
Over six months after the EU’s Digital Operational Resilience Act (DORA) came into force, most firms are still falling short. While the regulation was designed to ensure banks, insurers, asset managers and other financial institutions can withstand ICT-related disruption, evidence suggests there is still a long road ahead.
Recent research shows that 96% of firms admit their current levels of data resilience fall short, while 41% say their IT and security teams are under heightened stress since DORA came into effect. This is concerning given the costs of operational failures: in the UK alone, banks have paid out £12.5 million in compensation for IT outages over the past two years.
In an industry where minutes of downtime can cost millions and trust evaporates instantly, DORA is not just another regulation – it’s a survival test.
APIs: the invisible fault lines
Financial services are only as resilient as their weakest API. In today’s financial systems, APIs do the heavy lifting behind every trade, balance sheet, and payment. But when performance dips – even slightly – efficiency, trust, and profit are at stake.
Consider this real-world scenario: a fintech integration with a market data provider seemed healthy, but latency crept from 50 ms to 200 ms. Execution logic slowed, slippage increased, and detection lagged by minutes. That's not a policy issue; it's an operational failure.
The lesson for firms is clear: monitoring uptime is no longer enough. IT leaders need full-path visibility into API latency, including external providers, and systems capable of pinpointing when performance degradation crosses the threshold into compliance territory.
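An added example, not code from the article or from ITRS, of the kind of detector the scenario above calls for: a rolling 95th-percentile latency check that alerts when a dependency drifts from roughly 50 ms to 200 ms and reports how long detection took. The threshold, window size, confirmation count and the sample data are all assumed values chosen for illustration.

```python
from collections import deque

# Assumed values for illustration: an alert threshold well below the 200 ms
# the article describes, a 20-sample rolling window, and 3 consecutive
# breaching windows required before alerting (to suppress single spikes).
THRESHOLD_MS = 150.0
WINDOW = 20
CONFIRM = 3


def p95(values):
    """Nearest-rank 95th percentile of a non-empty sequence of latencies."""
    s = sorted(values)
    idx = max(0, int(round(0.95 * len(s))) - 1)
    return s[idx]


def detect_degradation(samples, threshold_ms=THRESHOLD_MS, window=WINDOW, confirm=CONFIRM):
    """Scan (time_s, latency_ms) samples in order.

    Returns None if the rolling p95 never stays above the threshold; otherwise a
    dict with the time the first raw sample breached the threshold, the time the
    detector raised an alert, and the gap between them (the detection lag the
    article warns about)."""
    recent = deque(maxlen=window)
    consecutive = 0
    first_breach = None
    for t, lat in samples:
        if first_breach is None and lat > threshold_ms:
            first_breach = t
        recent.append(lat)
        if len(recent) < window:
            continue  # not enough history yet to judge a window
        if p95(recent) > threshold_ms:
            consecutive += 1
            if consecutive >= confirm:
                return {"first_breach_t": first_breach, "alert_t": t,
                        "detection_lag_s": t - first_breach}
        else:
            consecutive = 0
    return None


def constructed_samples():
    """Constructed data, not a real capture: one call per second, about 50 ms
    for the first minute, then about 200 ms, with deterministic 0-9 ms jitter."""
    return [(float(t), (50.0 if t < 60 else 200.0) + (t * 7) % 10)
            for t in range(120)]


if __name__ == "__main__":
    print(detect_degradation(constructed_samples()))
```

With these settings the detector fires three samples after the first breach; lowering `confirm` shortens the lag at the cost of more false alerts on isolated spikes.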
Cloud health isn’t enough – supply chain visibility is critical
High-profile incidents in the past year have shown that a single cloud outage can paralyse entire sectors. You only have to look back to July 2024, when the infamous CrowdStrike outage disrupted everything from air traffic systems to online banking. Yet for many organisations, the dashboards still showed “green.” More recently, attackers exploited a compromised integration between Salesloft and Drift, which allowed malicious emails to be sent through trusted platforms and impacted over 700 companies – a strong reminder that exposure to vulnerabilities extends far beyond your own systems.
For Heads of IT Operations, the question is not whether your own tenancy is healthy, but whether you can detect region-wide failures before your customers do. DORA’s ICT dependency mapping requirements underline this: resilience depends just as much on understanding and monitoring the wider supply chain as it does on your own cloud services.
Your vendors, your problem
Another challenge lies in third-party dependencies. The CrowdStrike outage revealed how quickly a vendor failure becomes your business problem. Under DORA, firms cannot outsource accountability – regulators will hold you responsible for third-party vendor resilience.
That means embedding resilience standards directly into vendor contracts, with escalation chains and SLAs that provide assurance long before regulators come calling. Continuous monitoring of vendor performance and documented evidence trails are now critical regulatory requirements.
A checklist for DORA readiness
To meet DORA’s standards and build lasting resilience, IT leaders should focus on five critical actions:
- Monitor API latency, not just uptime. Compliance demands accurate incident detection and reporting. Latency blind spots can turn into regulatory breaches.
- Map full ICT dependencies, including cloud and vendors. DORA requires firms to demonstrate comprehensive dependency visibility – going beyond “green” dashboards.
- Enforce vendor SLAs and escalation chains. Accountability must be contractual, not assumed. Ensure third-party governance aligns with regulatory reporting needs.
- Maintain granular incident logs and evidence trails. If you can’t prove your response with documentation, regulators will assume you didn’t meet requirements.
- Formalise and rehearse third-party incident response playbooks. Resilience must extend across the supply chain, with IR procedures that are tested and auditable.
From compliance to resilience
For IT and operations leaders in financial firms, DORA is more than a regulatory milestone – it is a mandate to prove operational resilience in real time. It’s about visibility, accountability, and preparedness, not just a regulatory tick box exercise.
This means equipping IT teams with the tools and discipline to measure, explain, and prove resilience, and, importantly, to do so before things go wrong.
In financial services, resilience is the new competitive advantage. Firms that treat DORA as an opportunity as opposed to a regulatory burden will strengthen trust, improve customer confidence and reduce the likelihood of costly outages and damaging headlines.
____
Martin Nilsson is Chief Product Officer at ITRS, with more than 20 years' experience in B2B software and financial services technology. Prior to joining ITRS he led global product management and quality assurance at Itiviti, and has held chairman posts at Codic Consulting, Software Skills, and Future Skills.