by Richard Evans, UK&I Country Manager at WSO2
With the Digital Operational Resilience Act (DORA) in force since January 2025, financial institutions across the EU are under growing pressure to boost their digital resilience, maintain uninterrupted services, and tighten oversight of their Information and Communication Technology (ICT) partners. While not every software provider falls under the category of “Critical ICT Third-Party Service Provider,” many, like WSO2, still play a vital role in supporting regulated entities, which brings with it a shared responsibility.
Technology providers can help financial institutions meet DORA’s requirements by embedding secure development practices, building resilient system architectures, managing third-party risks effectively, and offering deployment strategies that align with regulatory expectations. These efforts go a long way in helping organisations reduce digital risk and maintain operational continuity without sacrificing agility or innovation.
But before diving into how vendors can support compliance, let’s take a closer look at what DORA demands.
What is DORA?
DORA is the EU’s regulatory framework designed to strengthen digital operational resilience across the financial sector. It outlines a structured approach to managing ICT risks, enabling financial institutions to withstand, respond to, and recover from disruptions, caused by cyberattacks, system failures, or other technology-related incidents.
The regulation applies to a wide range of financial entities, including banks, insurers, investment firms, payment providers, and crypto-asset service organisations. It also brings third-party technology providers, like cloud platforms and software vendors, into scope. With DORA now active, organisations must align their operations with its compliance requirements within the set timeline.
In today’s rapidly evolving risk landscape, DORA couldn’t be timelier. Financial institutions are facing an unprecedented surge in cyber threats, operational disruptions, and regulatory scrutiny, all against a backdrop of increasing digital dependency. DORA provides a unified framework to help organisations not only respond to these challenges but proactively build resilience into their operations. By setting clear standards for ICT risk management, incident response, and third-party oversight, DORA ensures that financial entities are better equipped to protect customer trust, maintain service continuity, and safeguard the stability of the wider financial system.
Breaking Down DORA: The Key Pillars of Digital Operational Resilience
To stay compliant, financial institutions need to demonstrate their ability to prevent, withstand, recover from, and adapt to ICT-related disruptions. DORA breaks this down into several key areas:
- ICT Risk Management and Governance: Institutions must identify critical IT assets, assess threats, and implement controls. Business continuity and disaster recovery plans should be regularly updated to ensure resilience during crises.
- Incident Reporting: Organisations must detect and report major ICT incidents, such as outages or cyberattacks, within a defined timeframe. This includes initial alerts, interim updates, and final reports to regulators, helping promote transparency and sector-wide awareness.
- Digital Operational Resilience Testing: Regular testing of IT systems is essential. This includes vulnerability assessments, simulations, and for critical services, threat-led penetration testing. Any weaknesses must be addressed swiftly.
- Third-Party Risk Management: DORA places strong emphasis on oversight of external ICT providers. Financial entities must maintain a register of providers, assess risks, and ensure contracts include clauses for security, audit rights, and exit strategies. Ongoing monitoring is key, especially for high-risk services.
- Information Sharing: Institutions are encouraged to join trusted platforms for sharing intelligence on cyber threats and incidents. This collaborative approach helps strengthen collective resilience across the sector.
Supporting DORA Readiness
Even if a vendor isn’t classified as a “Critical ICT Third-Party Service Provider,” they still play a vital role in helping financial institutions meet their compliance obligations. Here’s how:
- Third-Party Compliance Oversight: Many ICT providers rely on external platforms that process customer data, including personally identifiable information (PII). These third parties must follow strong data governance practices and demonstrate operational resilience in line with DORA’s standards.
- Product Lifecycle Management: Vendors must maintain robust software lifecycle processes, including timely delivery of patches, security updates, and support services. This helps customers meet DORA’s expectations regarding technology risk and service continuity.
- Deployment Guidance: Providers can support customers by offering architecture reviews, deploying best practices, and risk assessments. This helps financial institutions evaluate the resilience and dependencies of their technology environments and align with DORA’s digital resilience goals.
By adopting these practices, technology providers contribute to the development of secure, resilient, and trustworthy digital infrastructure, giving financial institutions the confidence to meet DORA’s demands without unnecessary risk exposure.
Partnering for Resilience: Technology’s Evolving Role in DORA Compliance
DORA marks a significant shift in how financial institutions approach digital resilience. It’s no longer just about ticking compliance boxes; it’s about building systems that can withstand disruption and recover quickly. This shift presents a valuable opportunity for technology providers to become trusted partners in resilience. By aligning with DORA’s principles and supporting customers through secure development, robust governance, and smart deployment strategies, vendors can help shape a more stable and secure financial ecosystem.
As the regulatory landscape continues to evolve, collaboration between financial institutions and their technology partners will be key to staying ahead of risk and maintaining trust in a digital-first world. Providers with a strong focus on secure software delivery and operational continuity, are well-positioned to support this journey.