Decoding DORA: The Road to Resilience Write-up
On the 30th of January, FinTech North’s community came together for the organisation’s first event of the year, their ‘Decoding DORA: The Road to Resilience Webinar,’ hosted in partnership with security compliance experts Adoptech.
The application of the Digital Operational Resilience Act (DORA) from 17th January has been highly anticipated by technology professionals, particularly within the FinTech sector, where digital resilience is paramount. As a recent and significant regulatory development, it remains top of mind for many organisations striving to align with its framework. Given its impact on operational resilience and risk management, the webinar provided a timely opportunity to explore its implications and discuss how FinTechs can navigate the evolving regulatory landscape.
Please see below for the full recording of the Decoding DORA: The Road to Resilience Webinar:
https://www.youtube.com/watch?v=up_1Ok1wq38&t=2102s
A comprehensive guide to DORA, produced by Adoptech, is also available to download.
Joe Roche, FinTech North’s General Manager opened the discussion by welcoming virtual attendees to the webinar, providing an overview of the sector in the north, and the organisation’s purpose, aims, and strategy for the year.
An Introduction to the Panel and DORA
He then welcomed Rachel Przybylski, CPO of SIGMA Financial AI, who empower investment through analytics, to the virtual stage to moderate the remainder of the webinar. Rachel introduced herself, then welcomed Alastair Goodwin, Co-founder and CEO of Adoptech, to the virtual stage.
Alastair provided some information on his background in financial services, trading and tech, before sharing some information on Adoptech, who help FinTechs connect, manage and automate their company security compliance, certification and risk management tasks across multiple frameworks.
He shared a brief overview of DORA, the regulators' motivations for introducing the act (including the increased focus on risk management following the 2008 financial crisis), the challenges of implementation, and the status of the requirements around Threat-Led Penetration Testing, which he highlighted had been delayed to Q2 of 2025.
He noted that the new regulation imposes strict requirements on third-party risk management, requiring financial institutions to oversee their supply chain and ensure information and communication technology (ICT) providers and their subcontractors comply with resilience, security, and risk management standards.
Alastair stressed: ‘Not being classified as a critical third-party provider (CTPP) doesn’t mean you’re out of scope—everyone providing tech is included; it’s just a matter of the extent to which you are.’
Rachel highlighted the importance of supporting clients by ensuring resilience from the start, ‘We need to do the right things from the beginning.’
She then welcomed the panel to introduce themselves.
Richard Curtis, Director: Technology Risk Assurance and Cyber Security from RSM, was first, sharing some context around his background in cyber security and operational resilience, as a certified ethical hacker, and his role at RSM, who provide tax, audit and consultancy services to businesses.
Next, Dan Rycroft, Sales Director at The Pentest People introduced himself and his organisation, who offer penetration testing of IT systems to identify potential vulnerabilities and recommend effective security countermeasures.
DORA’s Challenges and Implementation in Financial Services
The webinar explored the complex challenges financial services (FS) firms face in implementing DORA. Alastair, Richard, and Dan discussed key pain points, particularly around third-party risk management and the need for enhanced due diligence. Financial institutions must effectively manage risks within their supply chain and ensure that all parties, from direct providers to subcontractors, are compliant with DORA.
Richard stressed the importance of breaking down silos within businesses to improve oversight and governance. “Boards need to think about ICT risk in a more integrated way,” he noted, highlighting the growing responsibility of boards to oversee digital resilience. He also pointed out that this level of responsibility is crucial to managing ICT risks across a firm’s entire ecosystem.
Vulnerability Scanning and Penetration Testing
The discussion then turned to the subject of vulnerability scanning and penetration testing. Dan explained that most mature financial services firms and FinTechs would already be conducting these exercises, but with DORA now in play, there are new obligations.
To simplify these concepts for a broader audience, Dan used a house analogy. He explained that a vulnerability assessment (VA) is like a house survey — it looks for potential problems without actually testing them. This typically involves automated tools, and some false positives may need to be addressed. A penetration test (PT), on the other hand, is akin to physically trying to break into the house, seeing if anyone can exploit the vulnerabilities.
However, the focus on Threat-Led Penetration Testing (TLPT) under DORA goes further. Dan elaborated, noting that TLPT is about asking, 'Who usually breaks into houses in these areas, and what techniques do they use?' He explained the need to then apply those same techniques to test your own defences, from phishing attempts to breaking into your website.
DORA's Article 25 reinforces that while larger companies may have the resources for comprehensive testing, smaller organisations can take a risk-based approach, balancing resources against the type of risk they face and the criticality of the services they provide. Alastair noted that this is something larger companies might already be doing, but now it is important for everyone to think through the risks they face in the same way.
TIBER and UK Equivalent Frameworks
The discussion then touched on TIBER-EU, a European framework for Threat Intelligence-Based Ethical Red-Teaming. Dan explained that TIBER provides detailed guidance on how organisations should work with authorities and threat intelligence teams to simulate real cyberattacks. The goal is to identify vulnerabilities and improve resilience through controlled cyber events. He drew comparisons to the UK’s equivalent frameworks, including CBEST and CSTAR, which provide similar red-teaming exercises tailored to specific industries.
The panel stressed that the value of these tests lies in their realism and the continuous improvement process they kickstart. They shared that the NIST cybersecurity framework, with its focus on identify, protect, detect, respond, and recover, is a useful model for broader security efforts, including incident response (IR). The panel also discussed the importance of post-event activity, where lessons learned from an exercise are implemented to improve security going forward.
Questions and Moving Forward with DORA
The webinar saw a highly engaged audience of nearly 60 attendees, who actively participated in polls on DORA-readiness and asked a variety of questions, which the experts collectively unpacked. Topics included the extent of supply chain oversight required for DORA compliance, the role of PCI DSS certification in supporting DORA processes, the scope of DORA's impact on both the UK and the EU, the regulators' approach to enforcement versus compliance, how DORA aligns with ESG principles, expectations for DORA compliance by January 2026, and the progress firms should make in the next 12 months.
The session concluded with some key takeaways. As Rachel advised, firms need to start their journey towards compliance with DORA sooner rather than later: ‘The regulator needs to see you implementing a plan this year.’
Alastair also emphasised that many of the requirements under DORA align with existing frameworks and standards, providing a helpful roadmap for organisations that are already working on their operational resilience.
In closing, Richard encouraged companies to have a plan in place and to consider vulnerability assessments, penetration testing, and threat-led tests as part of a continuous improvement cycle. As the webinar highlighted, the importance of resilience cannot be overstated — and DORA is a critical tool for firms navigating the digital landscape in 2025 and beyond.