The Digital Operational Resilience Act (DORA) is a regulatory framework introduced by the European Union to enhance the resilience of financial services firms against IT disruptions. Effective from January 2025, DORA sets clear expectations for firms to manage IT risks systematically, conduct resilience testing under realistic conditions, and maintain strict oversight of third-party dependencies. The act aims to ensure that organizations can retain control and restore services promptly during incidents, thereby minimizing operational and regulatory risks.
Despite being in effect for over a year, the maturity of compliance with DORA varies significantly across the financial sector. While some institutions have invested in continuity and cyber response measures, others are still in the early stages of building the necessary frameworks. A survey conducted in 2025 revealed that 96% of financial services organizations in the EMEA region believe they need to improve their resilience to meet DORA's standards. The challenge lies not only in having governance documents but in executing consistent actions across complex systems and suppliers under pressure.
Technical challenges often arise during major incidents when access to critical systems is compromised. Network faults or cyber incidents can sever connectivity, making it difficult for engineers to isolate affected components and stabilize services. This highlights a gap in many resilience programs, where backup and disaster recovery plans do not ensure that teams can administer infrastructure during an incident. Independent management access, such as out-of-band management, provides a dedicated route to critical infrastructure, allowing teams to restore services even when the primary network is impaired.
Supply chain disruptions add another layer of complexity, as financial services firms rely on shared platforms and external providers. When disruptions originate from the supply chain, firms must still contain the impact and maintain essential services, often in coordination with third parties. DORA emphasizes the importance of third-party oversight and operational outcomes, pushing firms to understand which providers support critical functions and how to respond when external dependencies are under stress.
To meet DORA's requirements, firms should focus on maintaining operational control during severe disruptions. Implementing independent management access to critical infrastructure can help achieve this by providing a practical means of staying in control when the main route into the environment is compromised. This approach reduces both operational risk during incidents and regulatory risk in the aftermath, ensuring that firms can limit impact and restore services safely.
Source: https://www.itsecurityguru.org/2026/04/28/dora-and-the-practical-test-of-operational-resilience/?utm_source=rss&utm_medium=rss&utm_campaign=dora-and-the-practical-test-of-operational-resilience