DORA: From Theory to Cyber Reality 

The Digital Operational Resilience Act (DORA) is came into force in January 2025, setting a new standard for cyber resilience across the financial sector.

For many organisations, the real challenge isn’t knowing what DORA requires, it’s putting it into practice. There’s still uncertainty around what effective compliance looks like, especially when it comes to the cybersecurity measures required. Despite years of preparation, recent research shows that the majority of in-scope organisations are still not fully compliant. One of the most common gaps? A lack of clarity around what DORA demands from a cybersecurity and resilience standpoint — and how that differs from existing regulations like NIS2 or ISO 27001.

This whitepaper, “DORA: From Theory to Cyber Reality”, addresses this disconnect, offering a practical, expert-led guide to understanding and implementing the cybersecurity elements of DORA.

Inside, you’ll find:

• What DORA actually requires in terms of ICT risk management, resilience testing, and third-party oversight

• How DORA’s threat-led penetration testing (TLPT) requirements go beyond traditional assessments

• The real-world impact of recent updates, including the designation of critical ICT third-party providers

• Why incident reporting under DORA isn’t as straightforward as it seems

• Steps organisations can take now to close compliance gaps and build long-term resilience

Whether you're directly impacted by DORA or supporting firms that are, this whitepaper offers a grounded perspective on navigating the new regulatory environment.