DORA: industry responds to launch of EU’s new operational resilience regulation

As the Digital Operational Resilience Act (DORA) comes into force after years of anticipation, FStech hears from industry experts to find out what the new rules mean for the financial services industry, exploring the benefits and challenges associated with the regulation.

The EU’s long-anticipated Digital Operational Resilience Act (DORA) finally took effect on 17 January 2025. The regulation is designed to strengthen the ICT security of financial services institutions (FSIs) and to ensure the sector can stay resilient through severe operational disruption.

The legislation harmonises the rules on operational resilience across the bloc. It applies to 20 types of financial entities and to the ICT third-party service providers that serve them, including ones based outside the EU that have operations inside it.

DORA has been a hot topic of debate for the industry over the past few years, with questions still remaining about the long-term impact of the law on the industry and operational resilience strategies and whether anyone is ready for this significant regulatory change.

Elliot Limb, chief executive and founder of Cubed – which helps FinTech founders and chief executives scale and boost value – says that in its current form the regulation is trading innovation for resilience.

“It is enforcing strict compliance burdens and putting financial pressure on the start-ups and scaleups within the FinTech and banking industries,” continues Limb. “Europe is home to over 35 per cent of the world’s FinTech start-ups which have a combined revenue of over $31 billion so we must consider what this regulation means for them.”

He describes DORA as a “knee-jerk reaction” to the industry’s resilience and security problems rather than a regulation which complements the industry’s innovative nature and fosters growth.

Andrii Shevchuck, chief technology officer (CTO) and co-partner at payments provider CONCRYT says that while the Act is a crucial step toward enhancing the EU’s digital security framework, its limitations highlight the growing challenges faced by the payments industry.

“Cyberthreats targeting payments systems, such as ransomware attacks, phishing scams, and increasingly sophisticated fraud schemes, continue to escalate, threatening not only individual organisations but the broader financial ecosystem,” continues the CTO. “While DORA provides a foundation for improving operational resilience, it stops short of addressing key vulnerabilities in the payments space.

“For instance, the regulation lacks clarity on necessary investment levels in cybersecurity and offers limited guidance on adopting advanced technologies essential for defending against modern threats. With the rise of real-time payments, embedded finance, and cross-border transactions, threat vectors have multiplied, yet the tools proposed by DORA lean heavily on outdated, centralised solutions that fail to address risks in decentralised and Web3 environments.”

Shevchuck points out that the payments industry has faced additional challenges with the proliferation of IoT devices, remote access points, and cloud-based systems, all potential single points of failure.

“Legacy security approaches, which often fail to integrate seamlessly with new payment technologies, leave companies exposed to breaches,” he adds. “Meanwhile, DORA’s focus on compliance risks overshadowing the urgent need for genuine innovation in threat mitigation.”

Anna Carrier, senior government and regulatory affairs advisor at law firm Norton Rose Fulbright says that the scope of DORA is very broad, applying to all types of European financial entities with “very limited exemptions” for the smallest institutions.

“It will also capture some of the biggest unregulated ICT third-party service providers, which is a novelty in European law,” adds Carrier. “DORA puts a heavy compliance burden on the businesses affected.

“Most will have to review and update their internal governance arrangements and documentation, as well as assess any contractual arrangements with external ICT suppliers and uplift contract terms to reflect the new DORA requirements.”

To complicate things further, she says, some of the secondary legislation is not ready yet and part of the eagerly awaited Q&A guidance is also pending.

“Despite this, there is no transition period and in-scope entities are now expected to be ready to report ICT-related incidents in line with the DORA rules,” continues Carrier. “They will also need to submit their duly completed registers of information on third-party contractual arrangements in early Q1 to their competent authorities.”

Desre Sheen, head of the UK financial services consulting practice at Capgemini, says that financial institutions are signalling that they have achieved the minimum required for compliance.

“However, the main challenge will be sustaining and evolving the underlying culture over time,” explains Sheen. “Additionally, all plans need to be living documents, as the definition of a critical business service may change.

“It's also important to be mindful that all regulations require a certain level of interpretation, and that means not every firm will be equally compliant.”

Marija Devic, consultant at global management and technology consultancy Capco, says that while firms have made progress for the Day 1 go-live, a substantive book of work remains for 2025 and beyond (Day 2) to ensure compliance with the regulation and to build a strategic operational resilience capability.

“As firms plan their Day 2 remediation activities, they need to ensure they can demonstrate to their customers, regulators and other stakeholders their commitment to maintaining a high level of digital operational resilience,” she continues.

She expects firms to focus on third-party risk management by augmenting their ICT third-party risk management practices: completing registers of information; negotiating and amending contracts with all remaining ICT third-party service providers; enhancing concentration risk frameworks; and developing and testing exit plans for every ICT third-party service provider that supports critical or important functions.

The consultant also says that financial services institutions will be looking to enhance their internal governance and control frameworks, and to expand the scope, alignment and sophistication of existing practices and tests under the overarching “digital operational resilience testing” programme, for example scenario testing.

Paulo Rodriguez, head of international at Vanta, which develops a trust management platform that automates compliance, describes the regulation as a robust framework to support financial institutions in their efforts to withstand, respond to and recover from cyber threats and other disruptions.

“However, many financial institutions are facing challenges adapting to the new regulations,” warns Rodriguez. “This shouldn’t come as a surprise.

“GDPR, the EU’s other great effort to improve digital resilience, was introduced six years ago and businesses are still struggling to grapple with the regulation to this day. Achieving and maintaining compliance demands a significant overhaul of business practices, as well as resource-heavy monitoring and auditing. No doubt DORA is leaving financial institutions and their third-party vendors facing similar headwinds.”

He says that AI could help firms that are struggling with the regulation to automate manual tasks and support the process of maintaining digital resilience compliance.

Marios Joannou, head of digital risk and privacy at payabl says that DORA signals the end of the "move fast and break things" FinTech era that accelerated growth but often left critical resilience gaps, exposing institutions and markets to significant operational risks.

"While it may look cyber security oriented, the reality is that DORA addresses a wide range of risks," continues Joannou. "These include service availability, business insolvency, and hostile takeover as the framework seeks to balance the need for innovation with sustainable growth."

The head of digital risk says that while DORA is the right step to improve resilience, it has placed a significant burden on FinTechs.

"The high compliance costs and heightened scrutiny of third-party providers demand significant resources, which may be challenging – especially for start-ups and scale-ups," Joannou continues. "For larger, multinational institutions like payabl., the harmonisation of resilience rules between the UK and the EU reduces the need to navigate divergent frameworks.

"At the same time, dual compliance frameworks still create significant operational obstacles. Although it has presented an enormous challenge for the industry, it is a necessary growing pain as the industry matures and shifts its focus toward long-term stability."

Nathaniel Lalone, financial markets and funds partner at law firm Katten Muchin Rosenman UK, says that one compliance challenge for firms is linked to updating contracts. He describes a “battle of the forms” between financial entities, who want all their service providers to sign their standard form of agreement, and service providers, who want all their financial entity clients to sign theirs.

"The question is: who has the stronger negotiating power and who blinks first?", explains Lalone. "Second, the compliance burden ratchets up for service providers supporting “critical or important” functions, and there’s some push-and-pull between financial entities and their service providers over the proper criteria and process to use when making that decision.

"This leaves open the risk that some providers of a given service are designated by their financial entities as supporting “critical or important” functions and subject to heightened obligations, whereas providers of a nearly identical service are not. That seems inequitable and it’s not clear how to solve for those discrepancies with the rules as they currently stand."

While there are mixed feelings across the industry about the EU's legislation, the new rules arrive at a time when the threat of operational disruption has never been more pertinent. Over the coming months and years, firms must ensure that meeting the new standards is not just a box-ticking exercise; instead they should cultivate a culture of resilience across their businesses to protect themselves from disruption that could ultimately be detrimental to their services and systems.

Find out more about the challenges and insights firms are facing during the first month of DORA compliance at RegTech Live on 27 February.
