Overview
Key Findings
The Digital Operational Resilience Act (DORA) Regulation (EU) 2022/2554 is not solely a cybersecurity responsibility; it requires continuous, cross-functional collaboration across cybersecurity, legal and compliance, enterprise risk management, procurement, business continuity, and IT.
DORA compliance and cyber resilience are interdependent; both are critical to achieving the organization’s strategic objectives. Cybersecurity leaders should view DORA as an opportunity to secure executive support for continued cyber resilience investment.
Cybersecurity leaders struggle to interpret the multitude of requirements and produce essential DORA compliance documents such as the ICT Risk Management Framework, DORA Strategy, and Information Register and incident reporting, creating risks to timely and effective regulatory adherence.
Cybersecurity leaders and their teams continue to struggle with implementing automated real-time monitoring and achieving complete visibility over critical business functions, posing a barrier to effective DORA compliance.
Recommendations
Establish executive sponsorship, build cross-functional resilience teams, and enforce accountability to make DORA compliance an enterprisewide priority that protects critical business services, not just a compliance checkbox.
Integrate DORA requirements into existing frameworks, prioritizing operational resilience over audit documentation. Conduct gap assessments, refine artifacts, and assign clear ownership to streamline compliance, maximize current investments, and strengthen cyber-risk management.
Implement automated, real-time monitoring across all critical functions to ensure continuous visibility, proactive risk management, and sustained operational resilience, making DORA compliance a driver of ongoing cyber resilience.
Introduction
The European Union’s Digital Operational Resilience Act (DORA) establishes rigorous, harmonized cybersecurity and ICT risk management standards for all financial entities operating in or with a presence in the EU, including critical third-party service providers.
Interpreting and operationalizing DORA’s Implementation Technical Standards (ITS) and Regulatory
Technical Standards (RTS) present significant challenges for cybersecurity leaders. This includes when organizations treat operational resilience as a finite project rather than a continuous, enterprisewide program, resulting in fragmented compliance efforts, poor cross-functional integration, and limited alignment with existing frameworks.
Cybersecurity should not own or be accountable for DORA Compliance; this is an Enterprise capability that must be delivered across Cybersecurity, IT, and the broader business functions.
Failure to address these complexities risks noncompliance, heightened operational and regulatory risk, and ineffective resilience strategies. Consequences include substantial financial penalties up to 2% of global turnover for financial institutions, individual fines up to €1 million, and up to €5 million for critical third parties, as well as exposure to additional regulatory breaches and diminished ability to withstand sustained cyberattacks.
Siloed ownership and poor visibility undermine the digital operational resilience essential for DORA compliance. Cybersecurity leaders must drive clear accountability, embed compliance across functions, and deploy real-time monitoring to ensure sustained resilience and regulatory adherence.
Figure 1: DORA Accountability, Integrated Compliance and Real-Time Monitoring

Analysis
Establish executive-level sponsorship and cross-functional resilience teams to ensure DORA becomes an enterprisewide concern.
DORA elevates digital operational resilience from a technical concern to a strategic, enterprisewide mandate. Executive and board oversight is critical; organizations must integrate cybersecurity, business continuity, and operational resilience to protect revenue, profitability, and reputation.
Achieving and sustaining DORA compliance will not be possible without ongoing investment in a sustained and continuously improving cyber resilience program.
Ensuring DORA compliance demands active engagement and collaboration with stakeholders across IT, risk, compliance, operations, procurement, and communications. A cross-functional approach ensures robust planning, implementation, and ongoing alignment with DORA, enabling organizations to proactively manage evolving digital threats more effectively.
Digital operational resilience cannot reside within a single function. It is an organization-wide responsibility, requiring coordinated effort and shared accountability (see Figure 2).
Managing ICT risks
Responding to incidents
Testing operational resilience
Overseeing third-party dependencies and
Meeting regulatory requirements.
Figure 2: DORA Pillars for Compliance

What Cybersecurity Leaders Must Do:
Secure Executive Sponsorship:
It is critical that senior executives and the board understand and prioritize operational resilience. Draft and deliver regular, targeted briefings that clearly articulate the strategic business risks, operational, regulatory implications, and financial impact of resilience failures. Communicate the benefits of a cyber resilience program and include elements such as enabling the continued delivery of the corporate objectives and revenue-generating activities. Advocate for resilience as a strategic priority, not a one-time compliance project that is run as a program similar to existing Cybersecurity or Privacy programs with executive buy-in.
Form a Cross-Functional Resilience Team:
DORA’s requirements span multiple functions: IT, cybersecurity, enterprise risk management, procurement, legal and compliance, and business operations. Gartner sees that overarching Organizational resilience should ideally be owned by the CRO, Chief Risk Officer, or CFO Chief Financial Officer as the Executive Sponsor. Overarching organizational resilience should therefore be sponsored at the executive level by the Chief Risk Officer (CRO) or Chief Financial Officer (CFO). Organizations should establish a cross-functional resilience team with clear mandates and representation from all relevant risk areas. This team must be empowered to drive integrated decision making and ensure accountability for resilience outcomes, but also bring the various risk areas together. Gartner has observed that where this has been done successfully, organizations have established a transformational resilience team to drive not only DORA compliance but also Operational Resilience. (Figure 3) DORA or Resilience is not the sole responsibility of the Cybersecurity leader or IT. However, they would feed into the requirements for compliance within the scope of their functional services.
Define and Communicate Roles and Responsibilities:
A RASCI for DORA needs to be developed, even if a cross-functional team or transformational team cannot be created. Cybersecurity leaders should develop and implement a DORA-specific RASCI matrix to avoid fragmented or siloed risk management. This tool should clarify who is responsible, accountable, supporting, consulted, and informed for every aspect of resilience, ensuring transparency and collaboration across the organization. Gartner clients can leverage the Gartner RASCI tool and customize it to meet DORA Requirements: Tool: Cybersecurity Program RASCI Matrix.
Figure 3: DORA/Resilience Needs to Be a Program, Not a Project

Organizations most successful in achieving DORA compliance are those that integrate cyber risk with enterprise risk management, foster cross-functional collaboration, and maintain executive-level sponsorship for resilience initiatives.
Cybersecurity leaders must actively champion and foster proactive management, advancing the resilience of the organization’s digital assets by their respective owners across the business and IT. By securing executive support, building cross-functional teams, and implementing clear accountability structures, leaders can ensure that resilience is embedded into the organization’s DNA, protecting critical business services, reputation, and revenue continuity.
Integrate DORA With Current Cybersecurity Practices
When documentation is created solely to satisfy audit requirements, it results in artifacts that lack operational relevance and effectiveness. improve cyber resilience, so the focus should be on increasing resilience rather than creating documentation for the sake of passing an audit. Cybersecurity leaders should focus on embedding DORA requirements into existing frameworks and processes, ensuring compliance drives regulatory and business resilience objectives. This approach enables cybersecurity leaders to streamline DORA compliance, leveraging existing investments and fostering a culture of continuous improvement and accountability.
Practical Steps to Overcome Documentation and Framework Challenges:
Conduct a Gap Assessment Against DORA Requirements:
Begin by mapping existing documentation, such as risk management policies, cybersecurity policies, incident response plans, business continuity, and disaster recovery frameworks, against DORA’s specific mandates. Identify gaps, particularly around new artifacts like the DORA Strategy, ICT Risk Management Framework, Register of Information, and ICT Reference Architecture. If you align with an industry-recognised framework such as ISO 27001:2022 or NIST CSF 2.0, a lot of the policies and standards under the ICT Risk Management, Incident Management, and Third Party Risk pillars should already be in existence and may only require cross-checking and light updates.
Update Information Register and reporting of Incidents: Proactively lead the update of the Information Register by coordinating with Legal, Compliance, and Enterprise Risk Management teams. Ensure all required data is accurately captured and ready for timely submission to regulators. In the event of a security incident, take ownership of providing complete, DORA-compliant reporting to the designated European Supervisory Authority (ESA). If you are not responsible for submitting the report, ensure you deliver all necessary information promptly to the report owner to maintain regulatory compliance.
Enhance Existing Documentation Rather Than Create From Scratch:
Where gaps exist, update and expand current documents to address DORA’s requirements. Avoid creating stand-alone documents solely for audit purposes; instead, integrate DORA expectations into existing governance and operational processes to ensure ongoing compliance and operational value.
Establish Clear Ownership and Accountability:
Ensure that the relevant teams or individuals are assigned responsibility for each required artifact or framework. Ensure that updates and maintenance are part of routine governance, not ad hoc compliance exercises. If required, escalate accordingly to ensure accountability and responsibility are taken. This is where a RASCI outlined in the previous section will really support governance.
Regularly Review and Validate Documentation:
Implement a schedule for periodic review and validation of all DORA-related documents. This ensures that documentation remains current, actionable, and aligned with evolving regulatory expectations.
Technology and Automation — Integrating Real-Time Monitoring for Effective DORA Compliance and Ongoing Cyber Resilience
Despite regulatory momentum, conversations with Gartner clients often show many cybersecurity leaders are challenged by the lack of ongoing, automated real-time monitoring and comprehensive visibility across critical business functions. Due to a large and pervasive presence of legacy architecture in many subject organizations, this capability is a core requirement for DORA compliance. The absence of this capability impedes proactive risk management and increases the likelihood of regulatory breaches and operational disruptions. Systems and applications are brought online, moved, or removed throughout the year, and there needs to be a real-time linkage to asset inventories to provide continuous visibility. In turn, this means Business Impact Assessments (BIAs) can no longer be a once-a-year exercise if continued resilience is a formalized DORA objective. Cybersecurity Leaders should consider:
Evaluate and Deploy Cyber and GRC Management Platforms:
Cybersecurity leaders should assess solutions that offer continuous risk assessment and real-time vulnerability monitoring. Before considering going to the external market, assess current tools and platforms and work with ERM to understand if there is existing technology that they are using that can be leveraged. Current integrated asset inventory or risk management platforms may provide additional modules with integration capabilities. Platforms with built-in automation capabilities can provide holistic visibility across IT, business operations, and third-party dependencies, supporting compliance and resilience objectives. Cybersecurity leaders could consider technologies from a Cyber and GRC Perspective:
Automate Incident Reporting and Response Workflows:
Implement tools that enable automated incident detection, reporting, and escalation. This reduces manual intervention, accelerates response times, and ensures consistent regulatory reporting requirements.
Enable Seamless Integration With IT Service Management (ITSM):
Select platforms that integrate natively with existing ITSM systems, allowing for streamlined workflows, centralized data management, and enhanced collaboration between cybersecurity, IT operations, and business stakeholders. Cybersecurity leaders could consider How to Integrate Cybersecurity in Your ITSM Practice. Establish Real-Time Dashboards for Executive and Board Oversight:
Provide senior leadership and key stakeholders with real-time dashboards that visualize risk posture, incident status, and compliance metrics. This will facilitate informed decision making and foster a culture of resilience and accountability.
Regularly Test and Validate Monitoring Capabilities:
Schedule routine assessments to ensure monitoring tools and processes are functioning as intended. Validate that visibility extends to all critical business functions and that automated reporting mechanisms align with DORA requirements.
Cybersecurity leaders should prioritize solutions that deliver actionable visibility and seamless integration, transforming compliance from a reactive obligation into a strategic advantage.
Acronym Key and Glossary Terms
| DORA | Digital Operational Resilience Act |