DORA: A new GDPR (RODO) or a hidden vein of gold for the IT industry?

Izabela Myszkowska
Image: Rob Wilkinson / Adobe Stock

The date of 17 January 2025 is firmly on the calendars of the European financial sector and its thousands of technology partners. That is the day on which DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554, in force since January 2023) became applicable, marking the beginning of a new era of shared responsibility for them.

Behind the scenes in the IT industry the question immediately arose: is this a repeat of GDPR (known in Poland as RODO), with years of preparation, uncertainty and costs? Or, on the contrary, a precisely defined opportunity for growth?

The truth is that DORA is much more than an obligation. It is a detailed plan of technology and service needs that smart IT companies can turn into concrete contracts.

Unlike GDPR, which protects personal data, DORA protects entire operational processes and the ICT systems behind them, a much broader and more technical field of operation, and thus a hidden vein of gold for technology providers.


To understand the scale of these opportunities, it is enough to translate the dense language of the regulation into concrete market demand.

DORA defines in five pillars what the financial sector and its partners will have to pay for (the regulation itself groups them as ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, ICT third-party risk, and information-sharing arrangements; the ordering below follows the market logic rather than the text of the regulation). The first pillar, ICT risk management, forces organisations to understand their own infrastructure in depth.

This is no longer a time for guesswork – companies need to know exactly what digital assets they have, how they are interconnected and where their weaknesses lie.

Such a requirement directly generates demand for advanced penetration testing, Red Team exercises and attack surface management (ASM) platforms that let an organisation look at itself through the eyes of an attacker.

At the same time, the second pillar, focusing on third-party risk, is revolutionising supplier relationships. The era of relying on certificates and declarations is coming to an end.

Financial institutions are now obliged to continuously monitor and audit their partners, opening up a large market for Vendor Risk Management (VRM) platforms and for consultancy services that help create and maintain the legally required register of information on contractual arrangements with ICT third-party providers (Article 28(3) of DORA), which must be made available to the competent authority on request.

Subsequent requirements deepen this transformation, shifting the focus from analysis to action.

The third pillar, ICT-related incident management, requires structured and tested response processes, a classification scheme for incidents, and the reporting of major ICT-related incidents to the competent authority within prescribed deadlines.

This means an increase in demand for the implementation and operation of SIEM/SOAR systems that automate detection and response, and for continuous readiness services (Incident Response Retainers) that guarantee access to experts at the moment of crisis.

Crisis simulations, so-called tabletop exercises, have gone from being a niche practice to becoming the standard.

The fourth area, change management, introduces rigour into implementation processes. In the regulation it sits inside the ICT risk-management framework rather than forming a pillar of its own, but for providers it is a distinct market: every new application and every infrastructure upgrade must be assessed for its impact on operational resilience before it goes live.

This, in turn, creates ideal conditions for companies specialising in DevSecOps methodologies that integrate security into the entire software lifecycle, and for tools that monitor the integrity of systems.

The final, fifth pillar, digital operational resilience testing, ties all the previous ones into a coherent whole. Organisations must not only test their systems regularly, but also be able to prove their maturity to auditors.

This is a breeding ground for providers of GRC (Governance, Risk, Compliance) platforms that automate evidence collection, and for specialised companies capable of conducting the most advanced tests, such as Threat-Led Penetration Testing (TLPT), which simulates real, targeted attacks against live production systems and which designated financial entities must undergo at least every three years (Article 26).

In this way, these five areas of DORA form a coherent demand ecosystem covering the entire cyber security lifecycle, from risk identification, protection and detection to response, reporting and audit.

This new reality fundamentally changes the market dynamics. “DORA-Ready” or “DORA-Compliant” status ceases to be a mere marketing slogan and becomes a hard currency in tenders and a key criterion for the financial sector to select a supplier.

IT companies that have already invested in aligning their services, processes and products gain a powerful competitive advantage. They are able not only to meet customer requirements, but also to proactively help them achieve compliance, positioning themselves as a strategic partner.

Those organisations that ignore this trend risk being progressively marginalised and cut off from one of the most lucrative and stable sectors of the economy. It becomes crucial to proactively communicate their readiness for DORA – in company materials, in sales conversations and in the very architecture of the solutions offered.

DORA is therefore not another bureaucratic hurdle, but a precise roadmap. It indicates the areas in which the financial sector, under the threat of severe penalties, simply has to invest. For the technology industry, the question is not “if”, but “how quickly” it will turn these regulatory requirements into innovative offerings.

The winners of the DORA era will not be those who merely passively adapt, but those who guide their clients through this complex process. It is time to stop treating DORA as a task for lawyers and start seeing it as a strategic challenge for engineers and business development visionaries. The market has already been created and its rules clearly defined. All we need to do is reach for it.
