Strengthening Cyber Resilience under DORA: What Financial Institutions Should Focus on in 2025 – 2026

Lars Frösslund, Head of Strategy & Transformation at SkySparc, explains how the Digital Operational Resilience Act (DORA) is transforming ICT-risk management across the European financial sector.

DORA in force since January 2025

Since 17 January 2025, the Digital Operational Resilience Act (DORA) – Regulation (EU) 2022/2554 – has been fully applicable to more than 22,000 financial entities and ICT service providers operating within the EU.

DORA represents a major step change in how financial institutions approach ICT-risk management. It establishes a uniform set of rules governing cyber-resilience, ICT incident response, and third-party risk management.

The regulation aims to ensure that all entities operating in the EU financial sector are digitally resilient, capable of withstanding, responding to, and recovering from operational disruptions. It requires continuous oversight of critical ICT systems and full accountability for dependencies on third-party technology providers – even those located outside the EU.

Organizations that fail to comply risk financial penalties, public reprimands, or withdrawal of authorization from regulators. The first supervisory reviews are expected to begin in 2026, making ongoing readiness essential.

Objectives and scope

DORA establishes harmonized cybersecurity and operational-resilience requirements across banking, insurance, asset management, payments, and market-infrastructure sectors.

It builds upon existing frameworks by mandating regular risk assessments, incident-management procedures, testing programs, and reporting obligations.

In practice, DORA requires firms to:

  • Identify and document all critical ICT functions and providers.
  • Monitor, test, and continuously improve digital-resilience controls.
  • Report major ICT incidents within strict regulatory timeframes.
  • Maintain governance structures ensuring board-level accountability.

Maintaining DORA compliance: Core control areas

As institutions operationalize DORA, several ongoing control domains have become priorities:

1 – Risk assessment and management

Firms must continuously assess ICT-related risks, review threat scenarios, and update mitigation strategies. This includes maintaining up-to-date business-impact analyses and resilience testing programs.

2 – Continuous monitoring

Automated monitoring tools should track system availability, cyber incidents, and deviations in real time. Continuous logging and alerting are central to detecting and containing threats early.

3 – Third-party oversight

Outsourcing and cloud providers must now meet the same standards as regulated entities. Regular due-diligence reviews, contractual updates, and independent audits are required to verify compliance with DORA’s third-party provisions.

4 – Updates and patch management

All critical systems must follow structured patch-management procedures to eliminate known vulnerabilities promptly and maintain security baselines.

5 – Incident management and reporting

A formalized incident-management process is mandatory. Staff must be trained to identify and escalate ICT incidents quickly, ensuring regulatory notification within mandated time limits.

Building and sustaining a DORA-readiness program

Most organizations launched DORA programs well before January 2025. The focus has now shifted from implementation to continuous improvement and audit preparedness.

A sustainable DORA-readiness program should include:

  1. Governance: Appoint clear ownership at board and senior-management levels.
  2. Requirements analysis: Monitor new technical standards and guidance issued by the European Supervisory Authorities (ESAs).
  3. Gap reviews: Regularly assess residual gaps between current controls and evolving DORA expectations.
  4. Action planning: Maintain a living remediation roadmap with measurable milestones.
  5. Implementation: Integrate improvements into change-management and IT-governance processes.
  6. Testing and validation: Perform scenario testing, red-team exercises, and periodic penetration tests.
  7. Continuous monitoring: Track key performance and risk indicators to ensure resilience levels remain robust.

Planning ahead

The post-implementation phase of DORA is only the beginning. Regulators across Europe are now preparing for supervisory reviews and data-submission pilots. Institutions that continue to treat DORA as an ongoing program – not a one-off project – will be best positioned to demonstrate resilience and avoid regulatory sanctions.

By fostering transparency, robust ICT governance, and collaboration with critical service providers, firms can transform DORA compliance into a competitive advantage, enhancing client trust and operational reliability.

How SkySparc can help

SkySparc supports financial institutions in strengthening digital resilience, establishing effective DORA-governance frameworks, and integrating ICT-risk controls into day-to-day operations.

To learn how we can help your firm sustain compliance and improve cyber-resilience maturity, please contact us at www.skysparc.com.