Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Monday, 6 July, 2026
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

When DORA Goes From Afterthought to Commercial Imperative

Bulletproof from WorkNest's Head of Compliance, Luke Peach looks at how organisations are taking DORA more seriously than ever.

by Guru Writer
February 17, 2026
in Insight, Opinion
When DORA Goes From Afterthought to Commercial Imperative
Share on FacebookShare on Twitter

If you had asked me in 2024 how seriously firms were taking DORA, my honest answer would have been that only around the top 20 per cent of impacted organisations were truly focused on it. These were typically the more risk averse, forward thinking businesses that tend to move early on regulatory change. Even then, many struggled to embed DORA into compliance as usual activities, whether because of stretched resources, limited budgets or complications within their IT supply chains.

Now, more than halfway through 2025, the picture has shifted significantly. Organisations are beginning to understand just how demanding DORA really is. It is no longer viewed as a future requirement. It is appearing in onboarding questionnaires and supplier due diligence processes. In some cases, it is influencing commercial decisions and costing organisations lucrative deals. Like many new regulations, it enjoyed a brief honeymoon period where it was seen as progressive but not yet widely enforced. That phase has passed. DORA is now moving into the same territory as GDPR, where compliance is increasingly expected rather than admired.

The Real Barriers to Compliance

There are several hurdles that firms are encountering.

First, there is the ongoing challenge of supplier oversight. Ensuring IT providers have the appropriate controls in place has always been complex, but DORA raises the bar by placing additional emphasis on resilience testing and incident response capabilities. With supply chains becoming longer and more layered, maintaining visibility and assurance across every link is becoming significantly harder.

Then there is compliance fatigue. Many organisations feel they are constantly responding to new regulatory demands. DORA is, in practical terms, another framework that needs to be interpreted, implemented and evidenced. That can create resistance internally, particularly where teams are already managing ISO standards, GDPR obligations and sector specific requirements.

Cost is another significant barrier. Threat Led Penetration Testing, which is a core requirement under DORA for certain entities, can be eye wateringly expensive. We are talking figures that can exceed one hundred thousand pounds. While this testing is typically required once every three years, it still represents a substantial investment. On top of that, firms must fund resilience improvements, tooling, training and further testing activities.

A final challenge is timing. DORA came into force in January 2025, yet many firms only began taking it seriously around that date. As a result, they are now playing catch up. Some are technically non compliant while they work through remediation programmes. That creates both regulatory risk and commercial pressure.

The Most Challenging Areas

In my experience, two elements of DORA stand out as particularly demanding.

The first is resilience testing. Beyond cost, the scale and coordination required can be considerable. A threat led penetration test that meets DORA requirements is not a routine scan. It is a complex exercise that requires an experienced third party and significant internal engagement. Someone within the organisation must own the process, coordinate stakeholders and ensure findings are addressed properly.

The second challenge lies in legal and contractual complexity. Achieving compliance across layered vendor relationships is not straightforward, especially where smaller providers are involved. Many existing IT contracts simply do not meet DORA standards. That means legal reviews, amendments to agreements and potentially difficult conversations with suppliers. 

Those changes can introduce friction and strain commercial relationships.

What Happens Next

One of the realities of any new regulation is that clarity evolves over time. GDPR is a useful example. Each new fine or enforcement notice has provided the market with clearer guidance on what is acceptable and what is not. DORA will follow a similar path.

While that eventual clarity is helpful, the period before it arrives can be uncomfortable. Organisations may invest heavily in controls and processes that they genuinely believe meet regulatory expectations, only to find later that interpretations have shifted or that supervisory authorities expect something more. That uncertainty can lead to frustration.

There is also a risk that some firms will delay action altogether, choosing to wait until enforcement patterns are clearer. I would not recommend that approach. The longer organisations postpone meaningful progress, the more difficult and expensive compliance becomes.

How Organisations Can Get on the Front Foot

The most effective starting point is to engage a qualified DORA specialist who understands both the regulatory intent and the practical implications. A structured gap assessment against current DORA requirements provides a clear baseline. From there, an action plan can be developed, prioritising areas of highest risk and impact.

At the same time, organisations should plan early for Threat Led Penetration Testing. These exercises can take months to prepare and execute. From a financial perspective, it is important to budget for this on a recurring three year cycle so that the cost does not come as a surprise.

Ultimately, the journey can be simplified into three stages. First, check what you have against what is required. Second, fix what is missing or insufficient. Third, maintain and audit your position to ensure compliance remains embedded rather than reactive.

DORA is not a passing regulatory trend. It represents a structural shift towards operational resilience and demonstrable assurance. Firms that treat it as a strategic priority rather than a compliance burden will not only reduce regulatory risk but strengthen their commercial credibility. Those who delay will find the cost of catching up far greater than the effort of starting now.

Author: Luke Peach, Head of Compliance – Bulletproof from WorkNest

Tags: cybersecurityDigital Operational Resilience ActDigital ResilienceDORAResilience
ShareTweet
Previous Post

Black Duck Expands Polaris Integrations to Streamline Enterprise DevSecOps Across Major SCM Platforms

Next Post

Next Gen Spotlights: Trailblazing A Mindful, People-First Approach to Cyber – Q&A with Cyber Innovations Ltd.

Recent News

pentesting

Pentesting is dead. Long live pentesting.

July 3, 2026
AI Appreciation Day: Celebrating Progress, Embracing Responsibility

The industries being reimagined by AI

July 2, 2026
geopolitical cyber report

Iran-linked MuddyWater espionage campaign targets organisations across four continents

July 1, 2026
Check Point Brings Cloud Firewall to AWS European Sovereign Cloud

Check Point Brings Cloud Firewall to AWS European Sovereign Cloud

July 1, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2024 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2024 IT Security Guru - Website Managed by Dessol