What good are cybersecurity standards if there’s no way of telling whether or not those standards have been met?
It’s a question that’s plagued regulators on both sides of the Atlantic for decades, and with almost half (43%) of UK businesses reporting a cybersecurity incident in the past 12 months, those standards matter more than ever.
That’s particularly true in areas like finance, where cyberattacks are on the rise and some 61% of UK firms are now scrambling for external information and guidance.
Enter DORA, or the EU’s Digital Operational Resilience Act (DORA). Years in the making, DORA finally came into effect a bit more than 6 months ago, on January 17, 2025. At its core, it was designed to harden the financial sector against digital disruption.
While DORA doesn’t directly apply to financial firms in the UK, the vast majority do business closely with EU member states, so they’ll need to ensure they’re ready to comply.
Principal Cyber Security Strategist at Infoblox.
Banks, insurers, and service providers know the legislation is designed to harden the sector against ICT-related disruption, and few would question the importance of that goal.
Yet knowing and doing are very different things. Much like earlier rounds of regulation, many organizations are treating compliance as a matter of checking boxes rather than reshaping practices.
According to one study from January 2025, just as DORA came into effect, some 43% of UK banks were still unprepared for it, leaving them incredibly vulnerable to loss of businesses and compliance friction.
Operational resilience – the very heart of DORA – requires new baselines, built into core systems and processes, that ensure the industry can withstand disruption without systemic fallout.
That shift is proving easier said than done. The language of the regulation leaves plenty of room for interpretation, budgets are tighter than ever, and IT and security teams already stretched thin are left grappling with how to turn policy into practice.
The result is what many inside the sector describe as “audit anxiety” – a state of heightened awareness but limited clarity on the path to true compliance.
Large organizations can dedicate entire teams to decoding regulatory language and aligning it with internal processes, but smaller firms often lack the same bandwidth.
In both cases, the risk is the same: without embedding resilience into the critical services that underpin finance, compliance becomes an administrative exercise rather than a genuine defense against disruption.
The reality of audit anxiety
For financial firms and institutions, the first real challenge of DORA isn’t technology at all – it’s interpretation. The regulation’s language around IT risk management and resilience frameworks is intentionally broad, but that vagueness can leave firms second-guessing how to put compliance into practice.
The result is what industry insiders are calling “audit anxiety.” IT and security teams already facing tight budgets and lean staffing must now devote precious time to decoding policy and aligning it with day-to-day operations.
Large institutions may be able to spin up specialist compliance groups, but for mid-sized and smaller firms, the burden often falls on overstretched teams who are expected to keep the lights on and deliver transformation projects at the same time.
That pressure creates a rather dangerous scenario. Many organizations already possess the tools and processes that can support DORA compliance – protective DNS (PDNS) for instance – but because of uncertainty around how to frame them against the regulation, those assets go underused. The gap between awareness and execution continues to widen.
Without clear, actionable processes to connect regulation with operations, firms risk reducing DORA to another annual audit exercise, precisely the kind of reactive, check-the-box behavior the law was designed to disrupt.
DNS: the “Tier 0” blind spot
One of the most overlooked elements of digital resilience sits at the very foundation of the internet: the Domain Name System (DNS). Often treated as a background utility that “just works,” DNS is in reality a “Tier 0” service – if it fails, every other service fails with it.
No transactions can be processed, no customer communications can take place, and no critical applications can be reached.
That makes DNS resilience central to DORA’s vision of operational continuity, even if many organizations don’t yet recognize it.
Operational ownership is something many organizations will need to evaluate closely, because security teams typically have limited visibility into DNS processes, and those that do have visibility are more concerned with its functionality than its security potential.
And the stakes are larger than any single institution. In a highly interconnected financial ecosystem, the outage of one firm’s DNS infrastructure can ripple quickly across partners, suppliers, and customers.
What looks like an isolated technical issue can become a systemic disruption, undermining confidence and stability across the sector.
By elevating DNS from background function to frontline defense, firms can not only strengthen their own resilience but also contribute to the wider stability DORA is designed to safeguard.
Overlapping mandates and rising complexity
DORA is not the only framework financial institutions must contend with. At the same time as they work toward operational resilience under EU law, firms are also expected to meet the requirements of other mandates such as NIS2.
Each brings its own language, scope, and reporting obligations, creating an overlapping web of compliance that can overwhelm already stretched IT and security teams.
Instead of a single, clear objective, organizations face the challenge of juggling multiple regulatory lenses, each of which frames resilience in slightly different terms.
This complexity is only compounded by the interconnected nature of modern finance. A failure in one institution’s infrastructure, such as a DNS outage, can quickly cascade across the wider ecosystem of vendors, partners, and customers.
Delaying investment in resilience only makes this problem harder to manage. Threat actors continue to evolve, new risks emerge, and regulatory scope is likely to broaden in response.
Without a strategic, multi-framework approach, firms risk falling into a perpetual cycle of reactive fixes, racing from one compliance deadline to the next without ever strengthening the core services that DORA and its counterparts are designed to protect.
A strategic path forward
The most effective way to cut through this complexity is to think of compliance as a mindset rather than a series of disconnected obligations. Instead of tackling each mandate in isolation, financial institutions can align themselves with established frameworks that map across multiple regulations.
The updated NIST SP 800-81, for example, provides detailed best practices for DNS security and resilience. Because it is already referenced in NIS2, adopting it can help firms strengthen a Tier 0 service while also satisfying overlapping requirements.
This “one effort, many outcomes” approach reduces duplication, lowers costs, and embeds resilience into the very systems that regulators care most about.
Ultimately, DORA is more than just another compliance hurdle; it’s an opportunity to harden the foundations of finance. By elevating DNS and other Tier 0 services from overlooked utilities to critical pillars of resilience, firms can move beyond audit anxiety and tick-box exercises.
In other words, organizations need to stop thinking of compliance as a way of “avoiding penalties” and create an infrastructure capable of withstanding disruption without spreading instability both internally and across the broader financial ecosystem.
Viewed this way, compliance becomes what it was always designed to be – a blueprint for long-term operational strength.
We’ve featured the best encryption software.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:
