The Digital Operational Resilience Act (DORA) is now in force across the EU, setting a new standard for cyber and operational resilience in financial services. While it is a European regulation, its implications are anything but local. Any organisation that supplies or works with EU-based financial institutions is now part of the DORA conversation, no matter where it operates.
Why DORA Matters for Financial Services
The EU is home to more than 22,000 regulated financial entities, including globally significant banks. The Euro is the world’s second largest reserve currency. When the EU takes steps to strengthen financial stability, the rest of the world takes note. DORA
aims to ensure that a cyber incident at one institution or supplier does not ripple across the financial system. In an environment this interconnected, resilience is not optional.
Third Parties in the Spotlight
DORA recognises that many incidents do not begin inside a bank or insurer. They start with suppliers. Recent breach research puts the share of breaches that involve a third party at around 30 percent.
To address this, DORA requires EU financial entities to assess and manage the risk of their ICT third-party service providers, with the strictest requirements reserved for providers that support critical or important functions. That means clear expectations around risk management, incident reporting, and continuity planning, set out in the contract itself. And it means vendors need to be ready to demonstrate, with evidence, that they meet those standards.
Responsibility at the Top
Another defining feature of DORA is accountability. The management body, meaning executive teams and boards, is expected to take ownership of digital resilience and is held responsible for it. This shifts cybersecurity out of the IT department and into the strategic core of the organisation.
Firms must document their resilience programmes, test regularly, and maintain evidence of ongoing improvement. Those obligations fall on the financial entity itself, but because it must contract for equivalent assurances from its ICT providers, they reach every organisation in the supply chain that supports a critical or important function.
A Global Effect, Not Just a European One
DORA may be an EU regulation, but its effects extend far beyond the region. It follows a model similar to GDPR, which reshaped global data privacy practices by focusing on EU citizens’ rights, regardless of where companies were based. The same is now happening
with operational resilience. Financial institutions are being held responsible for their suppliers, which in turn forces those suppliers to meet EU standards.
This dynamic, often called the Brussels Effect, is already playing out. Multinational companies prefer to align with the highest standards to simplify compliance across markets. As a result, DORA is quickly becoming a global benchmark.
What Financial Organisations Need to Do to Be Prepared
DORA has applied since 17 January 2025, so financial institutions that are not yet compliant must act quickly and decisively.
Key actions include:
- Map your third-party ecosystem: Identify all ICT suppliers, record them in the register of information that DORA requires, assess their risk profiles, and classify them according to impact and exposure, flagging those that support critical or important functions.
- Tighten contractual terms: Ensure supplier agreements include clauses around service continuity, security controls, incident reporting, audit and access rights, and exit arrangements, so that a provider can be replaced without disrupting critical services.
- Implement continuous monitoring: Move beyond point-in-time assessments. Build systems that provide ongoing visibility into vendor risk and performance, and review concentration risk where many services depend on a single provider.
- Run resilience testing across the chain: Stress test your operational capacity and include key third parties in your scenario planning, incident response drills and, where DORA requires it, threat-led penetration testing.
- Elevate board-level oversight: Ensure that executive stakeholders understand their responsibilities under DORA and have governance frameworks in place to track progress and evidence it to supervisors.
Raising the Bar for Everyone
In a globally connected financial system, no organisation can afford to be the weakest link. DORA is raising the baseline for operational resilience across borders. For any business in the financial services ecosystem, being DORA-ready is fast becoming a competitive
advantage.