What a Year of DORA Reveals About Cyber Resilience

It’s now been a full calendar year since the European Union’s Digital Operational Resilience Act (DORA) became enforceable in January 2025, marking a clear shift in how regulators expect organizations to manage digital risk.

In the UK, the proposed Cyber Security and Resilience Bill points in a similar direction. It raises expectations for how organizations prepare for, respond to, and report cyber incidents, signaling that digital resilience is now a regulatory concern, not solely an operational one.

Looking at DORA one year in is useful, not because it offers a perfect model, but because it highlights a recurring tension in cyber regulation: improving visibility after incidents have occurred, versus reducing the likelihood and impact of incidents in the first place.

What Is DORA and Who Is in the Crosshairs?

DORA applies specifically to financial entities operating in the EU, but its implications extend beyond those entities, particularly to information and communication technology (ICT) third-party service providers that support critical operations.

The intent is to ensure that organizations can withstand, respond to, and recover from ICT disruptions consistently. Not every technology provider falls directly under DORA, but the regulation makes clear that resilience does not stop at organizational boundaries. At Sonatype, we see this as a necessary step forward. The growing scale and frequency of cyber incidents have exposed the limits of relying on organizations to report issues on their own timelines. Dependencies matter, and regulators are paying much closer attention to the risks they introduce.

Tara Houlden, Director of Product Security Compliance and Risk at Red Hat, recently joined a Sonatype webinar to reflect on DORA’s first year, saying, “Mature organizations are the ones that understand its path to deliver products or services and have a plan to support the areas where they have dependencies. A really mature organization is testing its (Read more...)

*** This is a Security Bloggers Network syndicated blog from 2024 Sonatype Blog authored by Aaron Linskens. Read the original post at: https://www.sonatype.com/blog/what-a-year-of-dora-reveals-about-cyber-resilience