DORA - digital resilience

The financial sector must step up its regulatory resilience efforts to maintain trust and stability in its ecosystems. With the rise of cyber threats and increasing interconnectivity among players, di

introduction

This is where regulators step in, multiplying regulations to meet the demands of an increasingly complex digital environment. Among them is the Digital Operational Resilience Act (DORA), which came into effect on January 17, 2025. This groundbreaking regulation standardizes security requirements across the European financial sector, enforcing a unified approach to risk management, third-party oversight, and business continuity.

But DORA goes beyond mere compliance—it offers a strategic opportunity to turn cybersecurity into a true driver of resilience and innovation.

Whether you are a bank, an insurance company, an asset management firm, or a technology provider, successfully implementing DORA is essential for ensuring lasting compliance—even in the face of evolving regulations. This guide provides a detailed analysis of DORA’s challenges, practical implementation advice, and a strategic outlook, helping you leverage it as a competitive advantage.

what will you find in this paper?

sophisticated cyberattacks, increased reliance on external providers, and an evolving regulatory landscape.

stay competitive in the face of market

testimonies

[Julien Bacus: Partner, finance at Addleshaw Goddard] In their contractual arrangements with ICT providers, financial institutions shall ensure that they include provisions governing access rights, inspection and audit. These provisions must detail the areas to be audited, the standards to be applied and the frequency of such audits. These requirements are similar to the outsourcing requirements which already applied before DORA.

However, DORA is not a "cut and paste" of these provisions and goes further than the existing regulatory guidance. Subject to a limited exemption, DORA imposes an obligation to verify that auditors appointed to perform audits of ICT services of high technical complexity have the appropriate skills and knowledge. Even though DORA is a regulation directly applicable in all member states, please note that the certification of auditors is dealt with at national level. The harmonization sought by DORA is actually not complete in this respect. From a practical perspective, financial institutions need to have a clear picture of their own risks, but also of the risks that ICT providers may create. This is an extensive exercise which imposes new obligations on financial institutions.

[Ludovico Ninotti: Threat Intelligence Analyst, Sopra Steria] At Sopra Steria, our European reach enables us to have the appropriate local skills as required by DORA, to fulfill those strong audit and test requirements. In our view, cybersecurity is not just about reacting to threats; it is rather about staying ahead of a fast-evolving cyber threat landscape. Now the question is: how do we do that? How do we reach this ambitious objective? We do that by leveraging the cooperation between threat intelligence and the red team, which becomes essential in the context of DORA activities. Threat intelligence collects huge amounts of data from different sources about attack patterns and techniques used by threat actors which specifically target the financial sector.

Once all this info has been analyzed and structured, it is passed on to the red team, which uses this info, stored as intelligence, to build realistic threat attack scenarios based on the most relevant threats and customized to your environment. So let us turn intelligence into resilience, so that you are always prepared for whatever comes next in the future.

DORA: Strengthening TLPT for C