
Beyond Compliance: Navigating DORA and operational resilience

What you need to know about the EU’s Digital Operational Resilience Act, in place as of 17 January 2025.

Steph Smith
January 17, 2025

If you work in the financial services sector, you’ll likely have heard the name “DORA”. And while this regulation definitely requires some good navigation skills, we’re not talking about Dora the Explorer. We mean the EU’s Digital Operational Resilience Act (DORA), effective as of January 17, 2025. This regulation requires financial institutions to get serious about their operational risks—focusing on enhancing cybersecurity across the financial sector.

But DORA isn’t just another compliance checkbox.

It's an opportunity to build the kind of resilience that keeps organizations running smoothly, even if things go sideways—it’s a roadmap to future-proofing. Sure, there’s work involved—vendor assessments, system tests, and tightening incident reporting. But the reward is a business that doesn’t just survive unexpected obstacles but thrives despite them.

At Swan, we see regulation as a lever for sustainable business. We don’t just “comply”—we build processes and tools that make navigating DORA less of a headache. Whether it’s simplifying vendor risk assessments or navigating reporting requirements, we’re here to help.

DORA isn’t just regulation—it’s about building resilience, trust, and an edge in a competitive market. Let’s dive into how we can comply with and benefit from this regulation—and how Swan’s approach might help you do the same.

Understanding the 5 pillars of DORA

While DORA is a comprehensive regulatory framework, its contents can be distilled into five core pillars.

  1. Information Communication Technologies (ICT) risk management: turning reactive IT-related risk management into proactive, well-documented processes.
  2. Incident reporting: standardizing the process for incident reporting, including IT incidents and cyber threats.
  3. Digital operational resilience testing: requiring organizations to evaluate their vulnerability to cyberattacks and demonstrate that suitable measures are in place to guard against them.
  4. Third-party risk management: mandating that businesses have oversight of and conduct ongoing due diligence with ICT providers.
  5. Cybersecurity information sharing: encouraging financial institutions—and critical suppliers to the financial sector—to share practices and learnings related to digital operational resilience.

The challenge of identifying and managing critical risks

If you’ve ever had the pleasure of mapping out your company’s critical processes, systems, and vendors, you know it’s no simple task. Sure, identifying core systems like your payment gateways or core banking platform seems easy enough, but what about the behind-the-scenes vendors—those who handle your data, store your documents, or even manage your infrastructure? The complexity quickly ramps up, especially when DORA comes into play, requiring you to assess not just your own systems, but your entire ecosystem of partners.

At Swan, we’ve been proactive in building a structured framework for vendor risk assessment. And it’s not about ticking boxes; for us, it’s about understanding who our critical vendors are, how they affect our operations, and ensuring they’re just as resilient as we are. For example, we’ve identified 20+ critical vendors, each of which must meet strict criteria to ensure they align with DORA’s requirements for operational resilience.

Here’s a 3-step checklist to get you started with your own assessments:

  • Critical business processes identification: What processes or systems could cause operational disruption if they failed?
  • Vendor dependency mapping: Which vendors support those critical processes, and how would their failure impact your business?
  • Risk mitigation plan: Do you have clear backup solutions, business continuity plans, and exit strategies in place if a vendor goes down?

Swan’s Security Officer, Sahra Toksöz, shares that “creating a risk framework is challenging because it requires a very thorough impact analysis to understand which processes are critical”. She explains:

"You need to determine how to classify an incident as major or minor, and how to meet reporting obligations for major incidents. For minor but recurring incidents, you must also define the course of action. It requires building a large diagram that includes all team members involved at different stages.”

You can learn more about Swan’s internal security procedures on our Trust Center.

Preparing for the unexpected

Reversibility is one of those things you don’t think about until you really need it—and by then, it might be too late. For cloud-based services, it’s not just about crossing your fingers and hoping for the best. Reversibility means having a plan in place to transition to another provider or system without losing your data or operations. For example, at Swan, we have multiple SMS providers available to support our Strong Customer Authentication (SCA) operations. Why? So we have confidence in our business continuity should one provider temporarily go down.

With 150+ businesses relying on us to provide banking features to their end users, Swan takes this very seriously. We don’t wait for disasters to happen to find out if our reversibility plan works. We do “tabletop exercises,” where we simulate potential disruptions and assess how we’d move operations from one service provider to another. And just in case, we have detailed migration plans—so we know exactly what steps to take and how long it would take to execute them. As Sahra Toksöz explains:

“We’ve implemented a backup plan for each critical vendor. We regularly analyze potential alternative providers and monitor whether our vendors comply with KPIs and service level agreements (SLAs). If they fail, we’re ready to migrate and know how long it would take.”

For teams looking to get ahead of reversibility, start with these steps:

  1. Identify critical services and systems that could cause the most disruption if something goes wrong.
  2. Draft migration plans for these critical services—don’t just talk about them; write them down and communicate them to all relevant teams.
  3. Test the plan regularly, even if it’s just a dry run with key stakeholders.
  4. Keep it proportional: You don’t need a 100-page plan for every service, but make sure you have one that fits the scale of your business.

By building a solid reversibility plan, you’re not just ticking a box for DORA—you’re ready for any curveballs that might come your way.

4 lessons from Swan’s approach to DORA

Standardized reporting under DORA is like assembling a puzzle—there are a lot of small pieces to fit together, and you can’t afford to miss one. Thankfully, it doesn’t have to be painful. To stay ahead of the game, Swan reached out to the regulator (ACPR) to be part of the voluntary DORA dry run. Our success in the exercise proves that a structured approach can make the process far smoother than you might expect.

How did we do it? Automation was key. By using tech to handle repetitive tasks, we freed up time to focus on the real work—analyzing and assessing risk. Structured risk assessment helped us organize data efficiently, ensuring everything was in the right place when it came time to report.

For teams tackling this themselves, here are a few of our top tips:

  • Automate where you can—no one has time for manual data entry anymore.
  • Organize your data before reporting starts—create a standardized structure for your risk data (think spreadsheets, templates, or whatever makes sense).
  • Test your reporting process regularly so it’s not a scramble at the last minute.
  • Keep it simple: focus on the most critical risk data for your business, and ensure your reports are easy to digest.

With these steps, you’ll be in a healthy compliance position from the outset. To explore our internal controls more deeply, check out Swan’s Trust Center.

Making DORA and security a company-wide culture

Security isn’t just a “one department” job. If DORA’s going to stick, it needs to become part of the company’s DNA—especially from the top down. That means getting everyone, from your compliance team to your executive leadership, on the same page.

At Swan, we do this by prioritizing internal education. We don’t simply hand off the responsibility to the legal team. We hold regular internal workshops and cross-departmental meetings, and share updates through our internal comms. The goal? Making sure everyone understands DORA’s impact on their specific roles and how each department contributes to operational resilience. When leadership becomes an advocate for its importance and potential, the rest of the company follows. Here are 4 steps to help align your teams with DORA:

  1. Executive buy-in: Make sure leadership is aligned and actively involved. They set an example for the company.
  2. Regular education: Hold monthly sessions (or weekly, depending on your business) to update teams on compliance changes, challenges, and successes.
  3. Cross-departmental communication: Security is a team sport. Get finance, tech, product, and legal talking to each other, not just ticking boxes.
  4. Real-world application: Use case studies and examples to illustrate the impact of non-compliance and the importance of security processes such as those established by DORA. At Swan, we run fraud drills to train employees to detect and respond to potential, real-life threats.

When you make DORA a collective mission, it stops feeling like an afterthought and becomes a shared responsibility. That’s how strong business resilience is established. Thomas Caplin, Swan’s VP of Security, shares:

“We believe that DORA is more than a regulatory requirement—it's a chance to create a culture of resilience that influences every part of our business. Building awareness from the ground up, across all teams, ensures that we're not just ticking a regulatory box, but making compliance a strategic advantage that strengthens our entire operation, especially alongside ISO 27001, for which we’re targeting certification very soon.”

The road ahead: DORA as an opportunity for better business

DORA’s not a “compliance burden” to bear. If you look at it the right way, DORA can act as a framework to elevate your operational resilience. Design your processes not only to meet regulatory demands but also to anticipate challenges and stay competitive.

When you can confidently assure your stakeholders that your operations are built on a foundation of resilience, you’re building stronger, long-term customer relationships. End users want to know their financial service providers aren’t just meeting the minimum standards—they want to know their data is protected, their transactions are secure, and their operations are rock solid. And now you can leverage DORA to work towards this.
