What six months of DORA tells us about the future of resilience

It’s six months since the Digital Operational Resilience Act (DORA) was implemented, yet it’s clear that gaps remain between what was expected and what is being actioned.
Far too many firms still see compliance as a tick-box IT project rather than the cultural, governance and resilience change in the sector that the regulation was intended to bring about. It’s easy to think that existing frameworks and risk processes are “close enough,” but that complacency has left us holding on to a false sense of security.
Rather than getting ahead of things, a lot of companies seem to be waiting to be pushed by regulatory deadlines, clients or even vendors before they do anything decisive. That approach risks leaving them exposed as scrutiny tightens and the cost of inaction grows, especially when there is still too little recognition that technology and automation are critical to simplifying the complexity of today’s overlapping regulatory frameworks.
The barriers holding firms back
The biggest obstacle to DORA compliance isn’t a lack of knowledge; it is the systemic barriers that prevent firms from making meaningful progress. Organizational silos are the big issue: risk, IT, compliance and security teams all work to conflicting agendas, so the joined-up resilience that DORA promotes becomes next to impossible.
Legacy systems create another layer of complexity as they are not built for true real-time monitoring, leaving companies relying on increasingly outdated snapshots of their security posture. In a lot of cases, firms may not even be fully aware of all the legacy systems still running in the background, creating hidden gateways for cyber criminals and exposing organizations to compliance failures.
The other issue is that firms are so used to working from spreadsheets and point-in-time information, which can take days to collate and often involves multiple people and systems. By the time it is gathered, it is already out of date. What’s perhaps most concerning is a lack of board-level engagement.
Where oversight is lacking, investment decisions are left stuck in the mud, leaving security posture and business resilience in danger of being treated as something embedded at the operational level of a company rather than the strategic level at which it sits.
Far too often there is little interest until an incident occurs or a third-party breach forces action, by which point organizations are working from information that is already outdated the moment it has been gathered, keeping cybersecurity and regulatory compliance trapped in a frozen state of reactivity rather than proactivity.
A lack of visibility makes the challenge worse, as supported by a recent Forrester study which found that nine in ten financial services institutions now say they must prioritize working with partners who can provide comprehensive visibility to mitigate risk and meet regulatory obligations. There’s a lot to be gained from collaboration.
Where the strain shows
The gap between where organizations are and where they need to be to comply with DORA is most apparent where the regulation raises expectations well above what might be deemed standard practice.
While the regulation expects near real-time oversight, many firms are still stuck with manual audits and periodic checks, processes that may once have sufficed but simply cannot keep pace with today’s operational and cyber risks.
Third- and even fourth-party risk management is another sticking point, as firms contend with complex supplier networks and limited visibility into subcontractors and critical dependencies.
Threat-based penetration testing is more difficult than many realize as it requires a level of maturity and preparation most systems aren’t ready for. Incident detection and reporting add further pressure, with uncertainty around classification thresholds and tight timelines leaving many unprepared.
Layered on top of these challenges is a wider sense of “compliance fatigue” where DORA overlaps with other frameworks such as NIS2, GDPR and PSD2. A prime example is organizations that have ISO 27001 in place assuming they automatically have the degree of risk management that DORA requires.
As a result, firms are not only dealing with rising cyber threats but also struggling to keep track of where responsibilities begin and end.
Turning compliance into resilience
Despite all of the challenges, DORA should be viewed as less of a burden and more of an opportunity as it provides a clear structure to develop the level of resilience that financial institutions have long required yet have often found challenging to prioritize.
That means unifying teams through cross-functional working groups, ensuring board engagement, interrogating third-party risks and investing in the right technology to automate processes and provide a continuous view of resilience. Success will hinge on removing internal silos and persuading the IT Security, Cyber, Risk and Compliance functions to work together in common cause.
Automation and integration are equally vital as without them, firms will remain trapped in cycles of manual oversight and fragmented reporting. Real resilience also means looking outward: mapping and continuously monitoring third-party dependencies, not just trusting supplier assurances.
Most importantly, companies require a definitive guide to investing in filling fundamental gaps with measurable assurance. Done well, DORA compliance is not about ticking regulatory boxes or staying out of trouble.
It is about building trust, protecting the wider financial ecosystem and embedding resilience as a competitive advantage in a market where confidence and continuity matter most. With criminals growing more sophisticated and AI strengthening their capabilities, operational resilience must now be front of mind and tackled proactively.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
Martin Greenfield is CEO of Continuous Controls Monitoring solutions provider, Quod Orbis.