Navigating the road towards DORA compliance can be challenging, with many moving parts and regulatory demands to balance.
To complement the technical and strategic overview of DORA, we have conducted an in-depth interview with an experienced compliance advisor who has supported multiple financial institutions through large-scale regulatory transformations.
The interviewee has chosen to remain anonymous due to the highly confidential and security-critical nature of the topics discussed, particularly those related to IT security, regulatory compliance, and data protection.
In the early stages of most DORA programs, financial institutions tend to view compliance as a regulatory obligation, a necessary cost rather than a strategic opportunity. This mindset is especially prevalent at the executive level. Over time, however, that perception evolves. As one national regulator puts it, “holding capital is just as important as having your resilience in order.” This realisation often marks a turning point, where DORA shifts from a checkbox exercise to a catalyst for improved service reliability and customer trust.
One common pitfall is a traditional, policy-heavy approach with limited operational translation. Many organisations draft comprehensive frameworks but fail to integrate them meaningfully into everyday systems and workflows.
DORA compliance rarely exists in isolation. It often runs alongside broader initiatives like cloud migration, data consolidation, and digital transformation. But these efforts don’t always move in lockstep. In some cases, organisations accelerate cloud adoption while their data quality or process maturity lags behind. The result is a disconnect between technical change and operational readiness.
Ideally, DORA implementation should be embedded into the broader transformation portfolio, rather than treated as a parallel or secondary project. Too often the opposite happens: compliance teams operate in isolation from IT, security, and infrastructure units.
A recurring challenge lies in the internal structure of many organisations. ICT risk is often managed separately from broader enterprise risk functions, and operational departments may respond to incidents independently. But DORA is inherently cross-functional: risk, IT, governance, and business units all have roles to play.
To navigate this, institutions are introducing annual, coordinated planning cycles based on DORA’s recurring compliance requirements. This includes clear deliverables, decision checkpoints, and escalation paths. By aligning incident response, threat intelligence, and business continuity processes across the enterprise, organisations can respond faster and more effectively when new threats emerge.
While crisis management processes often exist on paper, the most common gap lies in early recognition: knowing when a regular incident escalates into a DORA-reportable crisis. Delays in that determination can add significant risk and hinder response efforts.
Some organisations are addressing this by embedding intelligent alerts directly into frontline tools, such as helpdesk systems. For instance, if a support agent logs symptoms that match predefined criteria, the system may flag a potential DORA incident and alert the appropriate coordinator. This early triage mechanism can dramatically reduce response time and improve incident handling across departments.
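One way to implement the early-triage rule described above, as an added Python example (not code from the page or from Kruso): a helpdesk ticket is matched against predefined criteria and, when enough of them match, routed to a coordinator. The ticket fields, keywords, thresholds and coordinator names are assumptions for illustration, not DORA's official incident classification criteria.

```python
from dataclasses import dataclass

@dataclass
class Ticket:
    """Helpdesk ticket as a support agent would log it (constructed shape)."""
    ticket_id: str
    description: str
    affected_clients: int = 0
    outage_minutes: int = 0
    critical_service: bool = False

# Illustrative criteria (assumptions): an institution would replace these with
# the thresholds agreed with its compliance function and regulator.
SYMPTOM_KEYWORDS = ("ransomware", "payment outage", "data loss", "failover")
THRESHOLDS = {"affected_clients": 1000, "outage_minutes": 60}
COORDINATORS = {"critical": "ict-crisis-lead", "default": "incident-coordinator"}

def evaluate_ticket(ticket: Ticket) -> dict:
    """Match a ticket against the criteria; flag it as a potential DORA
    incident when two or more criteria match, or a critical service is hit."""
    reasons = []
    text = ticket.description.lower()
    reasons += [f"keyword:{kw}" for kw in SYMPTOM_KEYWORDS if kw in text]
    if ticket.affected_clients >= THRESHOLDS["affected_clients"]:
        reasons.append("affected_clients")
    if ticket.outage_minutes >= THRESHOLDS["outage_minutes"]:
        reasons.append("outage_minutes")
    if ticket.critical_service:
        reasons.append("critical_service")
    flagged = ticket.critical_service or len(reasons) >= 2
    alert = None
    if flagged:
        alert = COORDINATORS["critical" if ticket.critical_service else "default"]
    return {"ticket_id": ticket.ticket_id, "flag": flagged,
            "reasons": reasons, "alert": alert}

def triage(tickets):
    """Return the evaluations that should be routed to a coordinator."""
    return [r for r in map(evaluate_ticket, tickets) if r["flag"]]

# Constructed sample tickets, not real incidents.
SAMPLE_TICKETS = [
    Ticket("T-1", "Customer cannot log in, password reset fails", 3),
    Ticket("T-2", "Payment outage across all branches since 09:00", 5000, 90),
    Ticket("T-3", "Failover environment unreachable during backup replication",
           0, 15, critical_service=True),
]
```

Running `triage(SAMPLE_TICKETS)` flags T-2 and T-3 only; the single-customer login problem in T-1 stays an ordinary ticket.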
Operational resilience testing is another key requirement under DORA, but the quality and relevance of the scenarios matter. Rather than over-emphasising common attacks like DDoS, which are already well mitigated in many environments, organisations are focusing more on high-impact scenarios such as ransomware, compromised failover environments, and cascading failures during backup replication.
Equally important is factoring in the societal impact of ICT disruptions. Scenarios involving payment system outages or delays in healthcare claims processing are now being prioritised. These not only carry high operational risk but also significant reputational and regulatory consequences.
The insights gathered from this interview offer a valuable window into the real-world organisational and operational challenges that DORA introduces and how institutions are actively navigating them.
If you want to learn more about navigating the complex compliance landscape of DORA, feel free to reach out. Our specialists are ready to help you move forward.