Why DORA is forcing CISOs to rethink operational resilience

The EU’s Digital Operational Resilience Act, better known as DORA, is more than a regulatory milestone for financial services. For chief information security officers, it represents a shift in accountability, visibility and operational expectations.

Formally adopted as Regulation (EU) 2022/2554, DORA has applied since 17 January 2025 and creates a single rulebook for managing information and communication technology risk across banks, insurers, investment firms and their critical technology providers. Unlike earlier fragmented requirements, it is directly applicable across all member states.

For CISOs, the immediate implication is governance elevation. DORA explicitly places responsibility for digital operational resilience with management bodies. Security leaders now have both leverage and pressure. Leverage, because cyber-risk must be discussed at board level. Pressure, because frameworks, controls and reporting must withstand regulatory scrutiny.

The regulation requires firms to implement comprehensive ICT risk management frameworks that are proportionate to their scale and complexity. That includes clear asset inventories, dependency mapping, resilience planning and documented control effectiveness. For many security teams, this means formalising practices that may previously have been informal or inconsistently evidenced.

Incident reporting is another operational inflection point. Under DORA, firms must notify authorities of major ICT-related incidents within defined timelines. For CISOs, this demands mature detection, classification and escalation processes. The margin for uncertainty narrows when reporting windows are fixed and supervisory follow-up is likely.

Perhaps the most strategic impact lies in third-party risk. Financial institutions must identify, monitor and manage dependencies on external ICT providers, including cloud services. Supervisory authorities, including the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority, can designate certain providers as critical and subject them to direct oversight.

For CISOs, this extends the security perimeter beyond internal infrastructure. Vendor risk assessments, contractual clauses, exit strategies and resilience testing must now be defensible and continuously updated. Dependency concentration, particularly in cloud environments, becomes a board-level conversation.

DORA also introduces regular resilience testing, including threat-led penetration testing for significant entities. This moves organisations from theoretical preparedness to demonstrable survivability. For security leaders, the emphasis shifts from preventing every incident to proving the organisation can absorb and recover from disruption.

In practical terms, DORA gives CISOs a stronger mandate to align cyber-security with enterprise risk management. It also raises expectations around documentation, metrics and assurance. The question regulators will ask is not whether controls exist, but whether resilience is measurable, tested and embedded into strategic decision-making.

For financial sector CISOs, DORA is both a compliance challenge and a strategic opportunity. It formalises cyber-resilience as a pillar of financial stability and positions security leadership at the centre of governance rather than at the edge of IT operations.

© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543