Sponsored by Veeam

Why DORA is bigger than just a financial sector compliance check box exercise

The EU’s landmark digital resilience legislation has issued a wake-up call for adopting a continuous approach to cybersecurity


The Digital Operational Resilience Act (DORA) has been in effect since 17 January 2025, with a mandate to shore up the digital resilience of financial institutions.

DORA sets out clear standards for digital compliance, compelling financial institutions to assess the risks that exist in their IT systems, gaps in their approach to cybersecurity, and the reliability of their digital supply chain.

The regulation ushers in a new era of compliance and best practices for IT teams. Naturally, DORA places an additional burden on IT teams within financial organizations, who are under pressure to shore up their digital defenses and sharpen their approach to reporting potential incidents.

Crucially, though, it also applies to IT firms that work alongside financial institutions.

These ‘Critical ICT Third Party Providers’ (CTPPs) include cloud service providers (CSPs), data center operators, and other IT service providers whose contribution to financial services firms is deemed important enough that their security could have a serious impact on financial firms that are their customers.

Strengthening the entire supply chain

At its heart, DORA is about keeping the financial sector and, by extension, the economies of entire nations safe from the potentially devastating effects of cyberattacks. It seeks to address not only the common cybersecurity failures at financial institutions but, as outlined above, the potential risks of IT interdependencies and the potentially poor practices of third-party providers.

Any organization’s compliance efforts can only be as effective as the compliance efforts of its partners, and the EU Commission has recognized this with its extensive CTPP requirements.

This classification can include software developers who create critical applications for financial institutions, data analytics firms whose products are essential to the running of a financial institution, and telecommunications firms on whose networks the financial sector relies.

As emerging technologies such as AI become more important in the financial sector, developers who supply critical foundation models or machine learning algorithms that form a core operational role at financial firms will also need to ensure their compliance with DORA.

Since DORA is already being enforced, leaders at organizations affected by it should already have a good understanding of which teams within their business are responsible for meeting the requirements of the legislation and how effectively they are doing so.

Veeam understands that resilience is an ongoing process and that meeting it with any level of effectiveness requires focus, a careful adoption roadmap, and a comprehensive framework for improving security processes.

This is where Veeam’s Data Resilience Maturity Model (DRMM) comes in: a framework through which IT leaders can assess their resilience and take the necessary steps to reduce risk.

One of the reasons DORA can feel disconnected from IT providers is that they may feel they’re already resilient enough. Nevertheless, every organization must carefully consider if it’s really taking the steps necessary to keep itself and its business dependents safe in the event of a cyberattack.

Veeam research, carried out with McKinsey, demonstrates a clear disconnect between how leaders perceive the resilience of their organization and how resilient they actually are. Almost a third (30%) of surveyed CIOs stated their organization has above-average resilience, whereas fewer than 10% do.

Part of the reason for this disconnect is that organizations are simply not utilizing all the resilience best practices, with 74% of surveyed organizations rated ‘basic’ or ‘intermediate’ in data maturity. This means they’re not following best practices when it comes to data resilience, which are outlined in the DRMM in detail.

The DRMM helps businesses identify these gaps in their posture and decide where to allocate their resources and time when working towards DORA compliance.

It’s not just about simply knowing what you’re lacking, though; leaders can struggle to adapt their existing systems when they take on critical changes in a linear order. If you’re in a supermarket, you don’t blindly follow your shopping list, going back and forth between aisles regardless of how efficient — or inefficient — that strategy is. You think ahead for each aisle, picking up what you need in the order that best makes sense for your walking route.

Adopting new approaches to resilience, probing your digital supply chain, and testing the worth of your incident reporting strategy are more complex problems than picking up milk and eggs, but the same principle applies. Leaders have to map out their own needs and follow best practices to get the results they want and fulfill DORA requirements.

The DRMM gives leaders this optimal path to boost their cyber resilience. It was designed to provide businesses with holistic improvements to their resilience across their risk strategy, technology such as backup, reporting, and recovery systems, as well as how to upskill staff to uphold cyber resilience best practices.

Adopting DORA means embracing change

With the right approach, DORA can be the wake-up call that those across the financial sector and adjacent IT roles need to improve their resilience, data preparedness, and willingness to adapt their organizational strategy to chase stronger security controls.

Firms that treat DORA as a to-do list, rather than a legal recognition of the bare minimum steps they must take to secure their operations, will miss out on huge security benefits and expose themselves to further attacks.

The fines associated with the legislation can be eye-watering, with the potential of fines up to €5 million for third-party noncompliance. This pales in comparison to the economic and reputational damage associated with cyberattacks, however.

Put simply, the requirements in DORA instruct firms on how to avoid being compromised by threat actors and potentially passing on the damage to the finance sector. Those who follow these steps aren’t just courting the approval of European supervisory agencies, but taking the first step in strengthening their entire organization.

This can, of course, be easier said than done, which is where frameworks such as the Veeam DRMM can prove so instrumental.

The right hands-on approach to meeting DORA requirements is a great first step, with experts such as Veeam waiting in the wings to help leaders go from keen to compliant in the next instance.

ITPro

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.
