DORA Readiness: More Than Compliance—A Cybersecurity Imperative

The Digital Operational Resilience Act (DORA) is now in full force, yet nearly half of UK and European financial institutions remain unprepared. While much of the discussion has centered on regulatory fines and compliance deadlines, the real risk is far greater: cybersecurity and privacy vulnerabilities that threaten financial stability.

At Lorica, we see DORA as more than a compliance requirement—it’s a strategic framework for financial institutions to strengthen their security posture, mitigate cyber threats, and safeguard sensitive financial data. Institutions that embrace DORA as a foundation for resilience will be better equipped to handle evolving threats, while those that lag behind risk severe financial, operational, and reputational damage.

The DORA Mandate: Strengthening Cyber Resilience

DORA was created to ensure financial institutions can withstand major cyber events and maintain operational continuity. It focuses on five core areas:

  • ICT Risk Management – Implementing robust security controls across systems and data flows, with accountability resting on the management body.
  • Incident Reporting – Ensuring rapid detection, classification and response, with time-bound initial, intermediate and final reports for major ICT-related incidents.
  • Digital Operational Resilience Testing – Conducting regular testing, up to and including threat-led penetration testing (TLPT) for the entities that authorities designate.
  • Third-Party Risk Management – Strengthening contractual and ongoing oversight of ICT service providers, including critical cloud providers.
  • Information Sharing – Encouraging collaboration and cyber threat intelligence sharing across institutions.

Despite a two-year preparation period, only 33% of European financial firms felt fully prepared for DORA’s implementation. Many institutions cite complex requirements, legacy system challenges, and late publication of technical standards as obstacles. Yet, the reality is that financial institutions can no longer afford a reactive approach to cybersecurity.

Beyond Compliance: The Real-World Impacts of DORA

Non-compliance with DORA extends far beyond fines—it exposes financial institutions to severe operational, privacy, and reputational risks:

  • Regulatory Enforcement – EU regulators have signaled active enforcement, with powers that extend to restricting the business activities of non-compliant firms.
  • Data Breaches & Trust Erosion – Financial institutions hold vast amounts of sensitive customer data; weak resilience increases the likelihood and impact of breaches and damages consumer trust.
  • Operational Disruptions – Without strong resilience frameworks, institutions are more vulnerable to cyberattacks and ICT failures that can halt operations and disrupt transactions.
  • Third-Party Risk Exposure – Providers that cannot meet DORA's contractual and oversight requirements risk losing financial-sector business, especially with EU-based clients.

The CrowdStrike IT outage of July 19, 2024, caused by a faulty content update to a widely deployed endpoint agent rather than by an attack, underscored the urgent need for resilience: a single supplier's change took down systems across the financial sector and beyond. In response, multiple countries beyond the EU are exploring similar regulations to protect banking services from supply chain failures and future cyber threats.

Privacy-Enhancing Technologies: A Solution for Compliance and Security

A key component of DORA's ICT risk-management requirements is securing financial data throughout its lifecycle: at rest, in transit, and in use. Conventional encryption covers the first two states, but data must normally be decrypted before it can be processed, which leaves plaintext exposed in memory on the processing system. That in-use window is exactly where attackers who have gained access to a running host, a hypervisor, or a cloud provider's infrastructure increasingly focus.

Privacy-enhancing technologies (PETs) offer a powerful solution:

  • Fully Homomorphic Encryption (FHE) – Enables arbitrary computation directly on ciphertexts: the processing party never holds the key, and the encrypted result decrypts to the same value that computing on the plaintext would have produced. The trade-off is performance, since FHE remains orders of magnitude slower than plaintext computation.
  • Confidential Computing – Uses hardware-based Trusted Execution Environments (TEEs) to isolate code and data in memory that is encrypted at runtime, shielding them from the host operating system, the hypervisor, and other tenants. Remote attestation lets the data owner verify which code is running on which platform before releasing data to it. TEEs shrink the trusted computing base but do not eliminate it; side-channel attacks remain a consideration when threat modeling them.
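To make the "computation without decryption" property concrete, here is an added example that is not code from the original post or from Lorica. It implements the Paillier cryptosystem in plain Python from the standard library only. Paillier is additively homomorphic, not fully homomorphic (it supports adding ciphertexts and multiplying a ciphertext by a plaintext constant, but not multiplying two ciphertexts, which FHE adds), so it is used here purely to show the mechanics: a party holding only the public key sums encrypted transaction amounts and never sees a single plaintext. The transaction amounts and the 256-bit key size are constructed for the example; a deployment would use 2048-bit or larger keys.

```python
import random
from math import gcd

# Constructed sample data: transaction amounts in cents, held by the data owner.
SAMPLE_AMOUNTS = [1250, 3099, 87, 45000]


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic, stdlib only)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime of exactly `bits` bits (top and low bit forced to 1)."""
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def keygen(bits=256):
    """Paillier key pair. Public key (n, g=n+1); private key (n, lambda, mu)."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        if p != q and gcd(p * q, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                            # valid because g = n + 1
    return (n, n + 1), (n, lam, mu)


def encrypt(pk, m):
    """c = g^m * r^n mod n^2 with fresh random r, so equal plaintexts give different ciphertexts."""
    n, g = pk
    n2 = n * n
    while True:
        r = random.randrange(1, n)
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(sk, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n, lam, mu = sk
    n2 = n * n
    u = pow(c, lam, n2)
    return ((u - 1) // n * mu) % n


def add_encrypted(pk, c1, c2):
    """Homomorphic addition: multiplying ciphertexts adds the plaintexts."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def scale_encrypted(pk, c, k):
    """Homomorphic scalar multiplication: c^k encrypts k * m."""
    n, _ = pk
    return pow(c, k, n * n)


def encrypted_total(pk, ciphertexts):
    """What an untrusted processor can do with only the public key: sum the batch."""
    total = encrypt(pk, 0)
    for c in ciphertexts:
        total = add_encrypted(pk, total, c)
    return total


def demo(bits=256):
    """Data owner encrypts; processor sums and doubles blind; owner decrypts the results."""
    pk, sk = keygen(bits)
    ciphertexts = [encrypt(pk, a) for a in SAMPLE_AMOUNTS]
    total_ct = encrypted_total(pk, ciphertexts)          # processor side, no key
    doubled_ct = scale_encrypted(pk, ciphertexts[0], 2)  # processor side, no key
    return decrypt(sk, total_ct), decrypt(sk, doubled_ct)


if __name__ == "__main__":
    print(demo())  # (49436, 2500)
```

Two design points matter in practice. Encryption is randomized, so a processor cannot even tell whether two ciphertexts hold the same amount, which is the minimum a financial workload needs. And because the scheme is only additively homomorphic, any workload needing products of encrypted values (risk scores, interest calculations) requires an FHE scheme such as BFV, BGV or CKKS, at a far higher computational cost.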

By integrating PETs, financial institutions can go beyond compliance to proactively enhance data security and reduce exposure to breaches and cyberattacks.

2025 and Beyond: A New Era of Financial Cybersecurity

DORA is set to reshape financial cybersecurity far beyond its immediate enforcement:

  • Increased adoption of Privacy-Enhancing Technologies (PETs) in the financial sector.
  • Development of new tools and services to facilitate compliance.
  • Advancements in secure cloud computing and confidential computing technologies.

At Lorica, we believe privacy and security should be embedded into financial operations—not treated as afterthoughts. The institutions that treat DORA as a catalyst for security innovation will be the ones that define the future of financial resilience. For those still catching up, the time for action is now—because cyber threats won’t wait for compliance deadlines.