Alaska Airlines Illustrates How DORA Raises the Bar for Cyber and Operational Resilience
- Weave Labs
- Nov 6

Alaska Airlines has experienced two major flight groundings this year due to IT system failures—an illustration of how operational disruptions now carry far greater regulatory and financial consequences under DORA.
Alaska Airlines is not an isolated example. Many high-profile outages and supply-chain breaches have demonstrated the urgency of DORA’s requirements for end-to-end ICT governance, incident response, and third-party oversight across the financial ecosystem:
- The 2018 TSB core-banking upgrade failure in the UK locked out ~1.9 million retail customers and triggered a £48.65 m regulatory fine – highlighting the critical need for change management, migration oversight and end-to-end operational risk controls.
- The February 2025 multi-bank outage in the UK (Barclays, Lloyds Banking Group, others) left over 1.2 million customers unable to access pay-day funds and prompted a parliamentary inquiry – underscoring the regulatory focus on continuity of customer services and major-incident reporting.
- The May 2023 MOVEit supply-chain breach impacted ~66 million individuals via vendor exposures and resulted in global losses of up to USD 12 billion – a textbook “fourth-party” disruption and the exact scenario DORA’s third/fourth-party oversight pillar targets.
- The October 2025 Amazon Web Services (US East-1) outage knocked out UK banking apps (Lloyds, Halifax) and HMRC services for several hours, illustrating concentration risk in cloud dependencies and reinforcing the imperative of diversified vendor and infrastructure strategies under DORA.
Across all of these examples, the absence or immaturity of formal testing, vendor-chain mapping, incident classification and reporting, and backup/restore protocols was evident. DORA’s five pillars—ICT Risk Management; ICT-related Incident Reporting; Digital Operational Resilience Testing; ICT Third-Party Risk Management; and Information Sharing – map directly to these failures.
The majority of financial institutions in Europe and around the world are not prepared to comply with the extensive list of DORA requirements. In fact, a recent survey found that 96% of European financial institutions believe their current level of data resilience falls short of DORA’s expectations.
Financial institutions therefore face two urgent steps:
- Move from non-compliance to compliance.
- Build the foresight and agility to stay ahead of evolving DORA enforcement, emerging cyber threats, and market disruptions, recognizing that both risk and regulation can shift overnight.
For Chief Risk Officers (CROs) and Third-Party Risk Management (TPRM) executives, DORA represents both a wake-up call and an opportunity. It’s the first regulation to hold boards directly accountable for digital resilience and to require continuous proof of control effectiveness across every ICT and vendor dependency.
The age of annual compliance checklists is over.
From IT Concern to Continuous Risk Governance
DORA transforms digital resilience from an IT issue into a core pillar of enterprise risk governance.
Unlike older frameworks built on periodic attestations, DORA requires ongoing monitoring and reassessment of ICT posture, regular testing and remediation, and dynamic vendor classification whenever exposure changes.
Supervisors expect “living evidence”—control metrics that update continuously, dependency maps that reflect current realities, and dashboards that prove leadership knows exactly where risk resides and how it’s being mitigated.
The Six Pillars That Define DORA
DORA formalizes six interlocking domains—risk management, incident reporting, testing, vendor oversight, intelligence sharing, and regulatory coordination—creating a holistic framework for digital resilience across the financial system.
To understand DORA’s impact, it’s helpful to see how each pillar reinforces the others. Together, they form a continuous control loop that connects ICT risk, testing, vendor oversight, and regulatory assurance into a single framework:
- ICT Risk Management: Ongoing identification, protection, detection, and recovery from ICT-related incidents.
- ICT Incident Reporting: Harmonized classification and a strict 4-hour notification rule for major incidents.
- Digital Operational Resilience Testing (DORT): Continuous validation of ICT systems, including Threat-Led Penetration Testing (TLPT) every three years for critical services.
- Third-Party Risk Management: Oversight of all ICT service providers—including cloud vendors—with lifecycle governance and a mandatory dependency register.
- Information and Intelligence Sharing: Secure, voluntary collaboration across institutions to detect and mitigate systemic risk.
- Regulatory Oversight: Direct supervision by the EBA, EIOPA, and ESMA, extending to Critical Third-Party Providers (CTPPs) such as hyperscale cloud and infrastructure providers.
In this environment, traditional risk models and manual processes are no longer enough. Governance must evolve to meet the pace and precision DORA demands. As if governance teams didn’t already have enough complexity to manage, DORA brings a net-new category of compliance work to the table.
Together, these pillars establish one truth: resilience must be proven, not presumed.
Why Traditional Checklists Fail
For years, financial institutions relied on compliance checklists and static attestations to demonstrate readiness. Under DORA, that model collapses. The regulation no longer asks, “Do you have a policy?”—it demands “Prove it works, continuously.”
| DORA Requirement | Why a Checklist Fails |
| --- | --- |
| Threat-Led Penetration Testing (Art. 26) | Requires active, red-team testing of live production systems—cannot be validated by forms or interviews. |
| Board Accountability & Strategy (Art. 5–6) | Calls for board-approved metrics, meeting minutes, and ongoing evidence—not self-certified statements. |
| Critical Third-Party Oversight (Art. 31–39) | Mandates inventories, resilience metrics, and contractual proof—far beyond annual vendor reviews. |
Supervisors now expect proof of control effectiveness: real-time dashboards, measurable remediation timelines, and direct traceability between control design and outcome.
Under DORA, remediation isn’t optional; it’s mandatory and time-bound. Institutions must not only detect control failures but also document corrective actions, assign accountability, and evidence timely resolution.
Regulators will review whether identified gaps were closed within prescribed timelines and whether retesting confirmed their effectiveness. This makes the remediation process itself a regulated control activity, not just a governance best practice.
This is why annual checklists no longer work. DORA’s expectation is clear—resilience must be evidenced in real time.
It represents a fundamental shift—from treating compliance as paperwork to demonstrating resilience through evidence.
Beyond Cyber: The Systemic Risk Mandate
Although DORA is often labeled as a “cyber regulation,” that description undersells its scope. The Act governs all ICT-related operational disruptions—not just cyberattacks, but also software defects, internal failures, and vendor collapses.
Regulators are zeroing in on key systemic vulnerabilities:
- ICT concentration risk — over-reliance on a small number of service providers.
- Data localization and access — ensuring regulators can retrieve data, no matter where it’s hosted.
- Quantifiable resilience metrics — Recovery Time Objectives (RTOs), service availability, and control maturity tracking.
The intent is simple but profound: prevent systemic contagion in a hyperconnected financial ecosystem where one vendor’s failure could ripple across the sector.
Simply checking the boxes isn’t enough. Financial institutions must understand their compliance position in context—benchmarking against peers, surfacing vulnerabilities across internal and third-party relationships, and maintaining the agility to adapt as regulations and risks evolve.
This is where the gap between knowing and proving resilience becomes the defining challenge—and where Weave.AI bridges that divide.
How Weave.AI Turns Compliance Into Continuous Intelligence
Weave.AI helps financial institutions go beyond DORA compliance by delivering real-time intelligence that unifies oversight across ICT systems, third parties, and regulatory requirements. Built on neuro-symbolic AI, Weave.AI’s platform continuously maps relationships between internal controls, vendor dependencies, and risk exposure—surfacing weak points that traditional systems miss.
DORA’s complexity is precisely where Weave.AI provides a strategic advantage. Our platform helps institutions transform static compliance into continuous operational intelligence, closing the gap between regulation and resilience.
Predictive Resilience, Descriptive Precision: Real-time visibility across ICT, third-party, and governance domains—aligned directly with DORA’s ongoing monitoring, testing, and reporting mandates. Weave.AI is designed to detect ICT concentration risks and emerging compliance gaps tied to DORA’s resilience requirements—providing contextualized evidence and recommendations before those weaknesses escalate into operational incidents.
Once gaps are identified, Weave.AI doesn’t stop at detection; it generates tailored guidance and next-best-action recommendations derived directly from DORA’s control logic. Each issue is linked to its underlying article or regulatory clause, with actionable remediation steps, responsible owners, and progress tracking until resolution. This enables CROs to demonstrate not just identification of weaknesses but measurable, auditable closure—exactly what supervisors expect.
Continuous Regulatory Mapping: Automated alignment with DORA, NIS2, GDPR, NIST CSF, ISO 27001/22301, Basel III/IV, and other major supervisory frameworks (including FFIEC, OCC, MAS, and APRA CPS 230) ensures that controls remain current, defensible, and regulator-ready across jurisdictions.
Explainable Intelligence: From incident-level anomalies to enterprise-wide oversight, Weave.AI connects micro-risks to macro-resilience with full explainability and traceability.
Beyond compliance, Weave.AI gives institutions the foresight and agility to anticipate and adapt to change. By combining machine learning and pattern recognition with symbolic reasoning, the platform identifies emerging risks, benchmarks performance against peers, and highlights shifts in cyber, market, or regulatory conditions.
The result is not just regulatory readiness, but a dynamic and defensible risk posture—one that allows financial leaders to stay ahead of threats and turn DORA’s demands into a strategic advantage.
This continuous detect-to-remediate loop provides living evidence of control performance—proof that every identified weakness is addressed, verified, and documented in line with DORA’s mandated remediation timelines.
By combining symbolic reasoning with machine learning, Weave.AI produces regulator-ready evidence that proves resilience is being managed in real time—not just declared annually.
It’s how financial institutions can meet, sustain, and surpass DORA’s expectations.
With Weave.AI, organizations can achieve that standard—substantiating resilience through verifiable, regulator-ready evidence.