DORA and the Practical Assessment of Operational Resilience

DORA and the Practical Test of Operational Resilience

By Alan Stewart-Brown, VP EMEA, Opengear

Disruption in the financial services sector presents unique challenges that are rarely straightforward. Factors such as misconfiguration, the emergence of malicious traffic, or a poorly timed change can trigger a chain reaction across interconnected platforms and teams. This complexity is exacerbated in environments where systems and suppliers are tightly integrated. When such disruptions occur, identifying the source of the fault is not usually the primary concern. Instead, the key challenge lies in maintaining enough control to mitigate damage and restore services promptly before the situation escalates further.

To address these issues, the European Union has introduced the Digital Operational Resilience Act (DORA), which has been in effect since January 2025. DORA sets forth explicit expectations for firms operating within the financial services landscape: they must systematically manage IT risks, conduct resilience testing under realistic conditions, handle incidents with discipline, and govern the third-party vendors that support critical functions. The implications of non-compliance are significant, including the potential for supervisory measures, financial penalties, and remediation orders.

DORA aims to elevate industry standards regarding incident detection, regulatory reporting, and supplier oversight. It emphasizes that resilience testing should incorporate genuine stress scenarios while also ensuring that cybersecurity and IT operations are aligned and accountable at the board level. The primary objective is not to create infrastructure that never fails, but rather to cultivate organizations that can maintain command during instances of failure.

Progress and Current Landscape

More than a year into DORA’s implementation, the maturity level across the financial services sector remains uneven. While some institutions have made substantial investments in continuity and cybersecurity response, others still find themselves in the initial stages of development, often limited by both specialist resources and their tolerance for prolonged disruption.

Even where comprehensive frameworks are outlined, confidence tends to wane when organizations test their responses under realistic constraints. In scenarios where access is restricted and multiple dependencies fail simultaneously, the effectiveness of resilience strategies can come under scrutiny. A 2025 Censuswide survey reported that 96% of EMEA financial services organizations believed they still needed to improve their resilience to align with DORA’s requirements. Documentation may be in place, but true resilience manifests only when firms can act consistently across a complex blend of systems, services, and suppliers under pressure.

Challenges in Incident Management

In major incidents, visibility into issues is rarely a problem; teams can typically see what is occurring. The more significant difficulty arises in maintaining control, especially when conventional access routes are unavailable or unsafe.

A network fault can disrupt connectivity to crucial sites, while a cyber incident might instigate containment measures that intentionally reduce access. Unstable identity services can block privileged access exactly when it is most needed. Engineers may possess a thorough understanding of the fault but still struggle to reach the necessary controls to isolate affected components, stabilize essential services, and initiate recovery.

This scenario highlights a critical gap in many resilience programs. While backup and disaster recovery mechanisms may safeguard data and workloads, they do not ensure that teams can manage infrastructure during a crisis. If the production network also serves as the primary conduit for engineers to access and configure devices, a significant outage can obliterate both the service and the means to restore it. Time gets lost, not due to a lack of expertise, but because the avenues for applying fixes are cut off.

Supply Chain Disruption and Its Complications

Financial services organizations increasingly rely on shared platforms and external service providers—ranging from cloud infrastructure to outsourced applications and specialist networks. When a disruption originates within the supply chain, firms must still contain its impact and maintain essential services, often while coordinating responses with third parties facing similar issues.

The 2025 Verizon Data Breach Investigations Report noted a doubling of third-party involvement in breaches, now making up 30% of incidents. Plans that rely on the assumption that a firm can always resolve root causes internally are becoming increasingly misaligned with the realities of operational disruptions.

DORA reflects this need for heightened accountability in third-party oversight, advocating for firms to connect governance structures with operational outcomes. This requires a clear understanding of which providers support critical functions, recognizing what constitutes failure in practice, and knowing the real-time actions a firm can take when an external dependency is under duress.

Maintaining Control During Recovery

DORA pushes organizations to undergo practical tests, particularly focusing on whether they can retain operational control during severe disruptions, including instances where the primary network is incapacitated or locked down due to containment protocols.

To safeguard this control, it is beneficial to maintain a management access route separate from the production network. This independent management plane, often referred to as out-of-band management, provides a dedicated channel to critical infrastructure even when the primary network is compromised, unstable, or intentionally segmented. This separation is vital because containment measures often necessitate curtailing connectivity, which can simultaneously obstruct engineers’ access paths needed to administer repairs.

With independent access, teams can interact with network equipment and crucial systems, restore configurations to known safe states, roll back problematic changes, and re-establish minimum safe connectivity without waiting for the primary network to become operational again. This access also facilitates controlled interventions during high-risk routine activities such as software updates, configuration changes, and system migrations.

Conclusion: The Road Ahead with DORA

To comply with DORA’s stringent requirements, dependency mapping, realistic resilience testing, and robust governance structures are critical. However, the added value of independent access cannot be overstated; it provides a pragmatic solution for maintaining control when the main routes into the environment contribute to the disruption.

As more than a year has passed since DORA’s implementation, its expectations remain firm. Organizations that focus on designing their infrastructure to maintain access, minimize impact, and safely restore services will significantly reduce both operational risks during incidents and regulatory risks in their aftermath.

Alan Stewart-Brown serves as the VP EMEA at Opengear, specializing in operational resilience and secure infrastructure operations in regulated industries. He collaborates with financial services and critical infrastructure organizations on incident readiness, continuity planning, and maintaining controlled access during outages and cyber events.

Those attending DTX Manchester in April can find Opengear at booth #C101. Alan Barnett’s speaking session, "Staying in Control When It Matters Most: Building Operational Resilience with Smart Out-of-Band Infrastructure," is scheduled for Wednesday, April 29, from 15:25 to 15:50 on the Modern Infrastructure and Connected Experiences Stage.
