Paula Albu
28 Oct 2025 / 6 Min Read
Don’t see DORA as a compliance burden – see it as a chance to innovate and build resilience by design.
That was the core message of a recent exclusive webinar, DORA is here: How to ensure operational resilience and compliance.
For anyone in banking, insurance, or the ICT sector, this webinar is a must-watch.
It’s been almost a year since DORA (the Digital Operational Resilience Act) came into effect, marking a major shift in how the financial sector approaches operational resilience. Many institutions are realising that DORA is more than just a compliance requirement – it’s a call to rethink how resilience is built into systems, operations, and partnerships.
While rising regulatory pressure and cyber threats make compliance critical, they also open the door to smarter, resilience by design approaches rather than simple box-ticking. DORA isn’t a one-time effort; it requires institutions to continuously refine strategies, stay ready for updates, and remain proactive in a complex digital ecosystem. Because let’s be honest: DORA’s true impact will be measured by how effectively financial institutions build sustainable operational resilience for the future.
In this expert session, António Soares, Head of Business Development at Worldline, and Odun Fadahunsi, Senior Security, Risk & Compliance Advisor at Google, explored how organisations can move beyond mere compliance to embed resilience at the core of their operations. They discussed practical strategies, common challenges, necessary investments, and actionable insights, showing how DORA can be a catalyst for innovation rather than just a regulatory obligation.
Resilience in action: Worldline & Google
Worldline provides critical payment infrastructure across Europe in a variety of ways. As such, the company operates directly under the scope of DORA in two main aspects. First, as a regulated payment institution, Worldline is directly subject to resilience regulations. Second, as an ICT provider to banks, it brings a complementary perspective on operational resilience. This dual perspective helps Worldline put rules and theory into practice, applying resilience measures across its operations.
Google, a valued partner of Worldline, delivers resilient infrastructure globally and supports European financial institutions in strengthening operational resilience. Together, Worldline and Google help their joint customers navigate the various risks, security challenges, and compliance issues they face.
Below are some very brief takeaways, but you can access the full webinar anytime, on demand.
DORA's framework centres on five critical pillars that financial entities must master. First, ICT risk management demands redundancy and backup security, with direct accountability to top management. Second, incident management requires standardised reporting and transparency. Third, comprehensive testing must include stress scenarios and extreme event simulations. Fourth, third-party risk management must be addressed – identified by the webinar experts as the pillar consuming the most effort. Fifth, information must be shared across regulators and stakeholders.
The message from the webinar was clear: DORA is far more than a regulatory checkbox — it’s a catalyst for transformation.
Resilience is emerging as a unifying theme across regulations. Financial institutions are no longer just expected to comply; they must anticipate and withstand a wide spectrum of digital disruptions. This requires strategic leadership, embedding resilience into broader organisational strategies, rather than treating it as a separate, siloed effort. Organisations that build resilience into the design of their systems stand out.
António emphasised that payments are a mission-critical industry where downtime is unacceptable. He explained that DORA harmonises industry best practices around backups, recovery, and operational resilience. In payments, every second counts – much like in space flight – and the regulation standardises what the industry has always prioritised: continuous operations and trust. By doing so, DORA enables financial institutions to transform operational resilience into a strategic advantage, strengthening the trust that lies at the heart of financial services.
The webinar highlighted third-party risk management as the most challenging aspect of DORA compliance. "From everybody you speak to in the industry, this is where most of the effort is coming to," António noted. The regulation brings ICT providers directly under its scope, creating shared responsibility between financial institutions and their technology partners.
This shift addresses a critical vulnerability. Financial institutions increasingly rely on concentrated ICT providers, creating systemic risks. DORA's oversight framework for Critical Third-Party Providers (CTPPs) ensures these dependencies don't become single points of failure.
Odun stressed that technical compliance alone won't suffice: "What I see with some of my customers is the challenge holding is actually not technical, it's cultural. Many organisations understand what DORA is on paper. But actually, embedding a resilience-first mindset in daily operations across all teams is extremely challenging."
The solution lies in making resilience everyone's responsibility. Organisations must move beyond annual penetration tests to continuous resilience testing, treating each test failure as valuable learning rather than a mistake. This requires role-specific training across all levels – from developers understanding RTO/RPO (recovery time objective and recovery point objective) targets to business teams grasping impact tolerances.
Artificial intelligence emerged as a powerful tool for proactive DORA compliance. Odun outlined AI's transformative potential: predictive risk assessment analysing massive datasets to forecast threats, real-time security monitoring detecting anomalous behaviour, automated incident classification meeting DORA's strict reporting timelines, and contract analysis scanning thousands of vendor agreements for compliance gaps.
"AI enables organisations to anticipate," António added, highlighting how AI-powered fraud detection and transaction scoring have become essential for maintaining resilience in real-time payment environments.
The webinar revealed that 25% of poll respondents identified "allocating resources and ensuring cross-functional coordination" as their primary challenge.
The financial burden varies dramatically by institution size. António revealed the substantial investment required for DORA implementation, with Tier 1 banks spending between 20 and 40 million euros, representing 1-2% of their IT budgets. While large organisations have the capability to handle implementation themselves, smaller institutions face significant challenges due to limited capacity and must rely heavily on external partners and shared knowledge to meet compliance requirements.
However, forward-thinking institutions are reframing this investment. Rather than viewing DORA as a cost center, they're leveraging compliance efforts to modernise infrastructure, enhance customer trust, and build competitive advantages through superior resilience.
The concept of resilience by design emerged as a central theme. This means architecting systems with inherent redundancy – multiple payment schemes instead of one, active-active setups rather than active-passive, multi-cloud strategies, and even offline fallback mechanisms.
António illustrated with a practical example. He noted that resilience by design may sound like a buzzword, but it has a very practical meaning. It’s about shaping your business so that resilience is built into its very structure, making it resilient by nature, not by afterthought.
He explained that, for instance, a payment institution relying on a single payment method – say, only cards through one card scheme – is inherently less resilient, even if all systems are fully redundant. In contrast, an organisation supporting multiple schemes, or offering a mobile app completely separate from its card infrastructure, is naturally more resilient.
António added that this concept also applies at the infrastructure level. The industry now recommends approaches such as multi-cloud strategies and active-active setups – where both sites operate simultaneously – rather than the traditional active-passive model. These measures help ensure continuous availability and minimise risk by design.
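To make the "resilient by nature, not by afterthought" point concrete, here is a small added model (illustrative code written for this summary, not Worldline's or Google's software) of a payment router that can fall back across independent rails, alongside the availability arithmetic that separates a single-scheme design from a multi-scheme one and an active-passive site pair from an active-active one. The rail names, availability figures, outage counts and RTO values are constructed for the example, and outages are assumed to be independent.

```python
"""Constructed model of 'resilience by design' for payment routing.

A service that depends on one rail (one card scheme, one site) is down
whenever that rail is; a service that can route across several
independent rails is down only when all of them fail at once.
Assumptions (not from the webinar): rail outages are independent, the
availability figures are illustrative, and health-check results are
already known to the router.
"""
from dataclasses import dataclass
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60


@dataclass
class PaymentRail:
    """One independent way to process a payment, e.g. a card scheme or a wallet."""
    name: str
    availability: float      # long-run fraction of time the rail is up (constructed)
    healthy: bool = True     # latest health-check result


class PaymentRouter:
    """Routes each payment to the first healthy rail in preference order."""

    def __init__(self, rails):
        if not rails:
            raise ValueError("a router needs at least one rail")
        self.rails = list(rails)

    def route(self, amount_cents: int) -> str:
        for rail in self.rails:
            if rail.healthy:
                return rail.name
        # Every rail is down: with a single-rail design this is the normal
        # outcome of one scheme outage; with several rails it needs them all.
        raise RuntimeError("no healthy rail available for %d cents" % amount_cents)

    def design_availability(self) -> float:
        """Probability that at least one rail is up, assuming independent outages."""
        return 1.0 - prod(1.0 - r.availability for r in self.rails)


def yearly_downtime_minutes(availability: float) -> float:
    """Expected minutes per year during which the service cannot take payments."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def site_failover_downtime_minutes(outages_per_year: int, rto_minutes: float,
                                   active_active: bool) -> float:
    """Downtime attributable to site failover.

    Active-passive: each site outage costs one recovery time objective (RTO)
    while the passive site is brought up.  Active-active: the surviving site
    is already serving traffic, so a single-site outage costs no RTO.
    """
    return 0.0 if active_active else outages_per_year * rto_minutes


if __name__ == "__main__":
    cards = PaymentRail("card-scheme-A", availability=0.999)
    wallet = PaymentRail("mobile-wallet", availability=0.999)

    single = PaymentRouter([PaymentRail("card-scheme-A", availability=0.999)])
    multi = PaymentRouter([cards, wallet])
    print("single-rail downtime/yr: %.1f min"
          % yearly_downtime_minutes(single.design_availability()))
    print("multi-rail  downtime/yr: %.2f min"
          % yearly_downtime_minutes(multi.design_availability()))

    cards.healthy = False            # simulate the card scheme going dark
    print("payment routed via", multi.route(1999))

    print("active-passive failover downtime/yr: %.0f min"
          % site_failover_downtime_minutes(4, 30, active_active=False))
    print("active-active  failover downtime/yr: %.0f min"
          % site_failover_downtime_minutes(4, 30, active_active=True))
```

The router is deliberately simple: the resilience comes from the shape of the dependency graph (several independent rails, both sites live), not from any cleverness in the routing code, which is exactly the distinction António draws between redundancy inside one scheme and diversity across schemes.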
António outlined a practical three-step approach to implementing DORA compliance.
First, identify and map your critical functions – you can’t fix what you don’t know. Second, conduct a gap assessment, benchmarking existing processes against DORA requirements. Third, implement corrective measures and establish governance for continuous monitoring.
He emphasised that this is a recurring process, requiring attention at the highest organisational level to ensure ongoing compliance and long-term operational resilience.
Resilience by design offers a competitive advantage: organisations building inherent redundancy and flexibility position themselves as trusted partners. Continuous testing replaces annual assessments: DORA demands ongoing resilience validation, not periodic checkbox exercises.
DORA represents a watershed moment for European financial services. As António Soares emphasised in his closing advice, “Identify the critical areas for your business and then take action on them.” The regulation's true impact extends beyond compliance checkboxes to fundamentally reshape how financial institutions approach operational resilience.
Odun complemented this advice, adding that DORA is about demonstrable resilience, not just documentation. Realistic testing exposes weak points and pushes teams to proactively practise their responses, turning resilience from theory on paper into an embedded operational reality.
Bottom line: Organisations that view DORA as an opportunity rather than a burden will emerge stronger, more trusted, and better positioned for the digital future. The path forward demands investment, cultural transformation, and strategic thinking and partnerships – but the payoff is a financial system capable of weathering any digital storm.
For those yet to achieve full compliance, the message is clear: DORA isn't going away. The time for action is now, transforming regulatory requirements into competitive advantages through proactive resilience strategies that protect not just systems, but the trust at the heart of financial services.
These are just a few brief takeaways from the webinar. The session was packed with insights, actionable advice, and strategies for compliance – all of which you can benefit from by watching the full webinar here.
Oana Ifrim is Lead Editor and content strategist for The Paypers’ Banking and Fintech team. She writes and manages features on a broad range of topics, including fintech, banking, payments, and industry trends, driving the editorial vision for cutting-edge topics, including payments modernisation, Open Banking, Open Finance, Embedded Finance, and Banking-as-a-Service. As an experienced editor and content lead, she oversees content creation and coverage, conducts expert interviews, and moderates video interviews, industry webinars, and panels. Oana also leads thought leadership initiatives, including whitepapers, customised projects, and in-depth industry reports. In addition to her editorial role, she represents The Paypers at major industry events, engaging with experts, gaining valuable insights, and staying ahead of key industry trends.
She can be reached at oana@thepaypers.com or on LinkedIn.