
DORA: Why Formal Compliance Does Not Equal IT Resilience

In short: DORA compliance is necessary but insufficient for digital resilience – what is required is a consistently built and centrally controllable security architecture with a focus on identity and cryptography management.

The Digital Operational Resilience Act (DORA) establishes binding requirements for banks and insurers in managing IT risks and third-party service providers. However, regulatory compliance alone does not lead to genuine digital resilience – a consistently built security architecture is essential.

DORA sets out clear obligations for all supervised financial undertakings in the European Union: robust structures for managing ICT risks, defined protective measures, processes for incident response, and oversight of third-party service providers. Many institutions have responded with governance adjustments, documenting policies, establishing incident reporting processes, and building outsourcing registers.

The problem lies in the gap between formal compliance and actual security. Regulators assess whether structures exist and processes are defined. True resilience, however, only shows itself in ongoing operations under real-world conditions. Typical weak points are a single certificate reused across many applications, cryptographic keys managed in a decentralised way by individual teams, or identity and access control concepts that are implemented inconsistently from system to system. In cloud and third-party environments there is often little transparency about security-relevant processes. None of this is formally non-compliant, but it significantly increases complexity and thus the demands on control and the ability to respond: if a reused key has to be revoked or rotated, every application that depends on it is affected at once.

The threat situation in the financial sector compounds this: the intensity and sophistication of attacks are increasing, while many institutions struggle with complex IT landscapes that have grown over years. With their substantial assets and sensitive data, banks and insurers are attractive targets for attackers; risks such as data theft and ransomware remain acute.

Effective digital resilience requires a shift away from a compliance mindset: rather than treating security as a sum of individual measures, institutions need a consistently built, centrally controllable, and permanently auditable security architecture. Two key levers are the central management of digital identities and of cryptography. In modern, decentralised infrastructures with numerous interfaces, traditional network boundaries lose their significance: access takes place across locations and organisational boundaries, often involving external actors. Approaches such as Zero Trust address this by basing authentication and authorisation on clearly defined identities rather than on network location, which in turn presupposes that those identities and the keys and certificates behind them are managed centrally and can be audited at any time.
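What central control over cryptography means in practice, for the certificate reuse and decentralised key management described above and the "central management of cryptography" lever of this paragraph, as an added example that is not part of the original article: a small inventory check that groups deployed certificates by fingerprint, measures how many applications and owning teams share each one (the blast radius if that key leaks or has to be rotated), and flags certificates that expire soon. The inventory format, field names, application names, fingerprints and dates are all constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory (not real data): one deployed certificate per line,
# ';'-separated fields -> application;owner_team;sha256_fingerprint;not_after
INVENTORY = """\
# application;owner;fingerprint;not_after
online-banking;retail-it;AA11;2026-09-30
mobile-api;retail-it;AA11;2026-09-30
payments-gateway;payments;AA11;2026-09-30
claims-portal;insurance-ops;BB22;2026-07-20
hr-self-service;corporate-it;CC33;2027-03-01
"""


def parse_inventory(text):
    """Parse the ';'-separated inventory into records. Malformed lines raise
    instead of being skipped: a silently dropped line is an unknown key."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        app, owner, fingerprint, not_after = (f.strip() for f in fields)
        records.append({
            "app": app,
            "owner": owner,
            "fp": fingerprint.upper(),
            "not_after": date.fromisoformat(not_after),
        })
    return records


def blast_radius(records):
    """Fingerprint -> sorted list of applications presenting that certificate."""
    apps = defaultdict(set)
    for r in records:
        apps[r["fp"]].add(r["app"])
    return {fp: sorted(a) for fp, a in apps.items()}


def assess(records, today, warn_days=60):
    """Per fingerprint: affected apps, owning teams, days to expiry and flags.
    'shared'      : one key serves several applications (rotation hits all of them)
    'multi-owner' : no single accountable team for the key
    'expiring'    : certificate expires within warn_days
    `today` may be a date or an ISO date string."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    apps = blast_radius(records)
    owners = defaultdict(set)
    expiry = {}
    for r in records:
        owners[r["fp"]].add(r["owner"])
        # Same fingerprint implies same notAfter; keep the earliest seen defensively.
        expiry[r["fp"]] = min(expiry.get(r["fp"], r["not_after"]), r["not_after"])
    result = {}
    for fp, app_list in apps.items():
        days_left = (expiry[fp] - today).days
        flags = []
        if len(app_list) > 1:
            flags.append("shared")
        if len(owners[fp]) > 1:
            flags.append("multi-owner")
        if days_left <= warn_days:
            flags.append("expiring")
        result[fp] = {
            "apps": app_list,
            "owners": sorted(owners[fp]),
            "days_left": days_left,
            "flags": flags,
        }
    return result


def prioritised(records, today, warn_days=60):
    """Fingerprints needing action: largest blast radius first, then soonest expiry."""
    findings = assess(records, today, warn_days)
    hits = [fp for fp, f in findings.items() if f["flags"]]
    return sorted(hits, key=lambda fp: (-len(findings[fp]["apps"]),
                                        findings[fp]["days_left"]))


if __name__ == "__main__":
    recs = parse_inventory(INVENTORY)
    report = assess(recs, "2026-07-03")
    for fp in prioritised(recs, "2026-07-03"):
        f = report[fp]
        print(f"{fp}: {', '.join(f['flags'])}; apps={f['apps']}; "
              f"owners={f['owners']}; days_left={f['days_left']}")
```

Run against the constructed inventory on 3 July 2026, the check ranks AA11 first: it is presented by three applications owned by two different teams, so a compromise or rotation of that one key touches all three and nobody clearly owns the decision. BB22 is flagged only because it expires in 17 days. The point of the exercise is that such a report can only be produced at all when the inventory is central and complete; a team-by-team spreadsheet would not reveal that retail-it and payments are sharing a key.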


Source: www.it-daily.net · Published 3 July 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.
