Shifting from tick-box compliance to true resilience with DORA

Giles Inkson, Director of Services EMEA at NetSPI

With the 17 January 2025 DORA (Digital Operational Resilience Act) compliance deadline well behind us, financial institutions are now focusing on what lies ahead. Many have ticked the initial boxes: updating contracts, improving incident reporting procedures, and introducing basic resilience testing. Regulators, however, have made clear that operational resilience is an ongoing commitment, not a one-and-done exercise.

In the UK, where local regulations already emphasise operational resilience, DORA’s post-deadline phase has created fresh impetus for organisations to embed best practices.

In this article we’ll examine how institutions can move beyond tick-box compliance by embedding resilience into their daily operations and working proactively with regulators. We’ll also explore how emerging testing frameworks, along with strengthened third-party oversight, can transform DORA’s requirements into opportunities for sustainable growth.

Where organisations should be now

Surveys in early 2025 revealed that a notable segment of UK banks and insurers were still scrambling to address the finer points of DORA, particularly third-party oversight and threat-led penetration testing (TLPT). Regulators do not welcome delays, but they are open to 'good faith' remediation plans that show clear, measurable progress.

Many of these organisations are still determining which measures to prioritise next. An initial step should be to refine existing processes. This includes conducting follow-up reviews of incident classification and reporting capabilities and ensuring they meet DORA's timelines for notifying authorities about major ICT-related incidents. Senior leaders must closely monitor these updates and test, through exercises rather than assumption, whether their institutions can actually meet those timelines under pressure.

Importantly, resilience must be integrated into daily routines. While many firms approached the run-up to DORA as a one-time push, focusing intensely on the January deadline, those that see it as a permanent mindset will fare better. From continuous risk assessments to regular staff training, organisations should embed resilience into their operational DNA, ensuring they remain agile in the face of disruptions.

Strengthening third-party relationships

One of the most significant changes under DORA is the requirement for more robust oversight of ICT third-party providers. Outsourcing has become key to modern financial services, but a vulnerability in a supplier's system can propagate through an entire organisation and, where the supplier serves many firms, across the sector.

To address these risks and solidify vendor relationships, forward-thinking institutions should promote transparency by moving beyond cursory due diligence and sharing more detailed risk information with key partners, clarifying each side's responsibilities so both are better prepared for continuity challenges. Stepping up validation is also essential: insist on frequent attestations or security posture reports rather than relying on a single annual review, and introduce on-site audits to obtain verifiable evidence of compliance, especially for critical data centre or cloud partners.

Equally important is establishing collaborative communication: regular touchpoints, such as quarterly risk workshops or joint incident response exercises, help identify issues early. Where vendors once assumed they 'had it covered', a culture of proactive dialogue now ensures everyone understands how a disruption could affect the entire chain.

Vendors providing core infrastructure must be as prepared as the financial entities they serve, and firms that adopt a rigorous, collaborative approach with suppliers are better positioned to protect customers and meet regulatory requirements.

Proactive engagement with regulators

While much of the recent DORA focus has been on establishing the right systems and processes, dialogue with regulators has become a critical differentiator in this post-deadline era.

Rather than waiting for an audit or an investigation, institutions should proactively share progress updates with regulators, highlighting measures to strengthen resilience. This transparency helps build trust and allows for swifter adjustments if any new guidance emerges.

It's worth noting that oversight is evolving. Regulators across Europe, and their UK counterparts under the UK's own operational resilience regime, are focusing on specific areas, such as the accuracy and completeness of third-party provider registers and the quality of threat-led testing programmes. Institutions that show a clear roadmap for improving these areas can often head off more invasive scrutiny. A lax approach or radio silence, by contrast, can trigger deeper inspections and the possibility of penalties.

TIBER 2.0: preparing for the next wave of testing

Regular testing has long been a staple of good cyber hygiene, but DORA formalises advanced exercises such as TLPT for the financial entities that competent authorities identify for it, to be carried out at least every three years. In 2025, this aligns more tightly with TIBER 2.0, the updated European framework that introduces stricter timelines and more immersive "purple teaming" exercises, in which the red team and the institution's defenders work together during parts of the test.

For many firms, the learning curve is steep. Threat-led exercises run against live production systems and can be disruptive if not planned carefully, especially for institutions with limited experience in scenario-based testing. Yet early adopters report that these simulations help them pinpoint overlooked vulnerabilities and refine their detection and response procedures in a controlled setting.

With TIBER 2.0, now is the time to invest in the people and processes needed to handle these advanced tests. Allocating budget for specialised threat intelligence and red team providers, training staff to manage mock attacks, and ensuring boards are fully briefed on the results will be key to successful implementation. Equally important is a plan to turn the findings of each round of testing into tracked remediation and broader operational improvements.

Turning compliance into an opportunity

Amid ongoing enhancements to DORA, including evolving technical standards and updated guidelines, organisations should be prepared for further changes. This fluid environment rewards those who treat compliance as an opportunity to innovate, not as a burden to endure.

In practice, that might mean using DORA's requirements as a catalyst for broader digital transformation: upgrading legacy technology, improving data management, or introducing advanced monitoring tools. Institutions that invest in resilience initiatives often report fewer service disruptions and stronger customer retention.

Progressive organisations are forging deeper partnerships with their suppliers to manage third-party risk. By pooling resources and information, they meet regulatory expectations and strengthen the supply chain. The same holds for regulator relationships: engaging in sector-wide roundtables and sharing lessons learnt from significant exercises can help shape future guidance in a practical and beneficial way.

The road ahead

The January 2025 deadline wasn't a finish line; it was the start of an ongoing journey. Cyber threats, from ransomware to supply chain attacks, are relentless, and DORA aims to embed perpetual vigilance, ensuring rapid detection, swift containment, and effective recovery. This aligns with the UK's operational resilience rules, allowing firms working across jurisdictions to avoid patchwork solutions and build trust.

Meeting initial obligations was merely the first step; regulators expect continuous improvement. Those who stay proactive and transparent, refining internal processes, strengthening vendor oversight, and engaging openly, will gain regulatory goodwill and a competitive edge. True resilience takes shape beyond the deadline, and the journey is only beginning.
