The Digital Operational Resilience Act (DORA) has applied across the EU since 17 January 2025, and it has changed what "resilience" means for financial institutions. For years, operational resilience was treated largely as a continuity and disaster-recovery concern. DORA reframes it as an ongoing, testable, board-level discipline, with explicit expectations about how firms manage ICT risk and the third parties they depend on.

The shape of the obligation

DORA organises its requirements around a few connected themes:

  • ICT risk management — a structured framework for identifying, protecting against, detecting, responding to, and recovering from ICT risk, and for learning from incidents once they are over.
  • Incident reporting — consistent classification and timely reporting of major ICT-related incidents.
  • Resilience testing — regular testing of systems, up to and including threat-led penetration testing for the most significant firms.
  • Third-party risk — active management and oversight of the ICT providers a firm relies on, rather than trusting the contract and looking away.
  • Information sharing — cooperation on cyber threats across the sector.

DORA treats resilience as something you continuously demonstrate, not something you assert in a policy document.

Why this is an engineering and process challenge

It is tempting to read DORA as a compliance programme, but most of its weight lands on how systems are actually built and operated. Testable resilience requires real observability, dependable recovery, and quality engineering practices that hold under stress. Incident reporting requires detection and classification that only work if the underlying monitoring is sound. And third-party risk management requires understanding your true dependency map — including the providers behind your providers.

What good looks like

  • A dependency map that reflects reality, including critical ICT third parties and concentration risk.
  • Resilience built and tested as an engineering property, not described in a binder.
  • Incident detection and reporting wired into the same monitoring that runs day to day.
  • Clear ownership and governance, so resilience has an owner rather than being everyone's and no one's job.
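The "providers behind your providers" point above, and the dependency map and concentration risk item in this list, are easier to reason about when the map is data rather than a diagram. The following is an added example, not code from the original article or from any firm: it builds a transitive dependency map from direct relationships and flags providers that several critical functions ultimately share. The functions, providers and edges are constructed for illustration, and the names are hypothetical.

```python
"""Transitive ICT dependency map with a provider-concentration check.

Added example with constructed data. The functions, providers and
dependency edges below are hypothetical and exist only to illustrate
how a third-party / fourth-party map can be computed and queried.
"""
from collections import defaultdict, deque

# Constructed sample. Each key is a business function or an ICT provider;
# its value is the list of providers that node directly relies on.
# Depth 1 from a function is a third party, depth 2 a fourth party, etc.
DEPENDENCIES = {
    "payments": ["core-banking-saas", "hsm-service"],
    "online-banking": ["core-banking-saas", "cdn-provider"],
    "trade-settlement": ["settlement-platform"],
    "core-banking-saas": ["cloud-region-a", "identity-provider"],
    "settlement-platform": ["cloud-region-a"],
    "hsm-service": ["cloud-region-a"],
    "cdn-provider": [],
    "identity-provider": ["cloud-region-a"],
    "cloud-region-a": [],
}

# Constructed: the functions the (hypothetical) firm classes as critical.
CRITICAL_FUNCTIONS = {"payments", "online-banking", "trade-settlement"}


def transitive_providers(node, deps):
    """Return {provider: depth} for every provider reachable from node.

    Breadth-first, so the recorded depth is the shortest chain. The
    'seen' set also makes the walk terminate if the data contains a cycle
    (for example a provider that, in turn, consumes one of your services).
    """
    seen = {}
    queue = deque((p, 1) for p in deps.get(node, []))
    while queue:
        provider, depth = queue.popleft()
        if provider in seen:
            continue
        seen[provider] = depth
        for sub in deps.get(provider, []):
            queue.append((sub, depth + 1))
    return seen


def concentration(deps, critical):
    """Map each provider to the set of critical functions that depend on
    it, directly or through intermediate providers."""
    exposure = defaultdict(set)
    for function in critical:
        for provider in transitive_providers(function, deps):
            exposure[provider].add(function)
    return dict(exposure)


def shared_providers(deps, critical, threshold=2):
    """Providers whose outage would affect at least `threshold` critical
    functions; these are the concentration-risk candidates to review."""
    return sorted(
        provider
        for provider, functions in concentration(deps, critical).items()
        if len(functions) >= threshold
    )


if __name__ == "__main__":
    for function in sorted(CRITICAL_FUNCTIONS):
        chain = transitive_providers(function, DEPENDENCIES)
        print(f"{function}:")
        for provider, depth in sorted(chain.items(), key=lambda kv: (kv[1], kv[0])):
            print(f"  depth {depth}: {provider}")
    print("shared by 2+ critical functions:",
          shared_providers(DEPENDENCIES, CRITICAL_FUNCTIONS))
    print("shared by all critical functions:",
          shared_providers(DEPENDENCIES, CRITICAL_FUNCTIONS, threshold=3))
```

In the constructed data, no critical function lists "cloud-region-a" as a direct dependency, yet all three reach it at depth 2; that is exactly the kind of hidden concentration a contract-by-contract review will not surface, and the reason the map has to include the providers behind the providers.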

The firms treating DORA as an excuse to genuinely strengthen how they build and run technology — rather than as a reporting exercise — are the ones getting durable value from it, well beyond the regulation itself.