
How Finance Tech Will Change After the 2025 EU DORA Mandate
The Digital Operational Resilience Act (DORA) has already begun to reshape the financial landscape in the European Union and beyond. Since 17 January 2025, EU financial entities, and the Information and Communication Technology (ICT) third-party providers that support them, must demonstrate robust operational resilience against ICT disruptions.
DORA requires organisations to take a proactive approach to operational resilience. That means more than a strong disaster recovery plan: the regulation is organised around five pillars (ICT risk management, ICT incident reporting, digital operational resilience testing, ICT third-party risk management, and information sharing), and a firm must be able to withstand, respond to and quickly recover from a wide range of ICT-related disruptions across all of them. The emphasis on third-party risk in particular means existing systems and processes must be expanded to cover the many vendor relationships most firms already have.
This is a fundamental shift in how financial institutions manage risk, technology, and their interconnected ecosystems. This article — my second in a series exploring the implications of DORA — will explore how finance tech must evolve in the wake of the DORA mandate.
The Landscape Before DORA
Before DORA was enacted, the regulatory landscape within the financial sector was characterized by a patchwork of varying regulations and standards aimed at addressing operational resilience and cybersecurity. Organisations sometimes struggled to keep up with disparate regulations, leading to gaps in their resilience frameworks and increased vulnerability to cyber threats. The lack of uniformity meant that organizations could adopt different standards, creating challenges in cross-border operations and collaboration.
While the financial services industry is well-versed in regulatory oversight, the risk is that it responds reactively, focusing on meeting minimum compliance standards rather than building a culture of resilience and proactive risk mitigation.
Being reactive leads to insufficient preparedness for potential disruptions, including cyberattacks and operational failures. Stakeholders and regulators increasingly recognized the need for a more cohesive approach to operational resilience, particularly as cyber threats became more prevalent and sophisticated. The prevailing sentiment underscored the importance of establishing a comprehensive regulatory framework, ultimately leading to the introduction of DORA, which aimed to standardize resilience measures and enhance overall security.
A Higher Standard for ICT Providers
One of the biggest changes DORA introduces is its expanded scope: scrutiny now extends to third-party ICT providers. A financial entity remains fully responsible for its own DORA compliance even when it outsources a function, so it must ensure, through due diligence and the contractual provisions DORA requires, that its critical technology partners meet the same standards it is held to. Financial institutions therefore need to be more selective about the ICT providers they choose, and ICT providers should be under no illusion about their responsibilities; the largest of them can be designated as critical ICT third-party providers and placed under direct oversight by the European Supervisory Authorities.
A ripple effect is being felt across the broader tech ecosystem. Accountability is required at all levels, for third parties operating in the EU and beyond. From cloud infrastructure providers to SaaS vendors, no supplier is exempt from scrutiny: each one is a potential point of failure for keeping critical data safe and systems available.
Changes to the Financial Tech Landscape
Financial institutions had a two-year implementation period, from DORA entering into force in January 2023 to its 17 January 2025 application date, to meet its requirements. These are my predictions around knock-on effects and hard truths we can expect from DORA’s enforcement in fintech organisations:
- Manual Work Won’t Cut It. Manual processes are simply too slow and error-prone for the level of resilience required by DORA. Automation is now essential for streamlining tasks pertaining to vulnerability management, incident response, and change management. Solutions like Puppet, which automate infrastructure configuration and management, will play a crucial role in enabling organisations to achieve the necessary resilience with the required speed and agility.
- Visibility Matters. DORA requires organisations to have a comprehensive understanding of their ICT landscape. This means investing in advanced monitoring and analytics capabilities that can provide real-time insights into system performance, security threats, and potential vulnerabilities — in short, a holistic, connected view into the entire infrastructure estate will be critical.
- Security Tactics Must Keep Pace. Cybersecurity is at the heart of operational resilience — DORA will drive increased investment in security technologies and processes, including threat intelligence, intrusion detection, and data protection. Stronger identity and access management will be non-negotiable.
- ICT Providers Need to Establish Trust. DORA encourages collaboration and information sharing between financial institutions and their ICT providers. But it also requires ICT providers to be transparent about their compliance posture, which makes platforms that facilitate secure data sharing and collaboration increasingly important.
- We Need New Fire Drills. The cost of downtime for financial services organizations was over €145 million in 2024. Regular testing and simulation of ICT disruptions will be crucial for demonstrating compliance with DORA as well as fine-tuning resilience response tactics. Organisations must continually prepare for new and repeat threats, including cyberattacks, systems failures, and natural disasters. The results of these drills must feed the perpetual cycle of preparation-test-remediate.
Beyond DORA (and beyond the EU), the trend towards increased regulatory scrutiny will continue. We’re already seeing other regulations placing similar emphasis on resiliency and ICT supply chains and it is only a matter of time before these become more commonplace.
The investments made to comply with DORA will have long-term benefits, enabling financial institutions to not only meet current regulatory requirements but also to lessen the risk of costly service disruptions.
Navigating Change from 2025 and Beyond
DORA is now firmly entrenched and its enforcement phase has begun. Focus must not be lost for even a moment, since maintaining compliance is resource intensive and can distract from other business initiatives. New tactics need to drive efficiency while eliminating human error, so that compliance remains strong without placing unmanageable burdens on infrastructure teams.
Puppet enables organisations to achieve greater consistency, reliability, and security — all essential building blocks of resilient IT infrastructure.
Puppet achieves this through policy as code, which lets organisations take a proactive approach to security. By codifying security policies, literally turning them into code, Puppet enforces the desired state on every agent run (every 30 minutes by default) and reports any drift it found and corrected, so your ICT security measures are not only consistently enforced but also continuously monitored and updated as threats evolve.
Using policy as code, Puppet can automate the patching of vulnerabilities, keeping systems at the package versions the policy specifies and closing known gaps as vendors ship fixes. It can also continuously enforce hardened, internationally recognised standards such as the CIS Benchmarks, reducing the risk of human error and ensuring that systems are configured securely. Read about how Puppet helped ANZ Bank achieve compliance for 22 regulatory bodies.
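To make "policy as code" concrete, here is an added example manifest, written for this edit and not taken from the original post or from Puppet's own documentation. It codifies two CIS-style hardening controls and one patching rule as desired state. It assumes an Enterprise Linux host (where CIS expects /etc/shadow to be mode 0000, root:root), the puppetlabs-stdlib module for the file_line resource, and an SSH service named sshd; the control descriptions are paraphrased and not tied to a specific benchmark version or item number.

```puppet
# Added example manifest (not from the original post or Puppet's docs).
# Assumptions: Enterprise Linux host, puppetlabs-stdlib installed for
# file_line, SSH service name 'sshd'. CIS references are paraphrased.

# CIS control: /etc/shadow must be root-owned and unreadable by anyone
# else. Puppet corrects owner, group and mode on every run if they drift.
file { '/etc/shadow':
  ensure => file,
  owner  => 'root',
  group  => 'root',
  mode   => '0000',
}

# CIS control: disable direct root login over SSH. file_line (stdlib)
# replaces an existing PermitRootLogin directive, commented or not, or
# appends one if none is present, then signals sshd to restart.
file_line { 'sshd PermitRootLogin':
  path   => '/etc/ssh/sshd_config',
  line   => 'PermitRootLogin no',
  match  => '^#?\s*PermitRootLogin\s',
  notify => Service['sshd'],
}

# Patching as policy: keep the SSH server at the newest version the
# configured repositories offer, so vendor fixes for known CVEs are
# applied on the next agent run rather than by a manual ticket.
package { 'openssh-server':
  ensure => latest,
  before => Service['sshd'],
}

# The hardened configuration only protects a service that is running;
# keep sshd up and enabled at boot, and restart it on config changes.
service { 'sshd':
  ensure => running,
  enable => true,
}
```

Run it first with `puppet apply --noop --detailed-exitcodes cis_ssh.pp`: in noop mode the agent reports every resource that is out of compliance without changing anything, and exit code 2 means drift was detected. That report is the kind of evidence DORA's testing and reporting pillars ask for; dropping `--noop` makes the same run enforce the state.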
For businesses operating in the EU financial sector, and those doing ICT-related business with them, DORA is a catalyst for global change. It establishes the gold standard for operational resilience that will influence future regulations and best practices around the world. By investing in the right technologies today, financial institutions can achieve and maintain compliance and gain a competitive advantage.
But the time to act is now.
Our team is standing by to demonstrate how to streamline your DORA compliance efforts with Puppet.
You can also check out our additional DORA resources:
- Webinar: EU’s Digital Operational Resilience Act (DORA): Protect Sensitive Data & Infrastructure at Scale
- Blog: 5 Ways Perforce Helps with DORA Regulation Compliance
- eBook: Get DORA Ready: Avoid Penalties and Stay Secure