Technology leaders working in financial services will have likely already heard of the Digital Operational Resilience Act (DORA), particularly if they have any presence or operations in Europe. Many will have already gotten to work preparing for it alongside their legal and compliance teams. For anyone who has seen an uptick of requirements regarding disaster planning, security, compliance, testing, and vendor review in the past 6 to 12 months, it might stem from your organization's larger efforts to comply with DORA or related laws coming into force.
As the general counsel of Cockroach Labs, creators of the distributed SQL database CockroachDB, I advise product and engineering leaders and decision-makers about new and developing regulations affecting our business. When it comes to compliance, we reach the best outcomes when we all have a foundational understanding of the underlying rules and what they mean.
Understanding the basic principles of a law and the context for why it exists makes it possible to see around corners to avoid costly mistakes and even uncover potential strategic advantages. This doesn’t mean you have to become a deep expert, read the regulations in their entirety, or sit through a lengthy presentation. However, knowing the basics will help you comply with the law smarter, faster, and better. In turn, this will lead to wins for everyone – whether it's a smoother onboarding process for new vendors, uninterrupted services for your customers, or avoiding fines from regulators.
To that end, this blog post covers three main topics. We’ll start with a contextual explanation regarding The Criticality of Financial Services & the Advent of DORA, followed by An Entirely Too Short Summary of DORA to give you a basic understanding of the law’s tenets, and Tips for Vendor Selection under DORA.
The criticality of financial services and the advent of DORA
Digital financial services have revolutionized the way we live as they have become accessible through online platforms, our smartphones, and apps. They add immense value and convenience to our lives through simplified cash management, instantaneous access to credit, and secure and efficient means for making payments and transferring money.
As we adopt these new technologies, old ways of doing business are being left behind. Meanwhile, the smooth functioning of our modern economy has become ever more dependent on the availability and reliability of these new financial services.
This reliance introduces significant and unprecedented new risks: If modern financial services were ever to become unavailable, whether due to cyberattacks, technical failures, or other disruptions, it would profoundly impact people’s ability to acquire fundamental everyday necessities, from food and housing to transportation and healthcare.
DORA is a landmark set of new regulations in the European Union in response to these risks and aims to address them through imposing requirements on financial institutions regarding the resilience of their operations and services. Though some laws already addressed digital operational resilience at the local level, DORA harmonizes a previously existing and sometimes disjointed patchwork of regulations. DORA’s requirements ask companies to go beyond ticking compliance boxes and push technologists like yourself to proactively embed resilience into the DNA of the technology stacks you build.
An entirely too-short summary of DORA
What is DORA? The regulations that comprise DORA are thousands of pages long and immensely complex – any summary of this length will be woefully insufficient to do it justice. As a lawyer, I (of course!) recommend every technology leader reading this blog post to consult your attorney for whatever further details you might require. As I said earlier, no one needs a full treatise on DORA regulation compliance, but everyone can benefit from a basic primer of its fundamentals, which is provided below in brief:
DORA provides a comprehensive framework for enhancing operational resilience of financial entities providing services to customers in the EU. It incorporates the following elements:
Information Communication Technology (ICT) Risk Management Framework – Comprehensive ICT risk management strategies, policies, and procedures for identifying, managing, and mitigating internal and third-party ICT risks.
Incident Management & Reporting – Processes for managing ICT incidents, including classification, response, reporting, and where sharing of cyber threats is required.
Digital Operational Resilience Testing – Testing of operational resilience, including annual testing of critical ICT systems and applications and penetration testing in some circumstances.
Third-Party Risk Management – Stringent management of third-party ICT risks, including assessing and documenting third party ICT services, concentration risks, and exit strategies, with enhanced oversight for critical ICT vendors.
Governance & Oversight – Governance framework to ensure accountability among senior management for the oversight and implementation of ICT risk-management practices.
Information Sharing – Sharing of information among financial entities about cyber threats and vulnerabilities.
All financial entities will undoubtedly have armies of attorneys, compliance teams, and security specialists already in place to harmonize their existing compliance and security programs with DORA requirements. This work’s output may take many forms - enhanced disaster planning, new security requirements, audit and testing procedures, training, various policies, and of course mountains of new documentation.
DORA is a complex piece of regulation and a significant undertaking. Further, maintaining resilience is already top of mind for many organizational decision-makers, as revealed by the recent Cockroach Labs survey, “The State of Resilience 2025: Confronting Outages, Downtime, and Organizational Readiness.”
In many cases, the role of technical staff will primarily be to cooperate with and assist in the implementation of the new DORA programs and policies that their compliance and legal teams introduce. However when it comes to vendor selection and management, DORA will require technology leads to take a more proactive role vetting ICT vendors to ensure they fit into their organization’s overall resilience strategy.
Tips for vendor selection under DORA
DORA is designed to push technologists like yourself to evaluate vendors using more holistic means than simply running through the boxes on a compliance checklist. ICTs must be evaluated across multiple qualitative dimensions to make certain that operational resilience is baked into their offerings and their place in the tech stack.
Compliance and security teams will still conduct their reviews of ICT vendors, but they increasingly rely on the technology teams using that vendor for the substantive explanations of the technical and strategic reasons why that vendor is acceptably resilient to be relied upon for critical work. A SOC2 report or ISO certification gives a great deal of useful information, for example, but it doesn’t explain the vendor’s criticality to the business, unique resilience capabilities, track record, or reputation, which are all essential dimensions in responsibly evaluating new vendors under DORA.
Smart technologists will make ICT resilience a key foundational component of the procurement process, alongside vendor pricing and features. This will not only result in a more resilient tech offering for end customers, but also help technology leaders avoid frustrating rejections and delays during downstream compliance review. That’s when DORA-driven questions will inevitably arise and help proactively build the case for selecting their vendor of choice.
Evaluating vendors for resilience and sufficiency under DORA doesn’t need to be overcomplicated - there are four primary dimensions to focus upon: (1) whether the vendor is a critical dependency, (2) the resilience capabilities of the vendor, (3) their track record and reputation, and (4) the maturity of their security and compliance program. Let’s explore each of these aspects in depth:
Is this vendor a critical dependency? – The first step in vendor evaluation is determining whether an ICT is a critical dependency. An ICT forms a critical dependency if a service disruption has the potential to disable or impair key services or organizational operations.
This determination is crucial because critical dependencies will need to undergo a more stringent review due to the unique risks they post. Before starting a procurement process for a new ICT vendor, consider carefully:
whether the ICT services being sought are integral to core functions
if a disruption of this ICT would in turn cause material disruptions to the operation of key services or organizational operations
If so, the ICT presents unique risks under DORA that must be considered.
Vendor Resilience Capabilities – Closely evaluate whether the vendor is adequately designed to ensure resilience, and what options are available to enhance resilience for its customers. In the event of technical failures, will it keep running? What about widespread outages? System wide outages? How about cloud outages?
Over-reliance on a single vendor, especially major cloud providers like AWS, GCP, and Azure, can be a serious organizational concern. DORA recognizes that this kind of vendor concentration is a significant risk to enterprises and in some cases entire industry sectors, and asks institutions to find ways to mitigate the potential harms. ICT vendors with cloud optionality or multi-cloud capabilities are uniquely positioned to help address these concerns.
Track Record – Pay careful attention to the track record of the vendors under consideration and whether their resilience claims match their historical performance. Do an extra level of diligence regarding whether the vendor has experienced prior disruptions and how well their offerings held up when put to the test.
Security & Compliance Maturity – Don’t wait until compliance team review to start spot checking the level of maturity of a critical ICT vendor. Instead, do a proactive review of compliance readiness: Does the vendor have SOC2 reports, ISO certifications or equivalent validations that demonstrate robust security and compliance practices? Evaluate if the vendor has a reputation for organizational maturity and gather superficial data points to demonstrate that reputation.
This is not a replacement for compliance review. However, if their trustworthiness cannot be objectively demonstrated to the technology team buying the services, that vendor has little hope of passing muster with compliance teams later.
DORA: more than compliance
The Digital Operational Resilience Act is more than just a compliance mandate – it forces a cultural shift in how financial institutions approach the fundamental resilience of their technology ecosystems. Meeting these challenges will require technology teams to adopt new ways of thinking about the products they build and the technology vendors they work with.
This presents opportunities for forward-thinking leaders – to not only meet regulatory requirements and avoid costly missteps, but also to build a stronger and more robust foundation for their organisation and customers. As the financial industry continues to evolve and become ever faster, smarter, and more accessible, proactively adopting the principles of DORA will position technologists as key drivers of innovation, security, and trust.
Learn how the right cloud-native distributed database fits into your DORA compliance strategy: Visit here to speak with an expert.
Daniel Hegwood is General Counsel at Cockroach Labs.
