DORA: More than a regulation—a paradigm shift in operational resilience

The Digital Operational Resilience Act (DORA) is a transformative framework reshaping how financial institutions approach risk, cyber threats, and operational sustainability. Explore how this global standard is redefining resilience beyond compliance.

The Digital Operational Resilience Act (DORA) has emerged as a transformative regulation within the financial services sector. While its initial implementation date is an essential regulatory milestone, industry experts argue that DORA's impact extends far beyond compliance deadlines and geographical locations. It represents a comprehensive shift in how financial institutions must operate, think about risks, and safeguard their systems against an increasingly volatile threat landscape.

The Cybersecurity Imperative

David Turmaine, Head of International Consulting at Broadridge, succinctly captures the urgency: “It’s not a case of if. It’s not a case of when. Significant cyberattacks and ransomware are happening right now.” Financial institutions are prime targets for attackers, whether small-time hackers or sophisticated criminal organizations. These attackers aim to exploit vulnerabilities and access sensitive data for financial or strategic gain.

The rise in cyber threats has created an environment where resilience is no longer optional. Organizations must assume that breaches are inevitable and prepare to withstand, mitigate, and recover from them effectively.

A Global Ripple Effect

Although DORA is a European regulation, its implications are global. Many financial institutions operating across borders have found themselves unexpectedly affected. Turmaine refers to this as the “regulatory tsunami.” Financial entities in the U.S. and Asia that provide services in Europe must now align their practices with DORA standards.

This development underscores the growing interconnectedness of global financial markets, the increased role of Fintech companies supplying services into the sector, and the universal nature of cyber risks. As regulators worldwide introduce similar measures, resilience is becoming an integral, non-negotiable aspect of financial operations.

The Challenges of Implementation

DORA poses significant challenges to both large and small financial organizations, albeit for different reasons.

For major banks and investment firms, the task lies in managing extensive and interconnected technological ecosystems. Turmaine explains: “Sometimes you’re talking about an estate of technology cobbled together over 20, 30 years... Most banks wouldn’t build what they have today if they were starting from scratch.” These legacy systems are difficult to overhaul, and their complexity can amplify vulnerabilities.

Smaller entities, like some hedge funds and asset managers, face a steep learning curve. Often operating with limited budgets and experience in regulatory compliance, these firms must adapt quickly. For many of these organizations, DORA may be their first exposure to stringent resilience requirements. They are essentially at the beginning of the journey.

“We see three areas that smaller firms need from a partner to help them build their operational resiliency over time,” explains William Young, Senior Consultant, EMEA at Broadridge. “First, they need a partner who understands the evolving landscape and can implement the correct building blocks to allow for future change. They also need someone who knows how to interrogate a third party so that firms can understand the risk they are carrying through the third party ‘black box.’ Last, it is valuable to employ experts who can assure that the internal and third-party work has been undertaken and confirm it meets the intended purpose.”

Beyond the Checkboxes

DORA is not merely a compliance exercise; it is about cultivating a resilient, adaptive operational mindset. Turmaine critiques the box-ticking mentality: “Anyone can do that. What we help firms do is understand the regulation, why it’s important, and what steps are necessary to genuinely reduce risk and enhance resilience.”

The regulation demands more than documentation—it requires active engagement. Firms must regularly test controls, assess their risk profiles, and ensure that their operational defenses are robust. Young stresses the importance of “understanding both the letter and the spirit of the regulation.”

This approach emphasizes that compliance is not a static achievement but an ongoing process. Resilience must be embedded as a “heartbeat” in an organization's operational DNA, involving continual reassessment and adjustment to evolving threats and regulatory demands.

Continuous Monitoring: The New Normal

Central to DORA’s framework is the concept of continuous monitoring. This doesn’t mean having a 24/7 surveillance team scrutinizing every detail but rather maintaining an ongoing awareness of risks across multiple parameters. Key risk indicators (KRIs) must be established and regularly reviewed to ensure the organization’s risk profile remains manageable.

Turmaine elaborates: “The idea is to make yourself as hard to hit as possible. Cyber threats are becoming more sophisticated, and even small vulnerabilities can be exploited.” He also emphasizes the importance of collaborative learning, where firms share lessons from incidents and collectively improve their defenses.

Mindset and Culture Shift

For many organizations, adopting DORA entails more than technological upgrades—it requires a cultural transformation. Employees at all levels must understand their roles in fostering operational resilience, from adhering to security protocols to participating in simulation exercises.

Turmaine and Young both advocate for making resilience a core business value. “It’s about embedding these principles into your policies, procedures, and overall mindset,” Young says. The goal is to align resilience efforts with business objectives, transforming them into a competitive advantage.

Commercial and Reputational Implications

DORA is not just about avoiding fines or regulatory censure. Firms that demonstrate strong resilience measures can gain a competitive edge. “For asset managers, it can be a differentiator,” Turmaine observes. “Clients want to know their assets are safe. Firms that can showcase robust defenses will be more attractive to investors.”

In contrast, there are severe consequences for those that fail to adapt. Data breaches can lead to significant reputational damage, eroding client trust and destabilizing operations.

The Journey Ahead

DORA marks the beginning, not the culmination, of a long journey. As the regulatory landscape evolves and cyber threats grow more sophisticated, financial institutions must remain agile. The key to success lies in proactive, continuous improvement rather than reactive, compliance-driven actions.

Resilience must become the foundation of financial operations, supported by robust systems, a vigilant workforce, and a commitment to excellence. As Turmaine aptly puts it, “Investing in protection isn’t just about meeting requirements—it’s about safeguarding the future of your business.”

By embracing DORA as a mindset and a framework, rather than a one-time hurdle, organizations can build a safer, more stable financial ecosystem. In doing so, they ensure not only their survival but also their ability to thrive in an era defined by uncertainty and change.

For further insight, read Broadridge’s white paper Building Resilience Across Borders.