DORA Is More Than a Checklist: Understanding the New Reality of Digital Operational Resilience

The Digital Operational Resilience Act (DORA) marks a significant evolution in the European Union’s regulatory approach to ICT risk within the financial sector. While financial institutions have long been subject to requirements relating to operational risk, outsourcing, and cybersecurity, DORA introduces, for the first time, a harmonised and enforceable framework specifically focused on digital resilience.

This shift reflects a broader regulatory recognition that financial entities are no longer exposed solely to traditional operational risks, but to increasingly complex and interconnected digital vulnerabilities driven by technological dependence, third-party providers, and cross-border infrastructures.

As a result, DORA is not simply an additional compliance obligation. It represents a structural change in how firms are expected to design, operate, and oversee their ICT environment.


A Structural Shift in Regulatory Expectations

DORA establishes a comprehensive framework covering ICT risk management, incident reporting, operational resilience testing, and third-party risk oversight. Its objective is not limited to ensuring that firms maintain adequate policies, but to ensure that they are capable of withstanding, responding to, and recovering from ICT disruptions that may impact critical or important functions.

This reflects a transition from fragmented regulatory requirements to a unified model that places digital resilience at the core of supervisory expectations. Increasing reliance on external ICT providers, particularly cloud services, has also introduced new dimensions of systemic risk, prompting regulators to extend their focus beyond individual firms to the stability of the financial system as a whole.

In this context, DORA introduces a degree of rule-based prescription and operational depth that goes beyond previous frameworks, requiring firms to move from theoretical compliance to demonstrable resilience.


Implementation Is Not Merely Technical

Despite the clarity of its objectives, many firms continue to approach DORA as a technical or documentation-driven exercise. In practice, this approach often leads to frameworks that are formally aligned with regulatory requirements but lack operational effectiveness.

A key challenge lies in the fact that DORA is not limited to IT functions. It requires coordination across risk management, compliance, internal audit, and senior management, as well as alignment with business strategy and operational processes. Where ICT risk remains isolated from broader organisational decision-making, firms face difficulties in achieving the level of integration required by the regulation.

The implementation of DORA therefore requires a shift from isolated structures to a holistic and integrated approach, where ICT risk is embedded across all relevant functions.


Common Pitfalls in Practice

In practice, several recurring challenges have emerged across financial entities implementing DORA.

A primary issue is the tendency to prioritise policy development over operational capability. While firms may establish comprehensive ICT risk management frameworks on paper, these frameworks are not always supported by effective processes, tools, and controls capable of functioning under stress conditions. This disconnect between documentation and execution undermines the core objective of ensuring continuity of critical services.

Fragmentation also remains a significant concern. Many organisations continue to operate with separate frameworks for cybersecurity, IT operations, outsourcing, and business continuity, resulting in inconsistencies in how risks are identified, assessed, and managed. DORA requires these elements to be integrated into a single, coherent framework, capable of addressing risks in a consistent and comprehensive manner.

Another area frequently underestimated is the integration of ICT risk into governance structures. DORA places clear responsibility on the management body, requiring active oversight and involvement in ICT risk management. Where senior management engagement is limited, decisions relating to outsourcing, technology, and operational models may not fully reflect resilience considerations.


Operational Challenges: Incident Reporting and Testing

The requirements relating to ICT incident reporting introduce a level of complexity that many firms have not previously encountered. DORA requires the classification of incidents based on defined criteria, as well as the submission of initial, intermediate, and final reports within strict timelines. Meeting these requirements demands not only clear internal procedures, but also the ability to detect incidents promptly, assess their impact accurately, and ensure effective internal escalation.

Similarly, the expectations surrounding resilience testing have significantly increased. DORA requires firms to adopt a risk-based approach to testing that reflects their operational dependencies and threat landscape. This includes scenario-based testing and, for certain firms, advanced techniques such as threat-led penetration testing. Basic technical testing alone is insufficient to capture the broader operational impact of disruptions, particularly in environments characterised by interconnected systems and external dependencies.


Third-Party Risk: A Central Regulatory Focus

One of the most significant areas of focus under DORA is ICT third-party risk management. The growing reliance on external providers, particularly in the context of cloud computing and technology platforms, has introduced new forms of concentration and systemic risk.

DORA requires firms to maintain a detailed register of ICT third-party providers, including information on services provided, criticality, and contractual arrangements. In practice, many organisations face challenges in obtaining a complete and accurate view of their outsourcing landscape, particularly where subcontracting chains are involved.

Importantly, DORA reinforces that outsourcing does not transfer responsibility. Financial entities remain fully accountable for ensuring that outsourced services meet regulatory expectations, requiring continuous monitoring, robust contractual arrangements, and effective oversight mechanisms.


Assurance, Continuity, and Ongoing Compliance

The effectiveness of the ICT risk management framework must be supported by independent assurance. DORA requires regular internal audit and review processes to assess the adequacy and effectiveness of controls. This introduces additional expectations in terms of expertise, independence, and the integration of ICT risk into audit planning.

At the same time, DORA is not designed as a one-time implementation exercise. The regulation introduces a continuous obligation to monitor, review, and update frameworks in response to changes in the firm’s operations, technological environment, and threat landscape. A static approach to compliance is incompatible with the dynamic nature of ICT risk.


A Strategic Perspective on Digital Resilience

Beyond its technical and regulatory dimensions, DORA reflects a broader strategic shift in the financial sector. It recognises that digital resilience is not only a matter of individual firm stability, but a key component of financial system integrity.

The increasing interconnection between financial institutions and shared ICT infrastructures means that disruptions can spread rapidly across markets. As such, DORA requires firms to consider their role within a wider ecosystem, extending beyond internal risk management to the management of systemic dependencies.

Firms that approach DORA solely as a compliance obligation may achieve formal alignment with the regulation, but risk overlooking its broader implications. By contrast, those that embed digital resilience within their operating model can enhance operational robustness, improve incident response capabilities, and strengthen stakeholder confidence.


FiveComply’s Perspective

At FiveComply, we observe that the primary challenge in DORA implementation is not the interpretation of the regulation itself, but its practical application across complex organisational structures.

Firms increasingly recognise that achieving compliance requires more than aligning documentation with regulatory requirements. The focus has shifted towards ensuring that ICT risk frameworks are operational, integrated, and capable of supporting real-world resilience under stressed conditions.

Our experience shows that the most effective implementation approaches are those that prioritise:

  • alignment between ICT risk management and business strategy,
  • clear governance structures with active management body involvement,
  • comprehensive mapping and oversight of ICT third-party providers, and
  • the development of testing and incident response capabilities that reflect actual operational dependencies.

DORA implementation is therefore not a standalone exercise, but part of a broader process of strengthening operational resilience and regulatory positioning. Firms that approach it strategically are better positioned to adapt to ongoing regulatory developments and evolving technological risks.


Looking Ahead

DORA represents a fundamental transformation in how ICT risk is regulated within the European financial sector. Its implementation requires more than policy updates or procedural adjustments; it requires a reassessment of how risk is identified, managed, and integrated across the organisation.

The distinction between compliance and resilience is central. While compliance can be achieved through documentation and formal alignment, resilience requires operational capability, integration, and continuous adaptation.

As regulatory expectations continue to evolve, firms that successfully operationalise DORA will be better positioned to navigate an increasingly complex and technology-driven environment, where the ability to withstand disruption is not only a regulatory requirement, but a defining characteristic of sustainable financial institutions.


Get in touch with our team to discuss your DORA implementation or regulatory strategy:
📞 +357 25 34 00 25
📧 regulatory@fivecomply.com