DORA and beyond: what do new compliance standards mean for banking and finance?
The Digital Operational Resilience Act (DORA) redefines financial sector resilience, bringing challenges and opportunities for 2025.
There is a palpable tension in the air, and every player in the European financial services industry feels it. The sector stands on the brink of a significant regulatory shift.
As cyber threats escalate in both sophistication and frequency, regulatory bodies are seeking ways to reassess and strengthen existing resilience measures. In many cases, regulatory efforts are necessary to keep pace with the evolution of cybersecurity threats.
According to the 2024 Global Financial Stability Report, produced by the International Monetary Fund (IMF), over the past two decades, the financial sector has experienced over 20,000 cyberattacks, resulting in a staggering $12 billion loss (see Fig. 1).
IBM’s Cost of a Data Breach Report estimates that in 2024 alone, the average data breach cost soared to $4.45 million.
Figure 1. Financial sector losses and cyber incidents. Source: IMF
“Such losses could potentially cause funding problems for companies and even jeopardise their solvency. These extreme losses have more than quadrupled since 2017 to $2.5 billion. And indirect losses like reputational damage or security upgrades are substantially higher,” the IMF indicates.
However, there is a light at the end of the tunnel. As we look towards 2025, compliance standards like the Digital Operational Resilience Act (DORA) appear as not mere regulatory guidelines but a call for a paradigm shift in how banks and financial entities operate.
DORA aims to provide the financial sector with a more unified and robust framework to ensure that all institutions can withstand, respond to, and recover from various information and communication technology (ICT) related threats and disruptions. The upcoming regulatory changes address both the threats that have already occurred and those that lie ahead.
It’s time to put on our investigator’s hats and examine DORA closely. We will explore what it aims to achieve and what needs to be considered when it takes effect.
Understanding the changing regulatory landscape
The financial sector is entering a pivotal moment as it faces the full implementation of DORA by January 17, 2025. DORA focuses on digital operational resilience across financial institutions in the EU. The key goal is to ensure these institutions are well-equipped to withstand, respond to, and recover from ICT disruptions.
Given the recent figures, it is clear that regulatory shifts come at a significant cost and require substantial organizational changes (see Fig. 2). However, these regulation-related costs are minimal compared to the potential losses the industry could face without regulatory oversight.
Figure 2. The overall cost of compliance. Source: Avenga
DORA sets out a unified framework covering multiple aspects of operational resilience. It relates to ICT risk management, incident reporting, resilience testing, and third-party risk management. For financial institutions, this means a new era where compliance is not just a tick-box exercise but an integral part of daily operations.
Compliance challenges on the horizon
Financial institutions face several compliance challenges with regulations such as DORA. Among the most significant are:
- Increased costs of compliance. Compliance with DORA and similar regulations will require significant investment. Compliance costs average $181 billion annually, with the average cost per employee to maintain compliance reaching $10,000, according to Forbes. With DORA’s additional requirements, these costs are likely to increase.
- Adapting legacy systems. Many financial institutions rely on legacy systems that are difficult to integrate with modern, automated compliance tools. These outdated systems will need upgrading or replacement to meet DORA’s standards, presenting a technically complex and costly challenge.
- Third-party risk management. DORA places significant emphasis on third-party ICT risk. Financial institutions must ensure their own resilience as well as that of any external service providers. According to the aforementioned IBM report, 95% of all cybersecurity breaches involve human error. Managing this risk involves continuous monitoring and clear contractual agreements with providers to maintain compliance standards across the board.
Stephen McDermid, EMEA chief security officer for cybersecurity firm Okta, argues that many financial services firms are focusing on their current resilience and third-party risk programmes to comply with DORA. In an interview with CNBC, he says: “This is the intention of DORA, to align many existing governance programmes under a single supervisory authority and harmonise them across the EU.”
DORA compliance: avoiding penalties
Non-compliance with DORA carries substantial financial penalties. Institutions could face fines of up to 2% of their total annual worldwide turnover, and critical third-party service providers could incur even higher fines of up to €5 million. These penalties are comparable to those of the General Data Protection Regulation (GDPR), which can reach up to €20 million for severe breaches. Given the stakes, financial institutions must adhere to DORA’s requirements to avoid financial and reputational damage.
The changing regulatory landscape presents distinct challenges, primarily related to the rising costs of compliance and the need to update or replace legacy systems. With DORA on the horizon, financial organisations must plan ahead and allocate resources to ensure compliance. This also requires a new approach to working with third-party providers. However, with proper strategic guidance and reliable partners, these challenges can be overcome.
Navigating compliance with strategic guidance
While compliance may seem daunting, a strategic approach can transform regulatory requirements into a competitive advantage. Here’s how financial institutions can adapt effectively:
- Gap assessment and roadmap development. The first step toward compliance with new standards like DORA is conducting a gap assessment. This process helps identify shortcomings and discrepancies between the organisation’s current practices and DORA’s requirements, highlighting areas that need improvement or complete transformation. Institutions can then create a clear roadmap by setting realistic timelines and milestones to achieve compliance by January 2025.
- Engaging management and governance. DORA emphasises the need for a holistic approach to digital operational resilience. Governance must break down silos between IT, cyber, business continuity, and third-party risk management. This means actively involving senior management in compliance initiatives to ensure commitment and alignment of resilience efforts across the institution.
- Investment in technology and automation. Financial institutions can simplify and scale their compliance processes by investing in automation and integrating new technologies. Automation helps reduce the costs of manually managing compliance tasks while increasing accuracy and efficiency. Examples include using artificial intelligence (AI)-driven anomaly detection systems to identify potential breaches and multi-factor authentication (MFA) to enhance system access security.
- Strategic partnership. A key factor in achieving successful compliance is having the right partners by your side. Ensure you collaborate with companies and service providers that specialise in gap analysis and have compliance experts trained to promote digital resilience.
Experts at McKinsey believe that “Europe’s new resilience regime” represents a significant collaborative effort, urging institutions and organisations to revisit critical challenges around digital resilience while fostering greater integration across various organisational components. Ultimately, concrete preventive measures are being implemented, moving away from post-breach tactics.
The fact that many organisations plan to spend between €5 million and €15 million to comply with DORA underscores the seriousness with which this initiative is being approached (see Fig. 3).
Figure 3. Institutions budget for DORA strategies, planning, design, and orchestration. Source: McKinsey
So, a smooth transition to DORA requires a strategic gap analysis, an in-depth roadmap, unified governance, substantial investment, and strategic partnerships. Meeting these requirements turns compliance from a challenge into a strategic asset, something we will discuss in the next section.
From compliance burden to strategic asset
Rather than viewing compliance as a burden, financial institutions can see it as an opportunity for transformation. The evolution of regulations like DORA presents a chance for banks and financial entities to improve their resilience and, ultimately, their service quality.
Here’s a roadmap showing DORA’s path from an initial idea to the reality it is about to become (see Fig. 4).
Figure 4. Progressive strengthening and harmonisation of sectoral requirements on ICT risk management. Source: PwC
So, what specific points does DORA bring to the table? While there are numerous pages written on the subject, we can outline four key aspects:
- Building resilience. DORA strongly emphasises ICT incident reporting, testing, and management. Financial institutions must establish systems for real-time alerts, implement regular operational resilience tests, and report incidents effectively. This helps in regulatory compliance and creates a more secure environment for clients and investors.
- Leveraging third-party service providers. A core tenet of DORA is ensuring the resilience of third-party service providers, as they are often integrated deeply into banking operations. Institutions must clearly define service-level agreements (SLAs), monitor compliance, and work collaboratively with third-party providers to uphold resilience standards.
- Continuous testing and improvement. Digital operational resilience testing is a continuous process. To ensure readiness, financial institutions should conduct annual penetration tests, implement simulated phishing exercises, and stress test their systems under extreme conditions.
- Information sharing and community building. DORA encourages institutions to establish trusted networks for information sharing regarding cyber threats and vulnerabilities. Financial institutions should actively participate in industry forums and collaborative cybersecurity exercises to stay ahead of potential risks.
DORA focuses on creating a more secure ecosystem. Its multifaceted approach is designed to ensure that all relevant parties adhere to the same resilience-based standards.
DORA readiness assessment with Avenga
With DORA enforcement imminent, financial institutions must ensure full compliance to avoid penalties and strengthen operational resilience. We expect more businesses to seek ongoing support instead of quick fixes.
Avenga offers DORA Readiness Assessment services to guide organisations during their compliance journey. Our team provides efficient solutions, skilled personnel, and continuous guidance to handle future requirements, whether through automation, third-party assessments, or faster approval processes. This way, you stay prepared as DORA compliance becomes a long-term necessity.
Here’s what Avenga provides:
- Comprehensive gap analysis. Identification and evaluation of compliance gaps using detailed checklists aligned with DORA requirements.
- Actionable compliance roadmap. A customised plan with specific recommendations addressing technical, procedural, and legal gaps.
- Expert guidance. Implementation support from experienced compliance specialists to ensure readiness and long-term resilience.
Avenga helps organisations confidently meet DORA mandates and turn compliance challenges into strategic advantages.
Conclusion
2025 marks the year of regulatory transformation. Compliance with DORA guidelines and other evolving regulations is essential for all financial institutions. This new regulatory landscape presents both challenges and opportunities, depending on how institutions respond. By transforming compliance efforts into strategic initiatives, the financial sector can meet regulatory requirements, strengthen operational resilience, and build trust with clients and investors.
Remember, compliance is an ongoing process, not a one-time project.
Is your organisation ready to tackle these cybersecurity challenges?
I invite you to connect and discover how we can help strengthen your cybersecurity strategy for 2025 and beyond.
Get in touch with Tatjana Sokolova Najdova and let’s have a chat.
Sponsored by Avenga