The January 2025 panic is well and truly over. But for the financial sector’s most successful leaders, the real work, and the real reward, has only just begun. We explore how the Digital Operational Resilience Act has shifted the conversation from “avoiding fines” to “protecting revenue.”

While many viewed the Digital Operational Resilience Act (DORA) as a compliance burden, the last twelve months have revealed its true function: it is a blueprint for uptime. We are now seeing tangible proof that the specific mechanisms DORA enforces, namely rigorous digital testing and deep-tier supply chain mapping, are doing more than satisfying regulators. They are preventing revenue-killing outages.

To understand why, we have to look at the cultural shift that occurred in the boardroom.

The Outages That Didn’t Happen

It is hard to believe that a full year has passed since the 17 January deadline. Cast your mind back to late 2024: the frantic gap analyses, the late nights scrutinising ICT third-party contracts, and the scramble to map critical functions.

For many, that was the finish line. But for the “winners” of 2025, it was the starting gun for a new era of active defence.

“Many organisations view DORA purely as a regulatory hurdle,” says Chris Newton-Smith, CEO of ISMS.online. “But the most critical shift businesses should be making is to ask the right questions about their compliance. Too many focus on ‘Are we compliant?’ when the more valuable question is ‘Does our compliance actually help us continue operating when something goes wrong?’”

As Newton-Smith notes, when you shift the mindset, “compliance very quickly stops being a tick-box exercise and starts actively protecting the organisation.”

Perhaps the most significant impact of DORA has been the “invisible victories”, the outages that never occurred.

To understand the magnitude of this shift, we need to look at the industry’s mindset just as the rules came into force. Etienne Bouet, a Senior Manager at consultancy Wavestone, warned in January 2025 that the industry risked missing the point if it focused only on the paperwork.

“DORA should not be seen merely as a compliance exercise,” Bouet noted at the time. “Yes, there are regulatory requirements to meet, but the real challenge lies in building resilience… compliance alone is insufficient if it doesn’t come with genuine improvements in resilience.”

Those who heeded that advice are now reaping the rewards. In the last twelve months, we have seen organisations move from having a “paper shield”, policies that say they are secure, to an “Iron Dome” of active defence. This wasn’t optional. The DORA requirement to demonstrate how you would recover from a severe ICT disruption forced teams to test their theories.

The result is a landscape of systems that actually recover. When minor cloud configuration errors hit payment processors earlier this year, the DORA-compliant banks didn’t go dark. Their redundancy protocols, tested and refined under DORA’s pillar of digital operational resilience testing, kicked in automatically.

A New Era of Maturity

This shift marks a maturation of the industry. For years, the FinTech sector in particular was defined by rapid growth, often at the expense of stability. DORA has effectively forced a “grown-up” conversation about risk.

By mid-2025, the strain of this transition was visible. A Censuswide survey released in July 2025 revealed that six months into the regime, 96% of EMEA financial organisations still felt their data resilience “wasn’t where it needs to be.”

That statistic highlights a divide in the market. On one side, the 96% who were struggling to retrofit resilience into legacy systems. On the other, the agile “winners” who used DORA as a blueprint to modernise their architecture.

For the winners, the “end of move fast and break things” is what the Board now cares about. When presenting end-of-year reports, security leaders are no longer just listing compliance status. They are listing the estimated revenue saved because systems stayed up when competitors didn’t.

Supply Chain: The “Puzzle” of Interconnection

If 2024 was the year of “trusting” vendors, 2025 and 2026 have been the years of monitoring them. The reliance on third parties was always a known risk, but DORA forced organisations to quantify it.

Olaf Jonkers, Chief Internal Security Officer at the digital identity platform itsme, highlighted this shift in accountability back in February 2025.

“DORA ensures that ICT providers delivering services to FSIs are held adequately accountable for maintaining strong internal governance,” Jonkers explained. “This is very important because FSIs’ growing reliance on ICT providers means that a system crash or breach can suddenly reduce operations to a small fraction.”

DORA’s focus on ICT Third-Party Risk Management (TPRM) forced organisations to map these dependencies. Security teams likely discovered that a “critical” function relied on a vendor who relied on another vendor who had no backup plan.

The initial mapping was painful. But the operational benefit has been immense. We are no longer blindsided by fourth-party failures. In the past, a vendor outage was a valid excuse: “It’s not our fault, it’s the cloud provider.” That excuse no longer flies with customers, and certainly not with regulators. Because of DORA, exit strategies and multi-vendor setups for critical functions are now standard practice.

Compliance as a Value Driver

The danger in this “post-deadline” world is complacency. The risk landscape changes daily; if resilience documentation is static, an organisation is already non-compliant.

We have seen many teams struggle over the last year because they treated DORA as a “one-and-done” project. They built their Register of Information in Excel, filed it, and haven’t looked at it since. That data is now obsolete.

“The priority is to keep compliance ‘alive’ and operational,” advises Newton-Smith. “We see that frameworks like DORA deliver the most value for businesses when their leadership has a real-time view of compliance… That means businesses have to move beyond static documents and manual tracking towards tools that offer continuous oversight.”

Managing dynamic operational resilience with static tools is no longer feasible. Security leaders need a “live” view of risk. If a key supplier’s security certificate expires, the risk register should update immediately.

Resilience is Revenue

The “fear, uncertainty, and doubt” (FUD) era of selling cybersecurity is over. DORA has pushed the industry into the era of resilience as a value driver.

The organisations winning in 2026 will not be the ones who just scraped a “pass” last January. They are the ones who used the framework to harden their operations. They are experiencing fewer downtime events, managing vendor risks proactively, and sleeping better at night knowing their recovery plans actually work.

To understand the true value of this shift, leaders should look back at their incident logs for the last six months. By identifying “near misses” that were caught by controls implemented for DORA, and calculating the potential cost had those incidents escalated into full outages, the financial reality becomes clear. That figure, the cost of the disaster that didn’t happen, is the true value of compliance. The deadline is gone, but the era of stability is here for those with the tools to enjoy it.