Interviews

Advent IM explore DORA

by Mark Rowe

DORA has arrived, writes Ellie Hurst at the information security governance and awareness consultancy Advent IM. Here’s what to know about digital resilience.

On January 17, 2025, the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) became applicable across the European Union, two years after it entered into force. This landmark regulation now sets the standard for how financial institutions manage digital risk, ensure system continuity, and protect customer trust in an increasingly volatile and risk-laden digital world. Whether or not a financial firm is based in the EU, the impacts of DORA are wide-reaching, and UK financial firms are no exception. For those operating in or with the European market, compliance is no longer a future target. It is now an enforceable requirement.

We at Advent IM have always viewed legislation, regulation and compliance as opportunities to do things better, not as an unwieldy or unnecessary burden. Building resilience should always be a business activity, because it is the route to secure growth within your risk appetite. DORA is no different. To support those now looking at this Act, here is some guidance on what DORA is, what it requires, and why it matters to your business, even if you are not a cybersecurity specialist.

What is DORA?
DORA is an EU regulation, proposed by the European Commission and adopted by the European Parliament and Council, intended to ensure that entities across the financial sector can withstand, respond to, and recover from operational disruptions caused by information and communication technology (ICT) issues. Because it is a regulation rather than a directive, it applies directly in every member state without national transposition. DORA applies to a broad range of financial entities: banks and credit institutions, insurance and reinsurance companies, payment service providers, investment firms and asset managers, crypto-asset service providers, and the ICT third-party providers that serve them.

All in-scope organisations are expected to meet DORA’s requirements in full. Why it matters: although the UK is no longer part of the EU, DORA affects any UK-based financial organisation that:
• operates a branch or legal entity in the EU
• serves EU clients or markets
• works with EU-based ICT third-party providers

Even beyond direct legal obligations, many UK institutions are choosing to align with DORA voluntarily. Why?
• It strengthens operational resilience against cyber threats and technology failures
• It complements existing UK regulatory expectations from the FCA, PRA, and Bank of England
• It facilitates trust with EU clients, regulators, and cross-border partners

In short, DORA is becoming the de facto standard for digital risk management in financial services, regardless of jurisdiction.

Five pillars

Here is a non-technical overview of what DORA requires from firms:
1) Risk management
Organisations must have clear governance structures and internal controls to manage risks to their digital systems. This includes regular assessments of potential threats, policies to mitigate the associated risks, and plans for responding to ICT disruptions. Boards and senior leaders are expected to take active responsibility for this, not just the IT department: under DORA the management body is accountable for the ICT risk management framework and must approve it, oversee it and keep its own knowledge of ICT risk up to date. This is good practice everywhere, not just in finance.
2) Incident Reporting
Firms must detect and classify ICT-related incidents (such as system outages or ransomware attacks) and report major ones to their competent national authority within tight timeframes. Under the technical standards that accompany DORA, a major incident requires an initial notification within four hours of being classified as major (and no later than 24 hours after the firm becomes aware of it), an intermediate report within 72 hours of that notification, and a final report within one month. Meeting those deadlines depends on having detection, triage and classification processes that work before the incident, not during it. This ensures transparency and allows regulators to monitor systemic risk across the sector.
3) Digital Operational Resilience Testing
Organisations must test how well they can withstand disruptions. This ranges from a baseline programme of regular testing (vulnerability assessments, scenario-based tests, performance and stress tests) across all ICT systems supporting critical functions, to threat-led penetration testing (TLPT) that mimics real-world attacks against live production systems. TLPT is required at least every three years for the firms their regulator designates for it, and follows the TIBER-EU framework.
These tests help identify weaknesses before they are exploited by threat actors.
4) Third-Party Risk Management
If your firm uses third-party suppliers for ICT services, for example cloud storage, payment processing, or trading platforms, DORA requires robust oversight. Firms must keep a register of information covering all contractual arrangements with ICT third-party providers, and contracts must include clear roles, responsibilities, service levels, audit and access rights, and exit strategies. Providers designated as critical ICT third-party providers also fall under direct EU oversight, with specific rules for outsourcing. Given the part third parties have played in the growth of data breaches and security failures, this should be top of mind for every boardroom in the finance sector.
5) Information sharing
Firms are encouraged to share knowledge and intelligence about cyber threats with industry peers. This collective defence approach aims to reduce systemic risk across the financial sector. Hostile actors share information, tools, lists and much more, and have done for years. This approach has served them well and now these successful tactics should be adopted by legitimate businesses to help defend and build resilience. There has long been a reluctance to show and tell but those days are over.

What if you’re behind?
Despite the two-year transition period, many firms are still catching up. Research indicated that up to 43 per cent of UK financial institutions may fall short of full compliance at the deadline (ComputerWeekly, 2024). If your organisation is late or only partially compliant, there are risks:
• Regulatory penalties in the EU
• Reputational damage, especially if an incident occurs
• Strained commercial relationships with EU partners or suppliers
• Reduced ability to bid for or retain EU business

Falling behind on DORA is not just a compliance issue — it’s a strategic weakness in a digital economy.

Broader impact
DORA is not just a task for cyber teams or IT professionals. It requires widespread engagement across the business, especially from leadership. Here’s how non-technical teams are expected to contribute:

Board members and executives must understand operational risk to their digital systems and ensure it is being managed effectively. Risk and compliance teams should ensure ICT risks are integrated into the wider risk framework and compliance reporting. Procurement and legal teams need to assess contracts and vendors to ensure resilience obligations are met. Business operations and HR play a role in incident readiness, communication, and ensuring staff understand their responsibilities.

Practical steps
Whether you’re catching up or refining your existing programme, here are practical actions to take now:
1) Assess your current position
Review your information security, business continuity, and supplier risk practices against DORA’s requirements.
2) Engage cross-functional stakeholders
Create a DORA task force that brings together IT, legal, procurement, risk, compliance, and senior leadership.
3) Update internal policies and contracts
Ensure your security policies, vendor agreements, and risk assessments reflect DORA’s expectations.
4) Document your compliance efforts
Regulators expect to see evidence of governance, planning, and accountability. Maintain a clear audit trail of decisions, testing, and control improvements.
5) Educate your people
Train staff on what resilience means, how to spot potential issues, and how their role supports compliance.

Looking ahead
Regulation often feels like a burden, but DORA also presents a strategic opportunity. By embedding resilience into your operations, you:
• Improve trust with customers, partners, and regulators
• Strengthen your ability to recover from disruptions
• Align with the global direction of financial supervision
• Stand out as a mature, well-managed organisation

We have always said resilience is a business enabler, not just a control measure. DORA puts structure and accountability around that concept, making it clear that digital failure is no longer acceptable as ‘part of doing business’.
DORA is now in force, and the financial sector must rise to meet it. For UK firms, this is both a regulatory and a strategic moment. Compliance is important, but the bigger picture is about protecting customers, services, and reputation in a connected and vulnerable world.
Whether you are regulated under DORA directly, or simply influenced by its principles, the message is the same: digital operational resilience is no longer optional. It is essential.

See also the Advent IM blog.
