversight across core financial services.

By incorporating previous financial sector-specific rules under one directive, DORA underscores that digital operational resilience is foundational to economic stability, extending obligations to banks, insurers, investment firms, payment institutions and critical ICT providers.

Recent surveys highlight strong awareness and engagement; however, the picture is not as positive when it comes to readiness. Although over 90 per cent of financial institutions had launched DORA programmes by April 2024, only one-third felt fully prepared by the enforcement date. And according to the UK Financial Institutions’ DORA Readiness Survey by S&P Global Market Intelligence, nearly half of UK organisations missed the January 2025 deadline, highlighting lingering challenges in data collection, board training and contract realignment.

The cyber resilience imperative

DORA elevates cyber resilience into a boardroom priority. Executive teams must identify and catalogue critical business functions and underpinning ICT assets, embed threat detection and response playbooks with defined reporting timelines and enforce continuity plans that guarantee rapid recovery. New contractual clauses also specify rigorous due diligence of cloud and technology vendors to reduce risk and preserve operational continuity should a key supplier fail.

During the two-year grace period from adoption in December 2022 to enforcement in January 2025, many larger organisations completed asset inventories, updated incident classification schemes and renegotiated vendor agreements in line with the new regulatory technical standards. Many of the smaller institutions implemented baseline measures just to hit the deadline and now need to reinforce those foundations by conducting maturity assessments and embedding the latest technical standards.

Global implications

DORA’s EU-specific resilience requirements sit alongside the UK’s operational resilience regime and various U.S. cybersecurity directives. Institutions that are operating across borders must weave DORA-compliant controls into broader, jurisdiction-agnostic risk architectures, ensuring consistent reporting, auditability and governance across all entities while respecting local thresholds for incident notification and third-party scrutiny.

Sustained resilience

True operational resilience under DORA is all about an ongoing and sustained cycle of assessment, adjustment and enhancement. Organisations must maintain live inventories of critical assets and ICT suppliers, document decisions on risk appetite, and conduct annual stress-testing of incident response plans. As EU supervisors shift from specifying technical standards to active enforcement, transparent governance and demonstrable improvements will make leaders stand out.

Steps to compliance

Financial institutions should start with a formal gap analysis against the finalised Regulatory Technical Standards. This will enable them to quantify any residual risks across people, processes and technology. The analysis also informs board-level training on evolving DORA obligations, ensuring executive ownership of resilience planning.

Incident classification and reporting workflows should also be revised to incorporate any lessons learned from real-world events and audit findings. Third-party risk management frameworks must be expanded to include concentration-risk monitoring and contractual right-to-audit clauses. Finally, resilience metrics should be integrated into enterprise-wide dashboards, guiding budget prioritisation and driving ongoing enhancement.

Leveraging technology for streamlined compliance

Transforming DORA compliance from a burdensome checklist exercise into a strategy that improves resilience starts with the right technology. A purpose-built compliance platform, such as Obrela’s MRC, brings together ICT risk registers, incident response plans, third-party oversight and recovery testing into a single, intuitive interface, also supported by the relevant cybersecurity advisory services.

The enterprise governance and compliance management capability of MRC smoothly connects all major elements of Information Security Management & Compliance from framework establishment and maintenance to continuous monitoring and reviewing, delivering a robust platform specifically designed for Information Security Governance and Compliance. With embedded content and a vast number of applications and connectors, MRC enables organisations to dynamically manage their security framework, orchestrate governance and compliance procedures, assess compliance with regulations, policies and standards, and analyse information risks in real time – all under a single interface carefully designed for ease of use, easily customisable to fulfil different organisation views and roles.

In this way, DORA compliance shifts from a one-off exercise to a continuous, insight-driven process, turning operational resilience into a true competitive advantage.
