DORA Makes Cybersecurity a Continuous Priority

DORA is not about one-off efforts. The regulation requires a long-term approach where cybersecurity is continuously tested, evaluated, and improved as an integrated part of the business.

DORA marks a new era for cybersecurity in the financial sector. But for the regulation to have real impact, more than compliance is required. Success lies in building a culture where security is tested, evaluated, and improved over time.

The Digital Operational Resilience Act (DORA) is changing how financial organizations approach cybersecurity. The regulation makes security a strategic issue and requires organizations to demonstrate that their protections work in practice. For many, this means a new way of thinking—where technology, processes, and leadership must work together.

“Those who previously viewed IT as a support function have been shocked to realize that they now need to work with security in a completely new way,” says Benjamin Svensson, senior security specialist at Assured.

Resilience as a Capability

For a long time, cybersecurity has focused on technical solutions. With DORA, the focus shifts to an organization’s ability to understand and improve its resilience over time. This means building a learning system where testing, analysis, and incident handling lead to real change.

“Sometimes we find the same vulnerabilities test after test with the same customers. That’s not what we want to see. Of course we also find new issues, but we want to see that what we previously identified has actually been fixed,” he says.

The regulation implies that resilience must be trained like any other capability. Security is no longer the result of isolated efforts, but of recurring testing and a culture that turns lessons learned into practice.

When Structure Is Missing

For large banks and financial institutions, DORA is often an extension of already established processes. They have testing routines and clearly defined roles for risk management. For smaller players—especially fintech companies—the regulation may instead require building these capabilities from scratch. Benjamin describes how smaller organizations sometimes have only one or two people in IT who carry the entire responsibility.

“For us, it’s not just about testing—equally important is helping customers truly understand the results and turn them into real improvements,” he says.

He explains that many organizations need to start small and let the structure grow in line with the business.

“It might mean starting with a risk analysis and testing a single function, and then expanding to more areas the following year,” he says.

Understanding Your Own Risks

A core principle of DORA is proportionality, meaning that requirements should be reasonable in relation to an organization’s size and risk profile. This applies both to the companies themselves and to the authorities supervising their work.

In practice, this means that a small payment service provider should not be assessed against the same requirements as an international bank, but rather in relation to its own risk level and technical capabilities.

“DORA doesn’t mean you should spend your entire budget on cybersecurity, but you do need to understand your risks and work with them in a controlled and systematic way,” says Benjamin.

He also sees a clear shift in how organizations think about cybersecurity. More and more realize that testing is not about formal compliance, but about trust in systems, processes, and their own work.

“Putting your systems to the test in real scenarios is a good way to build solid trust—both internally and externally,” he says.

What Should Financial Sector Organizations Do?

It starts with allocating resources in the right way. The point of DORA is clear: cybersecurity pays off when it is integrated into the business—not when it is treated as a separate support function. Security needs to be woven into processes, technology, and leadership from the outset.

At its core, the regulation creates a safer digital environment for the entire financial market. The earlier organizations begin, the greater the effect. A systematic approach reduces risk, strengthens resilience, and improves the conditions for both security and business success.

Want to Strengthen Your Digital Operational Resilience?

Assured helps financial organizations understand their risks, test their systems, and build the structure required under DORA.
