2025 in Review: Strengthening QA through DORA, EAA and CPS 230 compliance

In 2025, regulatory developments profoundly influenced how quality assurance and software testing teams in banks and financial services approach their work.

Regulations that were once distant ideas on paper became binding legal frameworks requiring financial firms to embed testing into risk management, operational resilience, and innovation cycles.

Compliance expanded far beyond meeting functional specifications: proving trustworthiness, data integrity, and resilience through rigorous, repeatable testing became essential, not optional.

DORA transition

The Digital Operational Resilience Act (DORA) took effect on January 17, 2025, and quickly became one of the dominant regulatory forces shaping QA practices across the EU and beyond.

As the regulation came into force, banks and other financial institutions faced a range of new conditions intended to strengthen digital resilience and govern ICT risk management across complex, interconnected systems.

Nearly a year on, institutions remain deep in the work of compliance, with risk assessments and governance frameworks still evolving and many entities continuing to grapple with implementation challenges.

Survey data shared in the industry underscored that while almost all financial entities expect to be compliant with key ICT third‑party standards, areas such as subcontracting rules and the Register of Information obligations remain difficult to complete, demonstrating how comprehensive these requirements are.

One senior risk officer observed that DORA has shifted the mindset “from a mere compliance checklist to embedding resilience as a core strategic priority,” highlighting how resilience expectations have moved into core strategic thinking rather than being a technical afterthought.

For QA teams, one of the most tangible impacts of DORA has been the elevation of software testing to a regulatory obligation rather than a purely technical best practice.

Threat‑led penetration testing, long advocated by security practitioners but previously voluntary, is now mandated under DORA for critical ICT systems.

As Jens Kunz, partner at Noerr, described it: “The stricter requirements under DORA are leading to a fundamental change in IT penetration testing practices in the financial sector. After all, hacking is now mandatory under the DORA regulation.”

This shift imposes legal obligations to conduct structured resilience tests that encompass vulnerability assessments, source code reviews, network checks, and scenario‑based simulations, and it requires institutions to align third‑party service providers with the same standards.

At the same time, James Johnston, vice-president of EMEA at Azul, noted the widespread struggle within the industry to meet the original compliance deadline, saying “I personally have not met a CIO or CISO who thought the DORA deadline was realistic,” reflecting how comprehensive and challenging these new requirements are for IT and QA leaders.

Regulation reshapes QA

DORA also redefined how QA teams must think about evidence, automation, and integration with governance. Where QA once focused primarily on defect detection, regulators now demand auditable proof of resilience, continuity, and monitoring that aligns with organisational risk profiles.

Continuous testing, automated compliance checks embedded in CI/CD pipelines, and traceable documentation have become fundamental components of demonstrating compliance.

Michael Kissel of Tricentis stressed that “continuous performance testing is a match to the requirements of DORA,” and Puneet Kohli of Rocket Software emphasised that “compliance today is inseparable from testing. Continuous testing is the only way to stay ahead of both threats and regulators,” underscoring broader recognition that resilience must be proven, measured, and repeatable.

Alongside DORA, the EU Artificial Intelligence Act entered a pivotal enforcement phase in August 2025, moving from legislative debate into binding obligations for developers and deployers of general‑purpose and high‑risk AI systems.

With rules requiring comprehensive technical documentation, transparent data policies, and testable datasets, the AI Act has made compliance a technical challenge as well as a legal one.

Paul Mowat, founder of Infinity Tech Consulting, pointed out that “AI requirements must be validated through comprehensive testing across functional, performance, security, and stress layers, but also in algorithmic integrity,” indicating that QA teams are expected not only to confirm that systems operate correctly, but also to assess fairness, transparency, and bias mitigation in AI models.

Daryl Elfield, a partner at KPMG in the UK, added that high‑risk AI applications now require ongoing monitoring, stating that “if an application falls under this category, then regular testing must take place to ensure accuracy, reliability, and security,” further illustrating how continuous assurance is key to regulatory compliance.

The practical effects of the AI Act also extend to data practices. Tendü Yoğurtçu, CTO of Precisely, emphasised that strong foundational data practices are essential, arguing that “vendors and providers must demonstrate that their test data practices are transparent and aligned with regulatory expectations.”

For QA teams, this means adapting not just functional test suites but also test data management processes that ensure traceability, accuracy, and consistency across environments.

Global and regional moves

Regulatory pressure has not been limited to Europe. In Australia, the CPS 230 standard has reshaped operational resilience expectations, compelling banks and insurers to adopt integrated scenario analysis and comprehensive testing that reflects material service provider dependencies and recovery objectives.

Insurance Asia reported that “APRA expects scenario analysis and testing that is commensurate with the size and complexity of their operations,” signalling that resilience testing must be proportionate, structured, and continuous.

This shift aligns Australian practice with broader global trends toward evidence‑based resilience testing and increasing regulatory demands for end‑to‑end assurance rather than periodic review.

Cross‑border collaboration also emerged as a notable trend in 2025. The Financial Conduct Authority (FCA) in the UK partnered with the Monetary Authority of Singapore (MAS) to develop shared AI testing and regulatory QA standards.

This move was described by Jessica Rusu, the FCA’s Chief Data, Information and Intelligence Officer, who said regulators “will be championing safe and responsible AI innovation across UK and Singapore markets.”

This agreement aims to create secure environments for validating AI models and sharing insights, illustrating the growing importance of coordinated QA frameworks that align regulatory expectations across major financial centres.

In addition, accessibility regulation under the European Accessibility Act influenced QA activities by requiring inclusive design and systematic validation of customer‑facing systems for users with disabilities.

Fredericka Argent, special counsel in London, explained that the act obliges providers to ensure services and apps “are made accessible to consumers with disabilities,” pushing QA teams to broaden test scopes to include accessibility standards as part of compliance workflows.

Regulation as a cultural and strategic imperative

Taken together, these regulatory developments demonstrate a clear shift: QA is no longer a back‑office engineering task but a visible and measurable component of regulatory compliance and operational resilience.

This year’s regulatory landscape has required QA teams to adopt more sophisticated, continuous, and integrated testing approaches that align with legal obligations and organisational risk strategies.

Testing pipelines are now expected to deliver not only functional correctness but demonstrable evidence of resilience, transparency, and accountability. Institutions that have embraced this shift are better positioned to meet regulatory expectations and integrate compliance seamlessly with innovation and delivery.

For QA professionals in 2025, the mandate is unmistakable: testing must be continuous, traceable, and deeply connected with governance processes.

Regulatory frameworks like DORA, the EU AI Act, CPS 230, and accessibility mandates have expanded the QA domain into new areas of responsibility. The future of quality assurance in financial services, it seems, will be defined not just by detecting defects, but by proving resilience at every layer of the software lifecycle.
