DORA deadline was merely the beginning for financial services

Brighton, UK-based Dominic Tovey

With the Digital Operational Resilience Act (DORA) now in effect – since January 17 of this year – financial services firms across Europe have reached a critical compliance milestone.

That does not mean all banks and financial services firms are now fully compliant. In fact, quite a few institutions still have some vital steps to take.

DORA’s mandate emphasises the importance of operational resilience by establishing standards for Information and Communication Technology (ICT) risk management.

“While achieving compliance by the deadline was a significant accomplishment, it’s only the beginning,” said Dom Tovey, Assured Thought QE Management Consultant.

“True resilience requires a long-term commitment, including regular automated checks, continuous security and load testing, and proactive management of new risks arising from technology upgrades and evolving threats,” Tovey explained.

He stressed that sustaining resilience means consistently monitoring, adapting and improving systems and processes to stay aligned with both regulatory updates and emerging industry challenges.

Beyond the deadline

DORA compliance is not a ‘one and done’ process that stopped at the January deadline, Tovey remarked. “Operational resilience must be maintained to ensure continuing compliance.”

For financial institutions, maintaining operational resilience means staying agile in the face of new risks, integrating technology updates and adapting proactively to regulatory shifts, he continued.

“In short, to comply with DORA, firms must now turn their focus to the practices that will sustain and strengthen resilience over time.”

As key areas for ongoing compliance and resilience, Tovey singled out continuous risk assessment and management.

“Now that DORA is in effect, regular ICT risk reviews are essential to keep up with emerging threats,” he explained.

“Continuous risk assessment will enable your firm to identify vulnerabilities early and adjust risk management strategies accordingly. This proactive approach will not only strengthen your operational resilience but also position your firm to handle challenges – expected and unexpected – more effectively.”


Then there are incident response and recovery improvements.

“With compliance standards in place, firms should regularly test and refine their incident response processes,” Tovey noted.

“Ongoing incident simulations can help QA teams identify and close gaps in response times and effectiveness, ensuring faster recovery with minimal disruption,” he added.

“Continuous improvements in incident response will strengthen a firm’s resilience by keeping its teams prepared and responsive, reducing the potential impact on both operations and clients,” Tovey continued.

If financial services firms continue to rely on a web of external vendors, it’s critical to regularly evaluate those third parties for compliance and resilience capabilities, Tovey warned.

“Now that DORA mandates vendor alignment with resilience standards, firms should implement ongoing monitoring and establish contractual frameworks to ensure any partners contribute to, rather than compromise, operational stability,” he elaborated.

“Strengthening these partnerships will support your firm’s long-term resilience,” Tovey added.

Leveraging technology and automation

Tovey was keen to stress that automation offers significant advantages for sustaining compliance.

“Automated testing will reduce the manual burden of regular checks, increase accuracy and provide real-time insights into your firm’s compliance status,” he stated.

“By implementing automated compliance testing tools, firms can streamline regular checks, identify potential gaps early and adjust proactively.”

Tovey also singled out ongoing security testing.

“Cyberthreats evolve rapidly, and now that DORA compliance is a requirement, continuous security testing has become even more essential,” he explained, pointing out that penetration testing, vulnerability assessments and similar tools can identify and address weaknesses before they become issues.

“Regular security testing will strengthen firms’ resilience against cyberthreats, align them with DORA’s objectives and minimise compliance risks,” Tovey shared.

Finally, he pointed to continuous performance and load testing.

“Ensuring system performance is crucial for maintaining operational resilience.”

With DORA standards in place, regular load and stress testing will confirm whether firms’ systems can withstand peak demands, thus safeguarding continuity.

“These tests align with DORA’s emphasis on operational stability and will give you critical insights into your firm’s capacity, enabling firms to make any necessary improvements,” Tovey concluded.
