Challenges and implementation strategies for DORA compliance in the financial sector

CybersecurityHQ Report - Pro Members


Executive Summary

The Digital Operational Resilience Act (DORA) represents a fundamental shift in how EU financial institutions must approach digital risk management. With full applicability having begun on January 17, 2025, financial organizations face the complex task of implementing robust compliance programs spanning ICT risk management, incident handling, testing, third-party oversight, and information sharing.

Our analysis reveals that organizations are encountering significant implementation challenges across five domains: regulatory alignment, governance structures, technical implementation, third-party oversight, and resource constraints. Larger institutions (>$500M annual revenue) are generally making faster progress than smaller entities or those in less regulated subsectors.

Successful DORA implementation strategies include developing comprehensive risk frameworks, implementing proportional compliance approaches, redesigning workflows alongside technology deployment, centralizing critical governance functions, and establishing robust testing programs. Leading organizations view DORA not merely as a compliance obligation but as a strategic opportunity to strengthen organizational resilience against growing digital threats.

This report provides cybersecurity professionals with a practical roadmap for navigating DORA compliance challenges while building sustainable operational resilience capabilities.

Introduction and Background

DORA's Emergence and Core Objectives

The Digital Operational Resilience Act (DORA), officially Regulation (EU) 2022/2554, emerged in response to the accelerating digital transformation of financial services and the growing sophistication of cyber threats. Adopted in December 2022 and entering into force in January 2023, DORA established a 24-month implementation period culminating in full applicability on January 17, 2025.

DORA introduces uniform requirements across 20 categories of financial entities—from banks and insurers to payment institutions and crypto-asset service providers—as well as their ICT third-party service providers. It harmonizes and extends existing ICT risk and outsourcing guidelines into a comprehensive framework built around five core pillars:

  1. ICT Risk Management Framework: Comprehensive governance, strategies, and controls for digital risk

  2. ICT Incident Management and Reporting: Standardized handling and notification of incidents

  3. Digital Operational Resilience Testing: Regular assessment of security posture and resilience

  4. ICT Third-Party Risk Management: Enhanced oversight of technology providers

  5. Information-Sharing Arrangements: Voluntary exchange of threat intelligence

Unlike many EU regulations, DORA provided no transitional grace period after its application date, underscoring regulators' expectations for timely compliance. It is also lex specialis to horizontal EU laws such as the NIS2 Directive, so for in-scope financial entities its provisions take precedence over those horizontal rules.

Implementation Timeline and Regulatory Development

The implementation of DORA has followed a structured timeline with several critical milestones:

  • December 14, 2022: DORA Regulation adopted and published

  • January 16, 2023: DORA enters into force, launching 24-month implementation period

  • January 17, 2024: ESAs submit first batch of technical standards to European Commission

  • July 17, 2024: ESAs submit second batch focusing on incident reporting, testing, and oversight

  • November 29, 2024: Commission adopts Implementing Technical Standards for Register of Information

  • January 17, 2025: DORA applies in full with comprehensive compliance expected

  • Q1 2025: Financial entities submit registers of ICT third-party arrangements to authorities

  • April 30, 2025: National authorities report aggregated information to ESAs

  • H2 2025: First designations of Critical ICT Third-Party Providers (CTPPs) expected

  • 2025-2027: Significant entities must conduct first threat-led penetration test

This timeline illustrates the progressive implementation approach while highlighting the challenging schedule for financial institutions, which had to prepare for compliance with limited final guidance until close to the application date.

Key Challenges in DORA Implementation

Regulatory Complexity and Alignment

Financial institutions face significant challenges navigating DORA's complex regulatory landscape:

  1. Compressed implementation timeline: With final technical standards being adopted throughout 2024, organizations had limited time before the January 2025 deadline. According to industry surveys, 78% cited timeline compression as a primary challenge.

  2. Integration with existing frameworks: Organizations must harmonize DORA with multiple existing regulations:

    • Alignment with EBA/EIOPA/ESMA ICT risk and outsourcing guidelines

    • Consistency with broader operational resilience requirements

    • Coherence with horizontal regulations like GDPR and NIS2

    • Compatibility with sector-specific requirements

  3. Cross-border application: Financial groups operating across multiple jurisdictions face:

    • Different interpretations by national competent authorities

    • Varying maturity of regulatory expectations

    • Challenges in applying group-wide approaches

    • Potential conflicts with non-EU regulatory regimes

  4. Interpretation ambiguities: Several DORA areas remain subject to interpretation:

    • Scope of "ICT service providers"

    • Definition of "critical or important functions"

    • Thresholds for "major" incident classification

    • Application of proportionality principles

Organizations are making implementation decisions with incomplete information while balancing compliance needs with the desire for efficient, sustainable solutions.

Governance and Organizational Structure Challenges

Implementing DORA requires substantial governance changes:

  1. Board-level expertise and engagement: DORA explicitly makes the management body responsible for ICT risk governance. However:

    • 42% of organizations report insufficient ICT risk expertise at board level

    • Many struggle to effectively translate technical risks into business terms

    • Board agendas are already crowded with competing priorities

    • Responsibility for DORA oversight is often unclear

  2. Organizational structure decisions:

    • Organizations must determine the optimal balance between centralized and decentralized approaches

    • Research shows varied centralization across DORA elements:

      • 57% fully centralize risk and compliance

      • 46% centralize data governance

      • Only 23% centralize technology adoption solutions

    • Reconciling local autonomy with group-wide consistency is challenging

  3. Role clarity and accountability:

    • Clear ownership for each DORA requirement must be established

    • New roles may be needed (e.g., Digital Resilience Officer)

    • Existing roles like CISO, CRO, and CIO must be aligned with DORA responsibilities

    • Many organizations struggle with overlapping responsibilities

  4. Cross-functional coordination:

    • DORA implementation requires unprecedented collaboration across IT, risk, compliance, legal, procurement, and business functions

    • Traditional silos often impede effective collaboration

    • Communication barriers between technical and non-technical stakeholders persist

Organizations making the most progress have established dedicated DORA steering committees with senior executive sponsorship, documented responsibility matrices, and strong cross-functional working groups.

Technical Implementation and Operational Challenges

Beyond governance, financial institutions face numerous technical challenges:

  1. Legacy infrastructure limitations:

    • Many institutions operate with aging core systems lacking modern resilience capabilities

    • Technical debt complicates implementation of enhanced controls

    • System interdependencies are often poorly documented

    • Limited automation capabilities hamper efficient compliance

  2. Security monitoring and incident detection:

    • Establishing comprehensive 24/7 monitoring is resource-intensive

    • Many organizations lack advanced threat detection technologies

    • Correlating alerts across multiple security tools remains challenging

    • Skills shortages in security operations persist

  3. Incident classification and reporting:

    • Translating DORA's criteria into operational processes

    • Building capabilities to report within strict timelines (initial notification within 24 hours, or within 4 hours of classifying the incident as major)

    • Developing reliable mechanisms to estimate financial impact during incidents

    • Creating efficient approval workflows for regulatory notifications

  4. Testing program implementation:

    • Securing specialized resources for threat-led penetration testing

    • Safely testing critical systems without risking disruption

    • Developing realistic attack scenarios based on threat intelligence

    • Establishing mechanisms to track remediation of findings

  5. Documentation and evidence challenges:

    • Creating and maintaining comprehensive documentation

    • Establishing evidence collection mechanisms

    • Mapping controls to regulatory requirements

    • Ensuring consistent quality across the organization

Organizations addressing these challenges effectively have adopted phased approaches, prioritizing high-risk areas while building foundational capabilities that can be extended over time.
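The reporting-timeline point above is the one place where this section states a concrete rule, so here is an added example (not from the report or any vendor) that turns it into a deadline calculation an incident-response playbook can call. It assumes the rule as read here: the initial notification is due 4 hours after the incident is classified as major, but never later than 24 hours after the entity first became aware of it, so a late classification does not extend the clock.

```python
from datetime import datetime, timedelta, timezone

# Assumed limits (labelled as this example's reading of the DORA reporting rule):
# 4 hours from classification as "major", capped at 24 hours from awareness.
AWARENESS_LIMIT = timedelta(hours=24)
CLASSIFICATION_LIMIT = timedelta(hours=4)


def initial_notification_deadline(aware_at: datetime, classified_at: datetime) -> datetime:
    """Return the binding deadline for the initial notification.

    Both timestamps must be timezone-aware (use UTC to avoid DST mistakes in
    evidence trails). The earlier of the two clocks wins, so an incident
    classified 22 hours after awareness still has to be notified at the 24h mark.
    """
    if aware_at.tzinfo is None or classified_at.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    if classified_at < aware_at:
        raise ValueError("classification cannot precede awareness")
    return min(aware_at + AWARENESS_LIMIT, classified_at + CLASSIFICATION_LIMIT)


def binding_clock(aware_at: datetime, classified_at: datetime) -> str:
    """Say which rule set the deadline; useful for the notification approval record."""
    by_awareness = aware_at + AWARENESS_LIMIT
    by_classification = classified_at + CLASSIFICATION_LIMIT
    return "24h-from-awareness" if by_awareness <= by_classification else "4h-from-classification"


def hours_remaining(aware_at: datetime, classified_at: datetime, now: datetime) -> float:
    """Hours left until the deadline; negative means the notification is overdue."""
    deadline = initial_notification_deadline(aware_at, classified_at)
    return (deadline - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed sample incident: detected at 08:00 UTC, classified as major at 10:00 UTC.
    aware = datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)
    classified = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)
    print(initial_notification_deadline(aware, classified), binding_clock(aware, classified))
```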
