
DORA: Operational Resilience in Financial Services

DORA is reshaping EU financial services – elevating ICT risk management, incident response, and third-party oversight. Our experts share what these changes mean and how we’re preparing to meet the new standards.

  • By Thomas Winkler, DORA Program Manager
  • Technology

Our Focus on Resilience: How DORA is Shaping the Future of Financial Services.

Supervisory priorities for 2025–2027 highlight potential vulnerabilities in banks, with a priority on operational resilience – especially IT outsourcing, IT security, and cyber risks. The EU’s Digital Operational Resilience Act (DORA) has been applicable since 17 January 2025, turning expectations into binding requirements.

This landmark regulation is reshaping how organizations manage operational risk. We explore key aspects of DORA through insights from our experts.

Understanding DORA's Framework

What is DORA, and why is it important?

DORA is a comprehensive regulation aimed at strengthening the operational resilience of financial institutions within the EU. It mandates robust information and communication technology (ICT) risk management frameworks to handle disruptions and threats. Our Head of Core IT, Elisabeth Geyer-Schall, explains that “DORA is a proactive step to safeguard financial stability, ensuring institutions can withstand, respond to, and recover from operational disruptions.”

Enhancing Risk Management Strategies

How are financial institutions adapting their risk management strategies?

Since its implementation, institutions have been revising their risk protocols to align with DORA’s stringent requirements. Stefan Jaschky, our group-wide leader for IT Risk Management, emphasizes that “the regulation encourages a shift towards more integrated and continuous risk assessment processes, fostering a culture of resilience and preparedness.”

Key Goals and Objectives for Compliance

What are the key goals and objectives in achieving DORA compliance?

Institutions are focused on enhancing their ICT security frameworks, improving incident response mechanisms, and ensuring robust oversight of third-party service providers. Our Head of Group Security & Resilience, Robert Wagenleitner, believes that achieving maximum compliance will result in even greater customer trust: "In times of ever-increasing cyberattacks, customers expect us to recover from disruptions—even without noticing."

Implementation Priorities

Where does DORA put the focus?

DORA prioritizes two key aspects: integrity and availability. Integrity emphasizes the accuracy and reliability of information, which is crucial for maintaining trust and credibility. Availability ensures that systems remain operational and accessible, even during disruptions, minimizing downtime. The team led by Markus Stanek, Head of Group Efficiency Management, manages transparency and efficiency at the process level: “We continuously work with our business teams to evaluate business processes and the systems required for their execution. This approach provides us with a focused view of IT resilience requirements.”

Impact on Third Parties

What about dependency on external vendors?

The implementation of DORA significantly influences how financial institutions manage their relationships with third-party service providers. Under the new regulations, institutions are required to exercise comprehensive oversight and ensure that these external partners comply with stringent operational resilience standards. Edzard Janssen, our Head of Group Procurement, explains: “Thorough risk assessments and continuous monitoring of third-party interactions will improve the entire supply chain, prompting service providers to enhance their own security and resilience frameworks to align with DORA's requirements.”

The bigger picture

At a high level, none of DORA’s requirements are new to banks. Most of them go into more detail and increase the involvement of supervisory authorities; for example, all major disruptions must be reported to the regulator within 24 hours of detection.

DORA is not just a regulatory requirement; it sets the bar for all banks and is therefore a catalyst for positive change, driving the industry toward a more secure and resilient future.
