From DORA implementation to operational reality

Over the past few years, financial institutions across Europe have invested significant resources in implementing the Digital Operational Resilience Act (DORA). Policies have been updated, control frameworks strengthened, and governance processes redesigned.

Yet many boards and executive teams still feel uncertain about their organisation’s true level of digital resilience.

That uncertainty is understandable.

The real challenge for many institutions today is not implementing the regulation itself, but understanding whether the organisation is genuinely resilient when critical digital dependencies fail.

In practice, DORA is a stress test of an organisation’s operational governance, and of how well boards, management and control functions understand their digital dependencies.

When implementation programmes conclude, institutions enter the more demanding phase: ensuring that digital resilience is embedded not only in governance frameworks and board-level decisions, but in the operational procedures and working instructions that determine how people act when it matters.

Digital operational resilience is a board responsibility

At its core, digital operational resilience is about one thing: the organisation’s ability to continue delivering financial services under stress.

One of the most important shifts introduced by DORA is that this is now explicitly a matter of corporate governance, not simply an IT or security issue. Boards are expected to ensure that ICT risks are understood, governed, and managed appropriately.

More than that, it is ultimately the board that sets the organisation’s acceptable level of digital resilience, determining how much operational risk the organisation is willing to carry, and ensuring that is reflected in its risk profile and strategic decisions.

For many boards, this means gaining deeper visibility into digital dependencies and understanding how those risks translate into real threats to service continuity.

ICT risk is business risk

In modern financial institutions, digital infrastructure underpins virtually every business function, from the front office to the back office.

Customer services, payments processing, lending decisions, trade execution, regulatory reporting processes, business intelligence and fraud detection are all dependent on complex technology environments.

A simple question often illustrates the point:

Which critical business processes today are not dependent on ICT?

In most organisations, the answer is very few.

ICT risk therefore cannot be treated as a specialised technical domain. It is a central component of the organisation’s operational risk landscape.

When technology fails, the impact is immediate and visible: payments fail, transactions halt, customers are left without access, and regulators take notice.

Fragmented risk visibility

In discussions with boards and executive teams, we frequently see that responsibility for ICT risk and digital resilience is distributed across several organisational functions. In some cases, critical aspects are even managed by third party providers entirely outside the organisation’s direct control.

Different aspects of digital risk may be managed by IT operations, information security, the risk control function, the compliance function, or in some cases by a dedicated vendor management function.

Each function provides valuable insight within its own domain, but the overall risk picture can become fragmented.

When digital risk is fragmented across multiple functions, it becomes difficult for boards to obtain a coherent view of the organisation’s overall risk exposure.

In our work with financial institutions across the Nordic region, we still see many organisations tracking operational and ICT risks through fragmented spreadsheets and locally developed tools, approaches that quickly reach their limits as digital dependencies increase and regulatory expectations rise.

The question is no longer whether digital resilience belongs on the board agenda; it is whether boards have the visibility and tools to act on it.

The evolving role of the second line

DORA is also raising expectations of what second-line risk and compliance functions need to deliver.

In many institutions, the second line mandate is clearly defined. However, the technical capability required to challenge first-line risk assessments has not always evolved at the same pace as the complexity of digital environments.

When the second line lacks sufficient technical understanding, independence risks becoming formal rather than practical.

This reflects a broader shift in how compliance and risk functions contribute to digital resilience.

Second-line functions increasingly act as a bridge between regulatory requirements and the organisation’s operational reality, ensuring that regulatory expectations are translated into controls and processes that are effective in practice.

Smaller and mid-sized institutions often feel this most acutely. The expectation of fully independent ICT risk oversight does not scale down with the size of the organisation — but the resources available to meet it often do.

For boards and executive management, the implication is direct: if second-line functions are not equipped to assess complex digital environments, the board risks approving a risk appetite it cannot adequately oversee, and carrying regulatory accountability for gaps it was never informed of.

Governance frameworks exist – but supervisors look beyond documentation

Most financial institutions today have extensive governance frameworks covering ICT risk and operational risk.

However, supervisory reviews increasingly focus not only on whether frameworks exist, but on whether organisations can demonstrate that resilience works in practice.

Across the Nordic region, similar observations often appear in supervisory assessments. ICT asset inventories may not always be sufficiently comprehensive, Business Impact Assessments may lack the necessary depth, and continuity plans are sometimes not tested under scenarios that reflect realistic operational disruptions.

Resilience cannot be assessed through documentation alone. It needs to be verified through testing in realistic scenarios.

This is not unique to individual institutions. Across the ecosystem, the translation of DORA requirements into operational practice is still maturing for both institutions and supervisors.

As digital dependencies grow, weaknesses in governance or testing can quickly affect multiple parts of the organisation simultaneously, threatening the institution’s ability to operate critical functions.

Third-party dependencies are becoming strategic risks

Boards and executive teams are placing greater emphasis on the organisation’s growing reliance on external ICT providers. Cloud platforms, specialised technology vendors and digital infrastructure are now central to the delivery of financial services.

Third-party risk is therefore a core component of the organisation’s operational risk and resilience framework. Institutions need to understand not only which providers they depend on, but also how those dependencies affect service continuity, concentration risk and supply-chain resilience.

For many organisations, this means moving beyond contractual oversight and building genuine governance across the entire third-party lifecycle, from onboarding and due diligence to ongoing monitoring, incident management and resilience testing.

As reliance on external providers grows, boards and executive management need clearer visibility of whether critical suppliers can maintain services during disruption and support the continuity of essential financial operations.

The changing threat landscape and geopolitical exposure

Digital resilience cannot be understood in isolation from the broader threat environment in which financial institutions operate. The geopolitical context across Europe and beyond has shifted significantly in recent years, and this shift has direct implications for how institutions should think about operational resilience.

Heightened geopolitical tensions have coincided with a measurable increase in cyber threat activity targeting critical infrastructure, including the financial sector. State-sponsored threat actors, hybrid warfare tactics, and coordinated disinformation campaigns are no longer theoretical risks. They are a documented part of the operating environment for European financial institutions.

For boards and risk functions, this means that resilience scenarios need to reflect a more demanding and realistic threat picture. Disruption scenarios should no longer be limited to technical failures or natural disasters. They must also account for deliberate, sophisticated, and potentially coordinated attacks on financial infrastructure.

Geopolitical dynamics also reshape the risk profile of technology supply chains. The growing scrutiny of technology providers from certain jurisdictions, and questions around data sovereignty and infrastructure ownership, are becoming governance considerations in their own right. Institutions are increasingly expected to assess not only the operational reliability of their technology providers, but also the geopolitical risk profile associated with where infrastructure is located and who controls it.

In the Nordic region, these dynamics are particularly relevant. Institutions operating across borders, relying on shared infrastructure, or serving clients in sectors with strategic national significance face an elevated exposure. The interconnected nature of Nordic financial markets means that any single institution’s resilience posture has implications that extend well beyond its own operations.

DORA provides a sound foundation for managing these risks. But the threat landscape that institutions now face demands more than compliance. It requires boards and executive management to integrate geopolitical awareness into their resilience thinking, treating it not as a separate foreign policy consideration, but as a central dimension of operational risk management.

From implementation to integration

For many institutions, DORA does not represent the end of a regulatory programme. It marks the beginning of a broader maturity journey.

Across the market, DORA-driven work is already shifting from one-off implementation projects toward ongoing governance, ownership, and lifecycle management of resilience frameworks, controls and reviews.

Once implementation projects conclude, it becomes clear that digital resilience cannot be built through isolated initiatives. It must be embedded across governance, risk management, and operational decision-making.

This means integrating ICT risk more clearly into the overall operational risk framework, ensuring it is assessed, reported, and governed with the same rigour as other material risks, rather than managed as a separate technical discipline.

It also means strengthening the technical capabilities of the second line, so that risk and compliance functions can genuinely challenge first-line assessments and provide boards with independent assurance, not just process confirmation.

Boards themselves need to receive a coherent, consolidated view of the organisation’s digital risk exposure, one that connects ICT risks to business impact, service continuity, and strategic decision-making.

Testing and scenario planning must also become more realistic and more demanding, reflecting the types of disruption, including geopolitical and third-party-driven events, that institutions may actually face.

For most institutions, this phase also implies adopting a more risk-based approach, focusing governance, resources, and oversight where operational and compliance risks are greatest.

The key question is no longer whether an organisation has implemented DORA. The real question is whether it has achieved the level of resilience the regulation is intended to create.

Operational risk in a digitally dependent industry

As financial services continue to digitalise, operational risk is increasingly shaped by technological infrastructure, data flows, and external dependencies.

Operational risk management must evolve accordingly.

For boards and executive teams, the challenge is no longer limited to ensuring regulatory compliance. It is about understanding digital dependencies and being confident the organisation can continue operating when disruptions occur.

DORA is best understood not as the conclusion of a regulatory programme, but as the starting point for a deeper shift in how financial institutions govern operational risk.

The decisive question going forward is not whether the frameworks exist, but whether organisations have truly built the resilience required when the digital infrastructure they depend on is put to the test.

Ragnar Malmros

Director, Advisory Sweden, Operational Risk/ICT
