Building Resilience and DORA Compliance: Lessons, Gaps, What's Next
Operational resilience is more than a nice-to-have. It's a business imperative. For financial institutions, this principle has been codified by the European Union's Digital Operational Resilience Act (DORA), which aims to ensure that the financial sector can withstand and recover from ICT-related disruptions.
While DORA compliance can be guided by a checklist, it ultimately represents a deeper shift in mindset, operations, and partnerships.
In a recent Sonatype webinar, industry experts shared real-world lessons from the first six months of DORA enforcement. Here's what we learned about what's working, what's not, and how institutions and their suppliers can navigate this new regulatory frontier with confidence.
Why Resilience Matters More Than Ever
DORA's core mission is simple: protect the EU's financial sector from operational failure due to cyber incidents, natural disasters, or supply chain issues.
To meet DORA's requirements, financial institutions must:
- Build and maintain resilient infrastructure.
- Strengthen partnerships with critical vendors.
- Adopt automation to enhance visibility, speed, and control.
- Prepare for stringent reporting requirements (e.g., 24-hour incident notification).
Achieving this requires a cultural and procedural shift, not only within financial entities, but also across the entire software supply chain of vendors and critical third parties.
Compliance as a Team Sport
Successful compliance is inherently collaborative. Institutions that build strong, trust-based relationships with vendors are far better positioned to meet DORA's expectations than those who treat suppliers as potential liabilities.
What Works
Successful DORA compliance relies on strong collaboration between financial institutions and their key suppliers. Institutions that actively work with vendors, rather than treating them as checkboxes, ensure smoother and more efficient compliance.
Regular check-ins between institutions and vendors build mutual understanding of responsibilities and expectations. Open communication on risk tolerance aligns priorities. DORA-specific contract addenda clarify accountability, while transparency on testing, continuity, and controls fosters trust.
What Does Not Work
Some institutions take a transactional or adversarial approach to compliance, which can hinder progress. A common mistake is sending regulation terms like "Article 30" to a vendor without context, creating confusion instead of clarity.
Another pitfall is applying the same compliance demands to all suppliers without considering their risk profiles or deployment scenarios. This can cause misalignment, wasted effort, and frustration on both sides.
Enabling DORA Compliance Through Automation, Open Source, and SBOMs
Achieving DORA compliance in the financial industry takes more than good intentions. It requires the right tools and strategies. With rising threats and strict timelines, institutions need solutions that offer speed, transparency, and control.
Three key enablers stand out in strengthening operational resilience and streamlining compliance efforts.
Automation
Automation streamlines compliance and boosts operational resilience. By reducing manual tasks and enabling faster, more accurate responses, it helps financial institutions meet DORA's requirements efficiently.
Specifically, it:
- Tracks compliance status and produces necessary documentation.
- Supports rapid incident detection and response.
- Enables real-time reporting to regulators and stakeholders.
Open Source Software
Open source software contributes significantly to building resilient systems by offering transparency, flexibility, and built-in recovery options. Its community-driven nature and accessible architecture make it a valuable asset in ensuring continuity and security.
In particular, open source software:
- Offers visibility into source code for independent verification and resilience.
- Provides backup mechanisms during outages through community-maintained codebases.
- Enhances flexibility when deploying compensating controls during incidents.
Software Bills of Materials (SBOMs)
Software bills of materials (SBOMs) are foundational to visibility and traceability in the software supply chain. They provide a detailed inventory of components that enables faster, more informed decision-making in both day-to-day operations and during incident response.
Specifically, SBOMs:
- List all components in a software product, improving transparency.
- Speed up identification of exposure to vulnerabilities like Log4Shell.
- Support communication and coordination with vendors and regulators.
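The "is my estate exposed?" question an SBOM answers is, mechanically, a join between the component inventory and an advisory feed. The following is an added example (not code from the original post or from Sonatype) of that check over a CycloneDX-style JSON SBOM. Both the SBOM and the advisory record are constructed for illustration: the advisory id `ADV-LOG4SHELL-EXAMPLE` is a placeholder standing in for the real Log4Shell advisory identifier, and a production check would read ranges from a maintained vulnerability feed rather than a hard-coded list.

```python
"""Match SBOM components against advisory version ranges (added example, constructed data)."""
import json
from dataclasses import dataclass

# Constructed sample SBOM in CycloneDX JSON layout; not a real product inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.15.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.15.2"},
    ],
})


@dataclass(frozen=True)
class Advisory:
    advisory_id: str    # placeholder id; a real feed carries the vendor/CVE identifier
    group: str
    name: str
    first_affected: str  # inclusive lower bound
    first_fixed: str     # exclusive upper bound


# Constructed advisory record for Log4Shell: log4j-core from 2.0-beta9 up to, but
# not including, the 2.15.0 fix release. Treat the range as an assumption for the demo.
ADVISORIES = [
    Advisory("ADV-LOG4SHELL-EXAMPLE", "org.apache.logging.log4j", "log4j-core",
             "2.0-beta9", "2.15.0"),
]


def parse_version(version):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Trailing zeros are dropped so 2.15 == 2.15.0, and a pre-release tag sorts
    below the corresponding release (2.0-beta9 < 2.0).
    """
    core, _, pre = version.partition("-")
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    while nums and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), 0 if pre else 1, pre)


def is_affected(adv, version):
    """True when version lies in [first_affected, first_fixed)."""
    v = parse_version(version)
    return parse_version(adv.first_affected) <= v < parse_version(adv.first_fixed)


def find_exposures(sbom_json, advisories=ADVISORIES):
    """Return (purl, advisory_id) pairs for SBOM components inside an advisory's range.

    Matching is on group AND name, so sibling artifacts such as log4j-api
    are not flagged by a log4j-core advisory.
    """
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        for adv in advisories:
            if (comp.get("group") == adv.group and comp.get("name") == adv.name
                    and is_affected(adv, comp.get("version", ""))):
                ident = comp.get("purl") or f"{comp['name']}@{comp.get('version', '?')}"
                hits.append((ident, adv.advisory_id))
    return hits


if __name__ == "__main__":
    for purl, adv_id in find_exposures(SAMPLE_SBOM):
        print(f"EXPOSED: {purl} ({adv_id})")
```

Run against the constructed SBOM, only the `log4j-core@2.14.1` entry is reported; the patched `2.17.1` copy and the unrelated `log4j-api` artifact are not. The same function, wired into a build pipeline, is what turns an SBOM from an audit artifact into the rapid exposure check the text describes.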
What's Next: Future-Proofing for Resilience
Regulation is evolving quickly. DORA complements the EU's Cyber Resilience Act (CRA) and AI Act, bringing forth new requirements for software security and accountability, further strengthening compliance standards.
To stay ahead, organizations can:
- Invest in governance frameworks that scale with regulatory complexity.
- Exercise incident response plans regularly, whether tabletop or real-world.
- Incorporate SBOMs and automation into build pipelines, not just audit trails.
- Train cross-functional teams on their roles during incidents.
- Anticipate risk management expectations from upstream and downstream partners.
Success comes from partnerships, better processes, and a shared commitment to managing risk. By collaborating, automating, and using open source with strong governance, financial institutions and suppliers can turn DORA compliance into a competitive advantage that drives trust, stability, and growth.
Want to hear more from Sonatype experts on how to comply with DORA and navigate what's next? Watch the full webinar recording.
Aaron is a technical writer on Sonatype's Marketing team. He works at a crossroads of technical writing, developer advocacy, software development, and open source. He aims to get developers and non-technical collaborators to work well together via experimentation, feedback, and iteration so they ...