
How high performers turn compliance into an advantage

Charlotte Fleming

When the Digital Operational Resilience Act’s (DORA) deadline arrived on January 17, 2025, organizations that had invested in Continuous Delivery (CD) were already compliant; in fact, they sailed through DORA’s deadline. In contrast, those relying on manual controls for compliance were still racing to comply.

The Digital Operational Resilience Act (DORA) was developed to protect the financial sector from the increasing number of cyber attacks. It provides a valuable opportunity to assess the impact and cost of implementing changes to comply with new regulations on technology teams. Our Compliance through Continuous Delivery report examined how organizations in financial services are navigating this new reality, and the results reveal surprising truths about compliance in regulated industries.

Unlike their unregulated counterparts, financial institutions face a unique dilemma: slow down to validate changes, or speed up to rapidly address compliance deadlines. Our research shows the highest performers have escaped this perceived trade-off entirely.

The real cost of compliance

The numbers tell an important story: 37% of organizations are losing more than a fifth of their development capacity to compliance tasks. Things are even worse for some organizations, as 9% spend 40-60% of their time on compliance, and 3% report that 60-80% of their effort goes toward regulatory overhead rather than delivering value. Every compliance hour costs development dollars.

Figure: Time spent on compliance (organizations by time spent on compliance)

Organizations reporting significantly lower compliance overhead when adopting DORA had something in common. They had existing standards, such as ISO 27001 or the NIST Cybersecurity Framework. Because they already had mechanisms in place for compliance, they just needed to close gaps rather than build from scratch.

The investment has been far greater for organizations driven by DORA, which modernized compliance and regulations. These teams are not only documenting existing practices but also transforming how they deliver software while maintaining velocity.

The pattern is straightforward: the more you automate and standardize, the less compliance hurts. In regulated industries, the smartest organizations use CD and DevOps to achieve their compliance goals and increase their ability to ship working software.

More than half of the organizations we surveyed are now looking to automate processes in their software delivery pipeline (55%), improve security and compliance (53%), standardize processes (27%), and enhance tooling (29%). These measures will help teams increase deployment frequency, enabling a more resilient system, as required by the regulations. They have learned that compliance through automation is cheaper than compliance through human oversight.

Figure: DevOps initiatives (planned DevOps initiatives)

The deployment bottleneck nobody talks about

A key factor setting the pace for software delivery performance is the number of deployers. We discovered a surprising bottleneck: more than 60% of organizations have fewer than 4 people who can trigger a production deployment. These deployment gatekeepers reduce throughput and deployment frequency, presenting a damaging bottleneck in software delivery.

The impact is significant. When organizations cross the threshold from 3 to 4 or more authorized deployers, the median delivery score (based on deployment frequency and change lead time) increases from 42 to 59. Adding just one more authorized deployer drives a 40% performance improvement by addressing what appears to be a simple administrative constraint.

Limiting deployments to 1 or 2 people means releases get stuck and bottlenecks form when deployers are unavailable. It creates knowledge silos, and deployers deploy code they didn’t write. This insight is consistent with our 2023 Deployment survey report, which revealed that deployment gatekeepers hindered organizations from achieving the expected efficiency gains from deployment automation initiatives. You can automate your entire pipeline, but if deployments are waiting on 1 or 2 people, you haven’t solved the problem.

Figure: Having more deployers increases throughput (throughput score by number of deployers)

There is a reason that a minimum of 4 deployers works better for software delivery. It represents the minimum viable coverage for CD, and more importantly, forces organizations to build proper controls into the pipeline rather than relying on individual manual checks for security.

What high performers do differently

High-performing organizations in our study share common patterns, starting with automation. Examining the delivery scores by automation level reveals that full automation achieves a 60% improvement over manual processes, and crucially, partial automation falls short of this mark. The organizations that achieve scores over 50 have automated both application and database deployments, making automation the only path to production.

The last point is a crucial finding: high performers automate deployments and eliminate alternative routes. This means that every change goes through a rigorous pipeline, where it is thoroughly tested, scanned, and auditable. This prevents drift, ensures changes are in version control, and dramatically reduces the number of people who need access to production.

Figure: High performers automate more thoroughly (automation strategy performance)

Our research confirms what many suspected: tool sprawl actively undermines organizational progress. We found that delivery scores increase as organizations reduce the number of deployment tools they use. High-performing organizations have converged on a deployment platform, often through Platform Engineering initiatives. Too many tools create friction between teams, and working across multiple tools and interfaces increases cognitive overhead.

You get 2 compliance benefits from standardization. When organizations need to implement new regulations or provide evidence for auditing, platform teams can roll out changes across all pipelines simultaneously, rather than making individual updates for each deployment script.

Figure: Fragmented tooling landscapes reduce throughput (throughput scores by tool count)

Successful and reliable deployments

The formula for compliance without sacrificing performance:

  • Have at least 4 deployers (no gatekeepers) to avoid bottlenecks.
  • Automate deployments for everything (applications and databases across all environments, building compliance evidence along the way).
  • Standardize tools across the organization.
  • Make the pipeline the only path to production, with no exceptions.

As regulatory requirements intensify for the financial services industry, organizations clinging to manual compliance processes will be left behind. Our findings show there’s no trade-off between compliance and speed, as those who automate deployments, eliminate gatekeepers, and standardize tools can turn their compliance and regulation burden into a competitive advantage. Success belongs to those who recognize that compliance and CD work better together.

Happy deployments!

Charlotte Fleming

Charlotte has a background in science research and research projects with data analysis, and works as a Research Assistant at Octopus Deploy.
