Published by Jessica Weisman-Pitts
Posted on October 27, 2023
5 min readLast updated: January 31, 2026
Over the course of the last decade, technology adoption has accelerated across the financial services sector. From
Over the course of the last decade, technology adoption has accelerated across the financial services sector. From investments, to banking and tax, many services are now delivered digitally or are supported by ICT infrastructure.
For all the benefits this brings – efficiency and cost savings amongst them – the sheer scale and speed of this digital transformation has multiplied operational risks across the industry. Should a critical part of ICT infrastructure fail – say, a bank’s cloud provider goes offline for 24 hours – the consequences could be vast.
In the face of these evolving technology-based risks, the operational resilience of the financial services sector has been a key focus for regulators. One of the most comprehensive examples of this comes in the form of the Digital Operational Resilience Act (DORA), officially adopted by the European Union in January 2023.
Affected firms have until January 2025 to be fully compliant with DORA. Though it is EU legislation, given that many affected UK organisations work within the EU, DORA will likely apply. UK organisations will therefore need to prepare to comply with its guidance.
So, what does the act involve, and how can affected organisations prepare?
DORA has been established to ensure digital resilience is embedded throughout the financial services sector. Its focus is on addressing risks posed by the industry’s reliance on third party ICT providers, and making sure affected organisations can withstand digital disruption.
The act is far-reaching. It applies to credit, payment and e-money institutions, investment firms, crypto-asset providers, central securities depositories, crowdfunding providers and ICT third-party providers, to name a few.
It essentially encourages a uniform approach to the security of network and IT systems that are involved in the operation of financial services. This includes:
DORA represents a significant step change for how many organisations across financial services will approach ICT risk management – so it’s important to prepare. This is particularly crucial when you consider the impact of non-compliance. Regulators may order organisations to cease specific activities or discontinue using certain third-party ICT providers, disrupting operations further. Non-compliant organisations may also face financial penalties, depending on the local regulatory body: potentially fines valued at 1% of the average daily worldwide turnover in the preceding business year.
A pragmatic first step? Gather relevant people and teams from across the organisation – whether CISO, CIO, IT or risk management leads – to pull together a plan for implementing any new infrastructure.
Organisations will likely have to undertake a comprehensive review of existing infrastructure and processes – whether that’s for incident reporting, resilience testing or third party services – to map out where improvements should be made in line with DORA’s requirements. This includes how to identify, classify and document all potential ICT risks, and compiling comprehensive business continuity plans, including ICT disaster recovery and communication plans. These will need to be regularly tested, with risk assessments performed at least once a year – or in response to incidents, resilience testing, audit findings, supervisory instructions, or significant changes to ICT systems.
As the industry strives to comply with DORA and fortify their operational resilience, technology itself emerges as a key enabler of this: whether cloud computing, backup and disaster recovery systems, or cyber security software. By adopting secure and flexible technology solutions, affected organisations can protect critical data and systems, and navigate disruptions with confidence.
Though DORA compliance is a major undertaking, it is a necessary – and legislatively enforced – one. By having a laser focus on digital resilience, we can build a financial services sector that is built to withstand modern, evolving risks and be fit for the future.
Jack Bennett
Sales Leader, SysGroup
The Digital Operational Resilience Act (DORA) is EU legislation aimed at ensuring that financial services firms can withstand and recover from digital disruptions, particularly those related to ICT infrastructure.
Operational resilience refers to an organization's ability to continue delivering services during and after disruptive events, ensuring that critical functions remain operational despite challenges.
ICT risk management involves identifying, assessing, and mitigating risks associated with information and communication technology systems to ensure their security and reliability.
Major incidents in financial services refer to significant disruptions, such as cyberattacks or system failures, that can impact the delivery of services and require immediate response and reporting.
Explore more articles in the Finance category
