Operational resilience is more than a nice-to-have. It's a business imperative. For financial institutions, this principle has been codified by the European Union's Digital Operational Resilience Act (DORA), which aims to ensure that the financial sector can withstand and recover from ICT-related disruptions.
While DORA compliance can be guided by a checklist, it ultimately represents a deeper shift in mindset, operations, and partnerships.
In a recent Sonatype webinar, industry experts shared real-world lessons from the first six months of DORA enforcement. Here's what we learned about what's working, what's not, and how institutions and their suppliers can navigate this new regulatory frontier with confidence.
DORA's core mission is simple: protect the EU's financial sector from operational failure due to cyber incidents, natural disasters, or supply chain issues.
To meet DORA's requirements, financial institutions must:
Build and maintain resilient infrastructure.
Strengthen partnerships with critical vendors.
Adopt automation to enhance visibility, speed, and control.
Prepare for stringent reporting requirements (e.g., 24-hour incident notification).
Achieving this requires a cultural and procedural shift, not only within financial entities, but also across the entire software supply chain of vendors and critical third parties.
Successful compliance is inherently collaborative. Institutions that build strong, trust-based relationships with vendors are far better positioned to meet DORA's expectations than those who treat suppliers as potential liabilities.
Successful DORA compliance relies on strong collaboration between financial institutions and their key suppliers. Institutions that actively work with vendors, rather than treating them as checkboxes, ensure smoother and more efficient compliance.
Regular check-ins between institutions and vendors build mutual understanding of responsibilities and expectations. Open communication on risk tolerance aligns priorities. DORA-specific contract addenda clarify accountability, while transparency on testing, continuity, and controls fosters trust.
Some institutions take a transactional or adversarial approach to compliance, which can hinder progress. A common mistake is sending regulation terms like "Article 30" to a vendor without context, creating confusion instead of clarity.
Another pitfall is applying the same compliance demands to all suppliers without considering their risk profiles or deployment scenarios. This can cause misalignment, wasted effort, and frustration on both sides.
Achieving DORA compliance in the financial industry takes more than good intentions. It requires the right tools and strategies. With rising threats and strict timelines, institutions need solutions that offer speed, transparency, and control.
Three key enablers stand out in strengthening operational resilience and streamlining compliance efforts.
Automation streamlines compliance and boosts operational resilience. By reducing manual tasks and enabling faster, more accurate responses, it helps financial institutions meet DORA's requirements efficiently.
Specifically, it:
Tracks compliance status and produces necessary documentation.
Supports rapid incident detection and response.
Enables real-time reporting to regulators and stakeholders.
Open source software contributes significantly to building resilient systems by offering transparency, flexibility, and built-in recovery options. Its community-driven nature and accessible architecture make it a valuable asset in ensuring continuity and security.
In particular, open source software:
Offers visibility into source code for independent verification and resilience.
Provides backup mechanisms during outages through community-maintained codebases.
Enhances flexibility when deploying compensating controls during incidents.
Software bills of materials (SBOMs) are foundational to visibility and traceability in the software supply chain. They provide a detailed inventory of components that enables faster, more informed decision-making in both day-to-day operations and during incident response.
Specifically, SBOMs:
Lists all components in a software product, improving transparency.
Speeds up identification of exposure to vulnerabilities like Log4Shell.
Supports communication and coordination with vendors and regulators.
Regulation is evolving quickly. DORA complements the EU's Cyber Resilience Act (CRA) and AI Act, bringing forth new requirements for software security and accountability, further strengthening compliance standards.
To stay ahead, organizations can:
Invest in governance frameworks that scale with regulatory complexity.
Exercise incident response plans regularly, tabletop or real-world.
Incorporate SBOMs and automation into build pipelines, not just audit trails.
Train cross-functional teams on their roles during incidents.
Anticipate risk management expectations from upstream and downstream partners.
Success comes from partnerships, better processes, and a shared commitment to managing risk. By collaborating, automating, and using open source with strong governance, financial institutions and suppliers can turn DORA compliance into a competitive advantage that drives trust, stability, and growth.
Want to hear more from Sonatype experts on how to comply with DORA and navigate what's next? Watch the full webinar recording.