29 - 30 OCTOBER 2025
IFEMA MADRID, HALLS 7 - 9

01 Apr 2025

DORA: financial cybersecurity is no longer negotiable

Last January, the European financial sector activated one of the most ambitious cybersecurity regulations: the Digital Operational Resilience Act (DORA). The regulation, promoted by the European Union, requires banks, insurers, investment managers and other entities to strengthen their ability to withstand cyberattacks and technological failures without compromising their business.

DORA's goal is not only to strengthen security, but to ensure that companies are able to operate even in the midst of a digital crisis.

What changes with DORA?

Until now, digital security in the financial sector followed a very heterogeneous approach: fragmented regulations, optional best practices and an over-reliance on technology providers without a clear oversight framework. DORA puts an end to that uncertainty with a common and mandatory framework, structured in five pillars:

  • ICT risk management: Cybersecurity is no longer an isolated department but a strategic priority for the entire organization.
  • Rapid incident notification: Companies must report cyber-attacks and technology failures within 24 hours, which will facilitate a coordinated response.
  • Digital resilience testing: It is no longer enough to react; simulations of cyber-attacks and technology failures are now required on a regular basis.
  • Oversight of technology providers: Many organizations rely on third parties for their critical infrastructure. They must now ensure that they meet appropriate security standards.
  • Centralized supervision: The EU will be able to sanction and restrict the activity of technology companies that do not comply with security requirements for the financial sector.

A challenge for technology leaders

For CIOs, CISOs and industry executives, DORA is a major challenge. The regulation not only imposes new requirements, but also changes the way in which digital security must be managed within the enterprise.

In the short term, many organizations will need to invest in infrastructure, training and processes to meet the requirements. But at its core, the challenge is not just technical, but strategic: DORA forces a rethink of how business continuity is protected in an environment where digital threats evolve faster than regulations.

Various industry analyses indicate that a large proportion of financial companies have not yet completed their DORA adaptation plans, suggesting that many are underestimating the impact of this regulation. It is not enough to react to threats when they occur; a preventive, systematic and auditable approach is now required.

How to prepare?

DORA is already underway, and companies that fail to adapt risk being exposed to critical vulnerabilities and penalties. To address this transition successfully, it is important to follow these steps:

  • Assess the current level of digital resilience
  • Update incident response protocols
  • Implement periodic stress tests
  • Review contracts with technology suppliers
  • Foster a culture of cyber resilience

DORA is not just another regulation, but a change of mindset in the way the financial sector approaches digital security. It is no longer about protecting against the latest cyber-attack, but about ensuring that the company can continue to operate no matter what.

 
