By Swaminathan Ramani, Programme Test Manager · 27th May 2025
When the Digital Operational Resilience Act (DORA) compliance deadline came and went, many financial institutions probably breathed a quiet sigh of relief. Another requirement handled. Another regulation checked off.
But here’s the thing: if you see DORA as the finish line, you’re missing the bigger opportunity.
DORA isn't just about staying on the right side of regulators. It's a shift in thinking. It's about building digital resilience that holds up when pressure hits. For tech leaders in financial services, this means going beyond compliance and focusing on capability.
Resilience isn’t software. It’s a state of mind.
You can’t download resilience like you would a new tool. It must be built into how your teams operate, how systems behave and how your organisation responds when things go wrong.
Still, time after time, we see well-resourced programmes fall short. Not because they’re missing technology, but because the challenge was framed in the wrong way. Resilience is too often treated like a deliverable rather than a principle. That’s where the cracks start to show.
Based on our experience working with large-scale digital transformation projects, here are three issues that regularly trip teams up. They have nothing to do with code and everything to do with approach.
1. Everyone’s heard of DORA, but not everyone understands it
Awareness tends to be assumed, but in reality, it’s often uneven.
Many teams view DORA as something that sits within IT or compliance. Risk managers start their workstreams, technology leads set up roadmaps and, elsewhere in the business, things carry on as usual. But when an incident happens, it’s not just the back office that’s affected.
If product owners, developers, customer teams and even external partners don’t understand their role in maintaining resilience, they can’t contribute effectively. And when systems are under pressure, that lack of clarity becomes a serious problem.
Instead of giving everyone the same generic briefing, tailor the message. Provide practical context. Explain why resilience matters in their corner of the business. When that understanding takes hold, teams start to anticipate issues rather than just respond to them.
2. Functionality is fine. Until it isn’t.
Building a system that works on a normal day is one thing. Keeping it working when things start to go wrong is something else entirely.
This is where non-functional requirements (NFRs) matter: performance, failover, recovery, accessibility. These qualities often fly under the radar during development. They don't create buzz in demos and rarely get discussed during planning. But ignore them and you're left with systems that are fragile when it counts.
The systems that hold up under pressure are the ones where these “behind-the-scenes” qualities are prioritised early. Don’t treat them as optional. Integrate them from the beginning, test them under realistic conditions and make sure they’re part of your definition of ‘done’.
3. Vendors aren’t always on the same page
Third-party suppliers are essential to how financial firms operate. But too often, organisations assume vendors are just as ready as they are.
Some partners are already aligning their practices to meet DORA’s requirements. Others are still catching up. When those gaps go unnoticed, they introduce friction, delays and sometimes real compliance risks.
The answer isn’t more control. It’s more communication. Get vendors involved early. Share plans, define expectations and create space for joint testing. When suppliers understand the stakes and feel part of the process, they tend to show up with more commitment and clarity.
What should leaders focus on now?
Compliance may be complete, but the real work is just getting started. This is the time to embed resilience into how your organisation thinks and works.
There are four places where leadership attention can make a measurable difference:
- Testing strategies that reflect real-world pressure, not just ideal conditions
Think beyond whether a system works on paper. Ask whether it can handle three times the expected load. What if a critical service fails? What if cloud latency spikes? Teams need the tools and authority to explore these questions with environments that mirror actual risk, not scaled-down versions.
- Training that makes sense for each role
A single training deck won’t cut it. Different teams face different risks and responsibilities. DevOps needs one kind of preparation. Customer service needs another. Make the training short, specific and easy to repeat. Better yet, turn it into something practical. Simulate real scenarios and help teams build muscle memory.
- Executive support that stays visible
Resilience doesn’t gain traction without senior leaders pushing it forward. That includes setting the tone, aligning budgets and supporting teams that raise issues early. It also means treating resilience goals as part of the wider business strategy, not just a line in the audit plan.
- Vendor collaboration that’s built on shared responsibility
Contracts help, but relationships matter more. Invite suppliers into planning conversations. Run readiness sessions together. Establish a common understanding of what good looks like. When vendors feel included, they’re more likely to invest effort and raise their game.
These steps aren’t complicated, but they do require commitment. And a willingness to prioritise long-term strength over short-term speed.
What’s next? Making resilience real
At 2i, we’ve worked with organisations across heavily regulated sectors to make resilience more than just a buzzword. Whether it’s testing systems under stress, shaping training that fits real-world needs or building practical frameworks for cross-functional teams, we help technology leaders deliver predictable outcomes.