DORA: A Catalyst for Bolstered Business Resilience

by Effie Bagourdi, Global Head of Service Management at Adaptavist

If well implemented, the EU’s upcoming Digital Operational Resilience Act (DORA) presents an opportunity for financial institutions and their critical service providers to generate momentum in strengthening their overall operational resilience.

However, while the regulation primarily targets EU financial institutions and their third-party providers (within and outside the EU), its implementation raises important questions about business impact, efficiency, and innovation for any organisation in the wider business ecosystem of these financial institutions. These questions are particularly urgent for smaller organisations with a diminished pool of resources compared to their larger counterparts.

For DORA to be successful, both directly affected organisations and those at the fringe must find a way to comply with DORA that prevents it from negatively impacting their business models or stifling innovation. Rather than allow the regulation to dictate the direction of travel, organisations must use DORA as a driving force to invest in and reform their IT management practices to achieve greater robustness, helping them stand up to the threat of cyber attacks, outages, and human error.

Promoting a culture of security and resilience

Several global events in recent history, such as Meta’s seven-hour outage in 2021 (which happened as a result of a bug allowing all the company’s data centres to be disconnected during routine maintenance) and the 2024 CrowdStrike outage (which exposed vulnerabilities in the IT infrastructure of thousands of organisations), have led to a watershed moment for digital resilience.

At the regulatory level, frameworks such as DORA are establishing digital resilience as a core business imperative, providing international standards for organisations to follow. Within organisations themselves, shifting priorities are being reported, with research from Adaptavist revealing that 86% of organisations affected by the CrowdStrike outage are now planning to strengthen their incident response training and boost their vendor risk management.

However, regardless of motivations, the true measure for any piece of regulation lies in its implementation. While DORA provides important guidance, organisations need the flexibility to develop resilience strategies that align with their specific operational needs. Yet DORA’s individual liability clauses present a challenge. While accountability matters, excessive penalties risk creating a culture of fear that could discourage the type of transparent incident reporting necessary to overcome operational challenges.

Instead of letting these provisions dictate process, organisations must reframe DORA as an opportunity – to build robust resilience practices and a ‘resilience-first’ culture from the ground up. Combined with adaptable best practices, this will be crucial in preventing future outages or cyber incidents of large scale and impact, and achieving competitive advantage as digital resiliency becomes a stronger priority for partners and customers.

Implementing an effective service management strategy can help teams work better together. The right approach will improve visibility and insights via proactive monitoring, and allow IT teams to utilise automation to improve processes and workflows. This, in turn, helps organisations focus on what matters, safe in the knowledge that their processes will hold up to regulatory scrutiny.

The operational strain DORA places on smaller businesses

While DORA presents a unique opportunity to investigate and strengthen operational foundations, compliance demands significant investment and resources from organisations of all sizes. While larger institutions have the time and money to implement DORA strategically on their terms, smaller firms face the dual constraints of tight deadlines and limited budgets. As a result, smaller companies may be forced into reactive compliance measures, potentially sacrificing long-term operational efficiency for immediate regulatory adherence.

This poses a significant challenge for international adoption of DORA since countries with a strong SME economy tend to champion innovation and creativity. DORA’s potential to stifle this may lead to push-back on enforcement, as evidenced by NIS2’s delayed adoption across 23 member states.

Therefore, it is imperative for small organisations to adapt, think outside the box, and approach DORA proactively if they want to emulate the successes of larger organisations that harness regulatory requirements as an impetus to make strategic improvements.

How to implement DORA successfully

Building a culture of resilience and adhering to DORA doesn’t have to be painful. If approached in the right way, businesses can not only mitigate risk but gain a competitive advantage at a time when resilience is becoming a major differentiator.

Success lies in implementing advanced monitoring systems and cross-functional response teams that satisfy DORA’s requirements and address a range of potential business disruptions, rather than designing processes just to meet its minimum requirements. Companies must prioritise their team training and data protection practices, which requires organisations to go beyond compliance checklists and embed resilience into their daily operations.

For example, mandatory incident reporting is one of DORA’s key requirements. Organisations can implement incident management frameworks that integrate with training modules and resilience testing to ensure teams are fully prepared to meet DORA’s reporting and response requirements. Regular drills and collaborative exercises will improve response times, reduce disruptions, and align teams toward resilience goals.

Regulation should not be treated as a generic checklist of do’s and don’ts but rather a push to think critically about your business needs. By addressing areas that may fall outside DORA’s direct scope, such as legal and operational functions, companies can ensure a more holistic and future-proof approach to resilience.
