
DORA and Digital Resilience: A New Doctrine for the Era of Intelligent Cyber-Attacks

Since January 2025, Europe’s financial sector has been governed by the Digital Operational Resilience Act (DORA). This sweeping regulation aims to ensure that financial institutions can withstand, respond to, and recover from IT-related disruptions.

Its enforcement comes at a critical time. The scale and sophistication of cyber threats have reached historic heights, driven by a combination of automation, offensive AI, and the growing interconnectivity of digital ecosystems. In the face of this complexity, one fundamental question arises: is compliance enough to guarantee resilience?

This article offers a first line of reflection. DORA provides a solid foundation, but only an adaptive, anticipatory, and integrated approach will equip organizations to meet the escalating challenges of intelligent and systemic cyber-attacks.

A New Breed of Cyber Threats: Faster, Smarter, More Destabilizing

The year 2024 confirmed a worrying trend: cyber-attacks are becoming self-adaptive, nearly invisible to traditional defenses, and largely orchestrated by generative AI.

At ACG Cybersecurity’s R&D lab, we observed:

  • A 230% surge in attacks using AI components
  • Ransomware campaigns that mutate to evade detection
  • The rise of highly convincing vocal and video deepfakes targeting operational and financial leaders

Cyber-attacks are now industrialized, marketed as turnkey products or services, modular, and accessible to even non-technical cybercriminals. In this landscape, response is no longer sufficient. Anticipation of vulnerabilities before they evolve into systemic collapse vectors is paramount.

DORA: Regulatory Framework or Catalyst for Transformation?

DORA rests on five pillars: ICT risk management, major incident reporting, resilience testing, oversight of critical third-party providers, and information sharing. While it sets a necessary baseline, DORA often lacks strategic interpretation. Many organizations treat it as a compliance checklist, when in fact it represents a governance paradigm shift.

Our field experience shows that:

  • Test plans are often static and based on optimistic assumptions
  • Critical digital dependencies (APIs, cloud, SaaS vendors) are poorly identified
  • Incident response processes lack autonomy, coordination, and real-time analytical capabilities

It is essential to move away from a document-centric mindset and toward a dynamic, evolving vision of resilience.

Rethinking Resilience Through Science and Dynamic Data

In April 2025, our R&D team published a study in IEEE Access titled: “Dynamic Data Updates and Weight Optimization for Predicting Vulnerability Exploitability.” This scientific work proposes a new paradigm in vulnerability management.

Rather than relying on fixed scoring like CVSS, we developed a model that:

  • Weighs vulnerability criticality based on exploitation maturity, remediation availability, and business impact
  • Introduces a new exploitability formula using weighted dynamic metrics
  • Integrates live threat feeds from NVD, ExploitDB, GitHub, and dark web forums
  • Predicts real-world exploitability with 82.9% accuracy

This model empowers decision-makers to prioritize actions based not on static lists but on dynamic, context-aware risks: a powerful lever for aligning DORA compliance with agility.
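To make the difference between static and dynamic prioritization concrete, here is an added illustration (not the IEEE Access model's formula, nor ACG's code): a small scorer that blends a CVSS base score with weighted signals for exploit maturity, remediation availability, and business impact, then re-ranks a constructed inventory when a threat feed reports new exploitation. The weights, the 30/70 blend, and the placeholder vulnerability ids are assumptions.

```python
from dataclasses import dataclass, replace

# Illustrative weights for the dynamic signals; assumptions, not the paper's values.
WEIGHTS = {"exploit_maturity": 0.40, "remediation_gap": 0.25, "business_impact": 0.35}
STATIC_SHARE = 0.3  # share of the final score kept for the static CVSS base (assumption)


@dataclass(frozen=True)
class Vuln:
    vid: str                 # constructed placeholder id, not a real CVE
    cvss_base: float         # static CVSS base score, 0-10
    exploit_maturity: float  # 0 = no public exploit, 1 = actively exploited in the wild
    remediation_gap: float   # 0 = vendor fix available, 1 = no fix or workaround
    business_impact: float   # 0 = low-value asset (archive), 1 = critical (customer portal)


def dynamic_score(v: Vuln) -> float:
    """Blend the static CVSS base with the weighted dynamic, context-aware signals."""
    dyn = sum(WEIGHTS[k] * getattr(v, k) for k in WEIGHTS)
    return 10.0 * (STATIC_SHARE * v.cvss_base / 10.0 + (1 - STATIC_SHARE) * dyn)


def rank_static(vulns):
    """Ordering a CVSS-only process would produce."""
    return [v.vid for v in sorted(vulns, key=lambda v: v.cvss_base, reverse=True)]


def rank_dynamic(vulns):
    """Ordering after the dynamic signals are taken into account."""
    return [v.vid for v in sorted(vulns, key=dynamic_score, reverse=True)]


def apply_feed_update(vulns, vid, **signals):
    """Return a new inventory where the named vuln's signals are refreshed from a feed event."""
    return [replace(v, **signals) if v.vid == vid else v for v in vulns]


# Constructed sample inventory (placeholder ids, not real CVEs).
INVENTORY = [
    Vuln("VULN-A", 9.8, 0.0, 0.0, 0.2),  # high CVSS, patched, archive server
    Vuln("VULN-B", 7.5, 0.9, 1.0, 1.0),  # weaponized, no fix, customer portal
    Vuln("VULN-C", 8.1, 0.5, 0.4, 0.6),
]

if __name__ == "__main__":
    print("static :", rank_static(INVENTORY))
    print("dynamic:", rank_dynamic(INVENTORY))
    # A feed reports VULN-A is now exploited in the wild; re-score and re-rank.
    updated = apply_feed_update(INVENTORY, "VULN-A", exploit_maturity=1.0)
    print("after feed update:", rank_dynamic(updated))
```

Under CVSS alone the patched archive-server flaw tops the list; once exploit maturity, fix availability and asset value are weighed in, the unpatched customer-portal flaw leads, and a single feed event moves VULN-A back up the queue without anyone re-editing a static list.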

Toward a New Doctrine of Digital Resilience

It’s no longer a matter of if a cyber-attack will happen but when and how it will impact your digital value chain. The doctrine we advocate is built on four pillars:

1. Establish Cross-Functional Resilience Governance

Create a Digital Resilience Committee that includes IT, cybersecurity, compliance, crisis management, legal, and executive leadership. This body should lead continuity efforts, crisis response, and strategic arbitration.

2. Integrate AI into the Defensive Chain

AI must be deployed to detect anomalies, simulate attack scenarios, automate incident reports, and recommend corrective actions based on continuous learning models.

3. Stress-Test Systems Under Chaotic Conditions

Go beyond basic continuity drills. Simulations must include complex multi-crisis scenarios: ransomware, cloud outages, and regulatory roadblocks occurring simultaneously.

4. Build Co-Resilience Pacts with Critical Suppliers

Evolve toward deeper contractual relationships, enabling joint testing, mutual sharing of robustness metrics, and shared crisis governance.

Key Recommendations for Achieving Real Operational Resilience

Here are the key levers we recommend to help financial institutions move beyond baseline compliance:

  • Prioritize business-critical value in risk assessment: Not all digital assets carry equal weight. A customer portal is more critical than an archive server. Resilience must revolve around the business value chain—not just technical infrastructure.
  • Adopt a dynamic resilience scoring model: Based on our scientific work, this model integrates emerging threats, vulnerability data, and business context in real time. It enables defense strategies to align with present-day realities.
  • Measure the “strategic recovery time”: Beyond the Recovery Time Objective (RTO), organizations must measure the time between incident detection and the first structured decision made by top management. This is the true metric of governance under pressure.
  • Train teams using AI-driven crisis simulations: Crisis exercises must now include AI-generated scenarios that reflect more realistic, unpredictable, and fast-evolving adversarial behaviors.

Conclusion: DORA Is a Catalyst, Not the Finish Line

DORA is a powerful trigger. But compliance alone does not equate to protection. What truly safeguards an organization is its ability to absorb, adapt, learn, pivot, and continue.

We have entered the age of augmented digital resilience, where attacks are powered by AI, where external suppliers are as critical as internal systems, and where every minute of delay in decision-making can result in multimillion-dollar losses or reputational damage.

At ACG Cybersecurity, we believe in a proactive, data-driven, and knowledge-based cybersecurity strategy. DORA is the foundation. But resilience, true resilience, is a mindset.
