
Why Formance Became DORA Compliant
Steps, Challenges, and Positive Outcomes
Discover why Formance pursued DORA compliance early, what the process required, and how it strengthened operational resilience and trust for every customer.
When the Digital Operational Resilience Act (DORA) arrived, many companies treated it as another compliance checkbox. For Formance, it struck at the core of what we already do. Our platform sits at the center of clients’ critical financial flows, so things like reliability, security, and operational resilience aren’t extras: they’re expectations. DORA puts formal language around responsibilities we’ve long taken seriously.
And today, we’re very happy to be able to share that Formance is DORA compliant.
Given the challenge of DORA compliance, we want to explore in more detail why we pursued it early, what it required, and how the process ultimately strengthened our operations.
Why DORA Became a Strategic Priority
For a company that handles and reconciles sensitive financial transactions, operational resilience isn’t optional. Our customers include regulated financial institutions that depend on us to maintain the integrity of their most critical flows. When DORA emerged, it aligned directly with the standard they already expected from their technology partners.
We also saw an unmistakable shift in the market. By early 2025, many clients and prospects were evaluating DORA internally, and some were already treating compliance as a prerequisite for moving forward. We had started our own preparation months earlier, which meant we were ready when those conversations arrived.
But the decision wasn’t only reactive. Pursuing DORA early was a strategic step toward staying ahead of regulatory expectations, strengthening internal governance, and reinforcing the trust on which our platform is built. Rather than taking a “checkbox” approach, we viewed compliance as a way to deepen the disciplines that make our service reliable in the first place.
Inside the DORA Compliance Journey: What It Actually Took
DORA touches every part of a company’s digital and operational backbone, so we approached compliance as a company-wide project rather than a security exercise. Engineering, operations, product, security, legal, and corporate services all participated in a structured review, each owning a piece of the framework.
The first step was mapping every internal policy, workflow, and control against DORA’s requirements. That meant revisiting business continuity plans, strengthening documentation standards, formalizing risk assessments, and aligning processes that had previously lived within individual teams. The goal was straightforward: to create a single, coherent operating model that made compliance auditable and repeatable.
We also refined how we evaluate the tools and partners that support our platform. DORA requires clear oversight of critical Information and Communications Technology (ICT) providers, so we introduced more consistent criteria and monitoring to ensure every external service meets the same expectations our customers hold us to.
In parallel, we modernized the legal foundation supporting customer relationships. Updating our master service agreement and data protection agreements ensured our contractual commitments matched current regulatory expectations and gave customers a clearer view of how we manage risk.
The Hard Part: Speed, Interpretation, and Dependencies
For all the structure DORA provides, implementing it in real time was anything but simple. The first challenge was speed. Once it became clear that both existing clients and major prospects expected DORA compliance, the timeline compressed overnight. We had to align engineering, security, operations, product, and legal teams quickly enough to support ongoing contract negotiations, and we had to do it during a period when schedules are notoriously fragmented.
The second challenge was interpretation. DORA is comprehensive, but comprehensive regulations aren’t always immediately clear when more specific, practical issues arise. Understanding what each requirement meant in practice involved constant dialogue with legal specialists, security partners, and even customers who were grappling with the same questions on their end. Every answer raised new considerations: Which processes needed refinement? Which controls needed strengthening? Which assumptions required revisiting?
Then there were the dependencies. DORA requires companies to ensure their critical ICT providers meet the same standards they do. That meant reassessing partners like AWS, Atlassian, and other vendors, then making difficult calls when a provider couldn’t meet the bar. Compliance isn’t meaningful if it only applies internally, and DORA reflects this, as it requires vendors to be DORA compliant, too. And so every one of our tools and subcontractors had to withstand the same scrutiny our own systems faced.
Internally, this also required a cultural shift. New processes only work when people understand and use them, so training became a significant part of the effort. Many employees had to adopt new workflows or learn the reasoning behind requirements that weren’t always obvious at first glance.
Ultimately, the most challenging part wasn’t the regulation itself, but rather keeping pace with the demands, aligning dozens of moving parts, and ensuring that every dependency, inside and outside the company, met the same high standard.
Proving It: How Formance Demonstrates DORA Compliance Today
DORA isn’t something you can merely claim for yourself. You must be able to prove you’re compliant. Demonstrating compliance requires clear evidence that controls work in practice, not just on paper. Internally, we maintain dedicated documentation and run regular audits to verify that every policy, process, and technical safeguard meets the regulation’s requirements. Any gaps trigger immediate decisions to improve controls or adjust our vendor ecosystem.
We also rely on automated tooling to maintain visibility across the organization. Platforms like Vanta help detect missing controls, track progress, assign owners, and evaluate the risk level of every ICT tool or device connected to the company. This gives us a real-time view of compliance health and ensures new tools meet DORA expectations before adoption.
For customers, transparency is central. Our Trust Center (available under NDA) consolidates everything they need for due diligence: SOC 2 and ISO certifications, penetration test results, audit reports, our complete subcontractor list with risk assessments, and a precise mapping of how we meet DORA requirements. Customers don’t have to take our word for it. They can review the same evidence regulators expect to see, all in one place.
The result is faster onboarding, smoother procurement, and a higher baseline of trust in our technology and the rigor behind it.
Why It All Matters: The Value for Clients and the Future of the Ecosystem
DORA ultimately raises the standard for everyone involved in financial infrastructure—not just regulated institutions, but every technology partner they rely on. Even for customers who aren’t directly in scope, the benefits of our compliance are immediate. Stronger continuity planning, tighter security controls, clearer subcontractor oversight, and consistent operational discipline all translate into lower risk and greater confidence in the systems that move their money.
It also simplifies their own due diligence. Because our controls, policies, and evidence are already in place, onboarding is faster, and compliance reviews are far less burdensome. In many cases, the heavy lifting is already done before a customer ever asks the first question.
For us, becoming DORA compliant wasn’t just a requirement. It was a chance to strengthen our foundation, deepen our transparency, and stay ahead of where the industry is headed. Most importantly, it reinforces the trust our customers place in us: trust that their most critical financial processes are handled with the resilience and rigor they deserve.
