Digital Operational Resilience: Why DORA Marks a Regulatory Turning Point for Financial Services
- Buckingham Capital
- Apr 3

The financial sector has long recognised that its dependence on digital infrastructure introduces systemic risk. However, until recently, regulatory frameworks across Europe lacked cohesion when it came to ICT-related threats. The Digital Operational Resilience Act (DORA) represents the most comprehensive attempt yet to formalise a common baseline — not only for cyber risk, but for digital continuity, third-party dependency, and ICT governance across the entire EU financial system.
This article looks at DORA not as a compliance burden, but as a necessary evolution in supervisory architecture — and a signal of how regulators now view technology risk as central to financial stability.
The Logic Behind DORA: A Convergence of Threat and Dependency
Digital transformation in financial services has not been linear; it has been exponential. Institutions now rely on distributed cloud platforms, software-as-a-service ecosystems, and real-time data flows that often sit outside their direct operational perimeter. This has created an increasingly complex ICT landscape — with cyberattacks, system outages, and service disruptions becoming not just internal operational risks, but external systemic risks.
DORA recognises this. It shifts the regulatory perimeter to formally encompass technology providers, ICT infrastructure, and the critical dependencies that underpin financial continuity. In effect, DORA’s goal is not just to make individual firms more resilient, but to ensure resilience at a systemic level.
Scope: A Single Framework for a Fragmented Landscape
One of DORA’s most consequential features is its breadth of applicability. Unlike previous frameworks, which differed by jurisdiction or entity type, DORA applies across the EU to:
- Credit institutions
- Investment firms and asset managers
- Insurance undertakings
- Electronic money institutions (EMIs) and payment institutions (PIs)
- Crypto-asset service providers
- Crowdfunding platforms
- Trade repositories, central counterparties (CCPs), and market infrastructure firms
Additionally, DORA indirectly extends regulatory reach to ICT third-party providers, especially those designated as critical by supervisory authorities.
This harmonisation addresses a longstanding weakness in European regulation: fragmentation in digital risk oversight. DORA replaces this with a common lexicon, standardised expectations, and sector-wide obligations.
The Five Pillars of DORA Compliance
At the heart of DORA are five core pillars. Each is designed not as a standalone requirement, but as part of an integrated approach to operational resilience.
1. ICT Risk Management
Firms must establish and maintain an internal governance and control framework that addresses ICT risks holistically. This includes:
- Defined roles and responsibilities
- ICT risk identification and assessment
- Protective and detection measures
- Response and recovery protocols
- Business continuity and backup systems
The emphasis is not on technology tools per se, but on organisational accountability.
2. ICT Incident Reporting
Firms must report major ICT-related incidents to competent authorities within prescribed timelines, including:
- Immediate notifications
- Root cause and impact assessments
- Preventive and corrective measures
This ensures supervisors have real-time visibility over digital disruptions and emerging systemic vulnerabilities.
3. Digital Operational Resilience Testing
Firms must regularly test their resilience to ICT disruptions. Testing must be proportional to the size and risk profile of the institution, and may include:
- Vulnerability scans
- Scenario-based testing
- Threat-led penetration testing (TLPT) for critical firms
The goal is to ensure that resilience is not theoretical — but demonstrable.
4. Third-Party Risk Management
Firms must identify, assess, and manage ICT risks arising from external providers. DORA mandates:
- Contractual clauses defining access, audit rights, data recovery, and exit terms
- A centralised register of all ICT service providers
- Monitoring of concentration risk and systemic dependencies
The inclusion of subcontractors and multi-tier outsourcing chains reflects the real-world complexity of vendor landscapes.
5. Information Sharing
Firms are encouraged to participate in threat intelligence sharing. While this is voluntary, it reflects a wider regulatory trend — the view that operational resilience must be collective, not siloed.
Governance and Accountability: The Board Is Responsible
DORA is not a technology regulation. It is a governance regulation, with direct implications for boards, senior management, and accountable persons. Firms must not only implement technical safeguards, but also demonstrate:
- Board-level oversight of ICT risk
- Regular reporting to risk and audit committees
- Internal audit coverage of ICT frameworks
- Documentation of decision-making, risk tolerance, and remediation actions
Regulators are likely to assess governance effectiveness as rigorously as they assess technical controls.
What DORA Means for Supervisors
For national competent authorities (NCAs), DORA introduces a more active supervisory role — including the authority to:
- Assess resilience frameworks
- Request documentation and audit trails
- Investigate significant ICT incidents
- Coordinate with other EU NCAs on cross-border risks
- Designate and oversee critical ICT third-party providers
This represents a notable shift in supervisory responsibility, particularly in how non-financial service providers may come under direct regulatory oversight for the first time.
Conclusion: Beyond Compliance — Towards Digital Integrity
DORA reflects a new consensus: digital resilience is core to financial stability. The regulation signals that operational disruptions are not secondary concerns, but primary threats. The harmonisation of expectations, combined with a strong focus on board accountability, elevates DORA far above traditional cyber risk frameworks.
Whether firms are large or small, licensed or registered, the principle remains the same: digital operations must be resilient, governable, and testable. The financial system, after all, is only as strong as the infrastructure it runs on.