Two weeks into DORA: What are the main industry concerns and opportunities?


Contributed

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

The Digital Operational Resilience Act (DORA) officially came into effect on 17 January 2025. In light of the changes now in effect, financial institutions, fintechs and other players in the sector are voicing a mix of optimism, concern, and frustration. Finextra has gathered and analysed industry commentary from Capgemini, Tribe Payments, Forrester, Sonatype, Pinsent Masons, and other industry experts to identify key themes and sentiments as firms navigate this new regulatory landscape.

Overall, the sentiment across the industry is mixed. Responses to DORA show a combination of apprehension, driven by fears of fines, regulatory scrutiny, and resource strain, and optimism among those firms ready to leverage DORA for competitive advantage.

One of the key takeaways identified is a stark contrast in sentiment between larger and smaller organisations. Large firms may feel more confident, viewing DORA as a manageable challenge and an opportunity for leadership in resilience. Small firms and suppliers, however, are more likely to feel overwhelmed, fearing exclusion from the supply chain if they fail to comply.

And while many organisations express relief at having met minimum compliance requirements, many are concerned that the DORA deadline is only the beginning of a larger race for compliance.

DORA as an opportunity for transformation

It’s the organisations that embrace advanced automation and security tools that express enthusiasm about adopting proactive testing frameworks and modernised risk management practices. Stating that DORA can lead to innovation, enhanced resilience, and operational efficiencies, these organisations praise proactive approaches to risk mitigation and vulnerability management.

Another aspect of DORA that is being praised is the harmonisation of standards across the EU, seen as a wider positive signal for stability and trust. For companies in the UK, prioritising DORA compliance now could also help open more doors across the EU.

Overall, the positive sentiment emphasises enhanced resilience efforts and operational efficiencies, as well as the fact that DORA protects not only financial institutions themselves, but also the overall industry and customers.

Key concerns: compliance challenges and complexity

Among the commentary expressing concerns and fears around DORA’s deadline, the main challenges organisations face in meeting the requirements relate to financial penalties and operational challenges. Small and medium-sized organisations especially fear they lack resources to fully comply.

Revising internal governance frameworks and aligning third-party contracts are further burdens (despite outsourcing to experienced third parties being recommended). For firms juggling multiple existing and upcoming regulatory frameworks and standards (e.g., GDPR, ISO 20022, Instant Payments regulation), DORA has been another hurdle as organisations are facing a wave of incoming requirements.

Even for organisations that have implemented previous regulatory requirements specific to outsourcing or cloud, DORA adds another layer of requirements. Commentary mentions that DORA includes detailed requirements for subcontracting, which need to be considered not only by the regulated entities, but also by their third-party suppliers and overall supply chain.

Lastly, concerns over potential personal liability from the personal fines DORA introduces are another factor mentioned. DORA has significant penalties for non-compliance, as well as the implicit possibility of criminal liability for negligent board members, designed to ensure compliance with key obligations such as risk management, implementing adequate security measures, and timely reporting of incidents and vulnerabilities.

DORA is officially in effect – what’s next?

Commentary shows that whether institutions view DORA as a burden or a strategic advantage depends strongly on the internal resources available to address and implement regulatory requirements, but also on the willingness to embrace resilience and innovation in the evolving financial landscape.

After meeting initial compliance requirements, the industry now faces the task of integrating DORA into daily operations, managing resourcing constraints, and adapting to future regulatory updates – especially for those organisations that have only aimed at meeting the minimum requirements necessary.

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.