DORA: Resilience in a Digital Era

  • 05 Sep 2025
  • Stephanie

Foreword: In this article Stephanie Phelps, Operational Resilience Specialist for RGA, explores the Digital Operational Resilience Act (DORA), its influence on resilience, and what the future holds.

DORA: let's explore what it's about!

While up until now resilience has mostly been a voluntary endeavour for many organisations (think about the honour an ISO 22301 certification brings!), the EU has decided to do what it does best and regulate the resilience landscape with its Digital Operational Resilience Act (DORA)[1]. DORA focusses on areas of high societal impact by targeting the financial industry (including banks, insurers, investment firms, and even crypto service providers) and its dependency on Information and Communication Technology (ICT) assets.

DORA came into force in January 2025 and is structured around 5 key pillars (ICT Risk Management, Incident Reporting, Testing, 3rd Party Risk Management, and Information Sharing) to provide direct regulatory oversight in support of one solid goal: ensuring that financial institutions can withstand, respond to, and recover from ICT-related disruptions. This is a wise move from the EU, bearing in mind how the risk landscape has evolved over the last decade and how technology and cyber risks consistently rank in the top 10 on world risk reports.[2]

Why DORA matters beyond finance

While only financial institutions are currently regulated by DORA, there is a tendency for the broader corporate landscape to match up to the expectations these regulations impose on the financial sector, albeit through optional voluntary best practices. For example, the Civil Contingencies Act (2004)[3] in the UK officially required public sector bodies and Category 1 and 2 responders to conduct risk assessments, emergency planning, and other business continuity arrangements, all of which are now best practice recommendations for resilience across all sectors, not just emergency services. Alternatively, remember how banks used to be the only organisations that would stress-test their processes, especially after the financial crisis of 2008[4]? Now, any self-described ‘resilient’ organisation has a testing and exercising programme, regardless of its industry.

DORA offers a blueprint for resilience by showcasing a structured, proactive approach to managing digital risk. The regulation’s focus on timely themes such as supply chain risk, cyber risk, and concentration risk comes at a time when organisations are not only outsourcing IT spending[5] but also relying more and more heavily on ICT-based assets, such as software and applications dealing with data, to deliver their products and services.

Beyond the ICT lens, DORA’s focus on 3rd parties aims to normalise contractual clarity, risk assessments, and contingency planning, practices that are universally applicable and desirable. While other sectors may not need to implement the strict practices DORA preaches, all could benefit from its spirit and may be inspired by its mission.

Swiping the fruits, the regulation has pitfalls

Like any compliance endeavour, DORA has its share of doubters. While it was founded on strong ideals, the prescriptive nature of the regulation (over 1000 pages of reading including technical standards and wider lore) has given it a poor image compared to more well-received guidance such as the CBI’s Cross Industry Guidance on Operational Resilience[6] or even the ISO multiverse[7]. DORA also faces backlash for its inability to be a team player: while designed to complement existing EU directives, multinational firms are struggling to navigate not only the highly bureaucratic EU landscape but also the confusion and potential duplication across regulated scopes, leaving global companies wondering whether to scale back EU operations to save themselves the compliance mental arithmetic.

Another dissuading factor is the price of non-compliance. DORA isn’t here to play and charges a lot for breaking the rules (up to 2% of global turnover for financial entities and €5 million for ICT providers)[8]. Critics of the regulation have also raised concerns around the fairness of these penalties, implying that smaller ICT providers may be disproportionately punished compared to larger financial sector counterparts with bigger profit margins. However, as regulators have not yet started any compliance checks, no fines have been issued, which gives us hope that, as the regulation evolves, it may address some of the points raised by critics.

What’s next for DORA and friends?

While still in its infancy, DORA is already making its mark on the global stage. While DORA itself applies to EU firms and any companies that provide services to EU financial institutions within EU borders, other geographies are keeping pace, with countries like South Africa (with their Joint Standard 2 of 2024 on cybersecurity and cyber resilience[9] being comparable to a “mini-DORA” coming into effect in June 2025) and the UAE (with the Dubai Financial Services Authority (DFSA[10]) Cyber Resilience Guidelines coming into effect in January 2026) implementing similar directives in the months following DORA’s implementation date.

DORA marks a turning point in how we think about digital resilience, by moving beyond reactive cybersecurity to a holistic, proactive model that integrates not only governance, but also a more digital-era appropriate focus on testing and third-party oversight. While its immediate impact is heavily felt in the financial sector, its principles are universally relevant in an era where digital disruptions can cripple entire economies.

For business continuity professionals, DORA is more than a regulation; it’s an invitation to rethink resilience and bring it into the digital age. If one can see past the lengthy bureaucratic articles, the spirit of DORA has what it takes to inspire organisations to be not only compliant, but truly resilient.

About the author

Stephanie Phelps

Operational Resilience Specialist