The Digital Operational Resilience Act (DORA) and the European Financial Sector

Bringing the financial sector into the digital age has yielded significant benefits but has also heightened technology risks like cyberattacks and system outages. In the EU, the Digital Operational Resilience Act (DORA) establishes comprehensive requirements for EU-based financial institutions (FIs) to protect their core operations, according to an article by McKinsey. 

As the January 2025 enforcement date nears, many institutions are progressing toward compliance, though uncertainties about the scope and timelines of the legislation remain. McKinsey’s survey reveals that while 94% of FIs are actively engaged with DORA, many are still clarifying key elements such as the definitions of critical functions and third-party providers. 

Financial institutions have undertaken gap analyses and are developing implementation programs, yet budget allocations for these efforts vary widely, reflecting the complexity and scope of the required changes. Some institutions anticipate spending up to €100 million on compliance, significantly higher than initial estimates.

The article highlights challenges in implementing DORA including managing third-party information and communications technology (ICT) risks and defining the scope of compliance activities. To counter these risks, financial institutions need robust oversight of ICT service providers and a strategic approach to risk management. 

Despite the hurdles, some organizations are leveraging DORA as an opportunity to enhance digital resilience rather than merely meeting regulatory requirements. This involves driving transformation from the top, appointing a single accountable program owner, and adopting a risk-based approach to implementation.

The authors also emphasize cross-industry collaboration, with the potential to streamline the compliance process and build trusted networks. As institutions work towards DORA compliance, they have the chance to address broader issues of digital resilience, fostering greater trust in the financial ecosystem and creating long-term value.

While the Digital Operational Resilience Act (DORA) presents significant implementation challenges, it also offers a strategic opportunity for financial institutions to strengthen their digital resilience and operational capabilities. By focusing on risk-based, business-led approaches and fostering collaboration, institutions can not only comply with DORA but also enhance their overall resilience and customer trust.