DORA Is Here - But Readiness Concerns Are Far from Over

For months, the impending Digital Operational Resilience Act (DORA) deadline dominated boardroom discussions across the financial sector, given its potential to reshape operational and regulatory practices. Now that DORA is officially in effect, attention has shifted to other matters, such as a new US presidential inauguration, AI, and fiscal concerns for 2025. Yet DORA should remain a major cause for concern: the regulation is now active and enforcement has begun. Given the likely strictness of that enforcement, financial organisations and their third parties must maintain focus on compliance to avoid major regulatory and operational risks.

DORA is Here – Now What?

As DORA enforcement begins, organisations should prepare for a potentially rigorous process, given the regulation's focus on essential financial and economic functions. While enforcement is initially likely to be inconsistent across EU member states – as seen with GDPR – the European Supervisory Authorities are expected to harmonise enforcement over time. This early inconsistency may create a false sense of security for some organisations. Unfortunately, the risk to UK organisations is greatly understated.

Post-Brexit, the EU remains the UK's largest trading partner, and the UK financial system is deeply integrated with the EU's. The GDPR experience shows why this is a cause for concern for UK organisations. The largest GDPR fines have been levied against US companies operating out of Ireland and Luxembourg (such as LinkedIn Ireland being fined €310 million in 2024), indicating a realpolitik in which being tough on non-EU companies is easier than fining national champions. This creates a real risk that EU enforcement will treat UK companies as 'free hits'.

This situation is even more concerning in light of recent research from Orange Cyberdefense revealing that 43% of UK financial institutions were not prepared to meet the DORA deadline as of December 2024. One challenge reported by respondents is a lack of visibility over third-party partners, an issue DORA directly seeks to address. For third-party suppliers, DORA introduces a level of scrutiny they are not accustomed to, requiring significant adjustments to risk controls and governance frameworks, as well as demonstrable proof of compliance. By targeting systemic vulnerabilities, such as the single points of failure created by third parties, DORA aims to build greater trust and resilience within the financial ecosystem. However, this initial phase of implementation will undoubtedly test the adaptability and trust of institutions and suppliers alike.

Singing From the Same Hymn Sheet

To meet DORA's regulatory requirements, organisations should consider deploying advanced data security and centralised data management solutions. For instance, identifying sensitive data and applying Privacy-Enhancing Technologies (PETs) such as tokenisation and encryption are highly effective in mitigating the risk of third-party breaches. These technologies effectively anonymise data in use, in motion, and at rest, ensuring that sensitive information remains protected even in the event of a breach. This approach also helps organisations integrate third-party risk monitoring into their DORA-required risk management strategies without having to massively overhaul their internal structures.

If DORA aims to get financial institutions and their third-party partners to sing in harmony under a unified framework, robust data security methods can serve as the conductor. In today's complex, multi-cloud environments, data – the main target of cyber-attacks and a main concern of regulators – is often scattered, duplicated, accidentally deleted, locked behind bureaucratic access procedures, or lost entirely within the ecosystem. Moving towards data-centric security methods empowers organisations to identify critical data, control access, and implement a zero-trust architecture, ensuring a secure and streamlined financial ecosystem. This can effectively help organisations and their third parties achieve compliance, whilst improving internal flows and procedures and enhancing synergy within the ecosystem.

Compliance as a Business Benefit

A further benefit of streamlined, compliant data management methods is that they enable organisations to avoid the unnecessary costs associated with bloated and complicated compliance 'fixes' that only seek to tick boxes. Further, moving to centralised data management and security processes simplifies access to sensitive information while maintaining security, eliminating long waits for clearance. As Protegrity's research shows, 37% of organisations wait 1-2 months to access sensitive data, while 32% face delays of 3-6 months. By focusing on effective data management and security, organisations can fast-track compliance, effectively leverage their third parties' offerings, and free up resources to concentrate on growth and innovation. Additionally, third parties that embrace and demonstrate good data hygiene will be more attractive to organisations.

With 2025's fiscal challenges looming, achieving DORA compliance is not only essential but will also quickly become a major business benefit for organisations and third parties alike. Enhanced data processes not only ensure regulatory adherence but also unlock actionable insights – such as customer preferences – allowing organisations to improve relationships and explore new products and services.

To stay compliant and competitive, all entities within the financial sector must implement scalable data management solutions and streamline security processes. These steps will ensure compliance while fostering resilience, trust, and innovation in an ever-evolving landscape.