
The Digital Operational Resilience Act is no longer something to prepare for in the future. It is here, and it is active. 

From January 2025, financial institutions across the EU must comply with DORA’s requirements. But the work needs to start now. For firms still trying to translate the regulation into day-to-day action, the window to prepare is closing fast. 

This is not just an IT issue. DORA brings together risk management, compliance, resilience testing, third-party oversight, and incident response. It applies across the entire organisation and requires evidence, not intention. 

So what now? What should your teams be doing to make sure your integration and operational processes are up to standard? 

Need a refresher on DORA itself? 

If you are still getting to grips with what DORA includes, start here: 
https://arrt.uk.com/understanding-the-digital-operational-resilience-act-dora/  

You can also watch our short explainer: 
https://youtu.be/umd0c6cA2oM?si=u1g_MzQXOP7uBp0C 

Or explore our follow-up content that covers implementation tips: 
https://youtu.be/iU5HWvGmB2w?si=0EabxXDc3kstxDCI 

Five Things to Tackle Right Now

  • Audit your ICT risk landscape 
    Understand where your vulnerabilities sit across systems, data, third-party services, and internal processes. You cannot secure what you cannot see. 
  • Prepare for structured incident reporting 
    DORA expects a formalised process for classifying, logging, and escalating ICT-related incidents. This needs to be in place and tested ahead of enforcement. 
  • Map your third-party dependencies 
    DORA places heavy emphasis on external risk. Do you know which vendors support critical services? Are your contracts up to standard? 
  • Get your configuration data in order 
    Your resilience is only as strong as the clarity of your configuration data. If your integrations are undocumented or inconsistent, incident response becomes difficult and delays recovery. 
  • Plan for resilience testing 
    This includes everything from tabletop exercises to threat-led penetration testing. You will need a strategy, documentation, and evidence. 

What Firms Are Struggling With in 2025 

DORA may now be in effect, but compliance is proving more difficult in practice than it looks on paper. 

Many firms are realising that existing documentation, controls, and risk processes do not meet the level of clarity and traceability DORA requires. 

According to AuditBoard, only 40 percent of organisations have completed the necessary steps to comply. The majority are still working through gaps in visibility, vendor oversight, and operational processes.
https://www.channelinsider.com/managed-services/auditboard-compliance-report/  

McKinsey also highlights resilience testing and incident reporting as two of the most underdeveloped areas across the financial sector. While most firms have basic processes in place, few are equipped for the kind of real-time, auditable responses that DORA expects. 
https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/europes-new-resilience-regime-the-race-to-get-ready-for-dora  

Another key challenge is the effort required to map and assess third-party ICT dependencies. DORA introduces direct accountability for these relationships, and firms are now expected to maintain accurate inventories and ensure contracts are DORA-compliant. This is proving to be a time-consuming task, especially in environments where vendor lists have grown organically over time. 

These challenges highlight one consistent theme. DORA is not just a compliance checkbox. It is a shift in operational culture that requires real clarity, coordination, and control. 

How ARRT Can Help 

At ARRT, we help financial services teams turn regulation into practical action. Our support includes: 

  • Mapping systems and identifying blind spots 
  • Reviewing BizTalk and Azure estates for risk and complexity 
  • Establishing vendor tracking and assurance 
  • Strengthening your incident logging and escalation process 
  • Aligning configuration and integration visibility with DORA principles 

DORA is not a one-off checklist. It is a long-term shift toward operational resilience by design. 

Want to talk through your DORA readiness?
Start here: https://arrt.uk.com/contact/  

You can also begin with our DORA-aligned health check. This reviews your current integration and operational risk landscape:
https://arrt.uk.com/is-your-integration-ecosystem-fit-for-the-future/  

Looking to strengthen one of the most overlooked areas of resilience? Download our configuration data white paper here:
https://arrt.uk.com/resources/configuration-data-white-paper/  
