DORA 2025: What Does it Mean for Financial Services?
2025 has already presented a wealth of cyber challenges for organisations sector-wide, impacting not just their funds but their operational stability as well.
However, the Digital Operational Resilience Act (DORA) represents a pivotal moment in how financial organisations approach operational risk management.
The January 2025 deadline has since passed, so what does this mean for financial institutions? Let’s explore what DORA demands of such institutions and how its requirements can be leveraged for long-term operational stability and success.
What is DORA and What is Its Purpose?
DORA is a regulation introduced by the European Union (EU) mandating that financial institutions take better care of managing their technology risks and ensure their operations remain disruption-free.
DORA came into effect in January 2025, representing the first piece of cyber security legislation of its kind. It creates a unified regulatory focus and approach across financial services companies in the EU and independent partner nations.
The scope of DORA is remarkably broad, covering over 22,000 financial entities operating within the EU, ranging from high-street banks and financial technology (FinTech) firms to insurance providers and crowdfunding platforms, to name a few. Crucially, it also extends to the ICT (information and communications technology) service providers supporting such institutions, creating a framework that addresses the risks to which the financial sector is exposed. It recognises that the sector is increasingly reliant on technology, and that such dependency can make firms more vulnerable to cyber attacks and severe security breaches.
DORA builds upon five fundamental pillars:
- ICT risk management: Establishing comprehensive procedures to identify, protect against, detect, respond to, and recover from IT-related disruptions or incidents
- Incident management and reporting: Creating standardised systems and approaches to classify and report threats
- Operational resilience testing: Implementing rigorous testing programmes like penetration testing
- Third-party risk management: Ensuring resilience extends to critical service providers that support the financial sector
- Information sharing: Promoting transparency and open exchange of threat intelligence and best practices
What Impact Does DORA Have on Financial Companies?
Financial institutions trading in the EU or with DORA-regulated companies should view the legislation as presenting both challenges and opportunities. While its requirements necessitate a thorough examination and objective review of existing operational programmes and gaps, the benefits of improved and broadly-regulated security requirements can offer full reassurance and peace of mind.
Many organisations in the financial space will need to enhance their capabilities, not least around existing resilience testing and ICT infrastructure. Financial entities must establish thorough, more stringent reviews of ICT partners and providers, possibly even enhancing their due diligence processes. For companies offering complex services, such as tax-efficient investments through channels like VCTs, EIS and BPR, among others, third-party systems often form a vital component of their service offering. As such, these must be carefully scrutinised and updated to reflect the new, enhanced levels of security compliance.
Standardised reporting frameworks imposed by DORA will require financial entities to adjust their existing incident response, vulnerability management, escalation and threat containment procedures. These procedures and other associated paperwork must be securely documented and accessible.
For UK-based financial institutions, DORA creates additional complexity. While existing UK operational resilience regulations share common elements with DORA, the latter introduces more prescriptive requirements around ICT and cyber resilience. UK entities must determine if their EU operations fall within DORA's scope and align their compliance strategies accordingly.
Leveraging DORA for Long-Term Success
DORA represents more than simply a tick-box compliance exercise. It provides a framework that can drive meaningful improvements in a financial services provider’s resilience. For example, DORA is very much aligned with other regulatory frameworks like GDPR and NIS2, meaning organisations can leverage such preparations to strengthen their overall resilience and posture.
Manual processes for maintaining documentation and monitoring third-party risks are becoming increasingly unsustainable. Investing in approved automation tools can turn compliance from an administrative headache into a competitive advantage through improved efficiency and visibility.
Organisations that can break down silos between business, security, and technology functions stand a better chance of creating a more unified, coherent approach to resilience, while responding more effectively to disruption. Perhaps most importantly, however, DORA provides an opportunity to embed resilience thinking throughout the organisation.
The Path Forward
Organisations that approach DORA regulations methodically and thoughtfully will find themselves in a better position to navigate complex security challenges as well as regulatory obstacles. Embracing the principles of operational resilience that underpin DORA will empower financial institutions to build a genuine, attainable competitive advantage through stronger resilience, improved customer trust, and more efficient and productive operations.