DORA Regulation & Compliance: What It Means for Your Business

Technology runs our world—until it doesn’t. With apps, websites, and IT systems woven into nearly every aspect of life, it’s easy to forget how much we rely on them. But when things go wrong, the impact can be immediate and severe.

In July 2024, a glitch in a widespread security software update led to thousands of canceled flights, hospitals losing access to their patient records, and extensive disruptions across many other industries.

Our growing reliance on technology is precisely why the upcoming Digital Operational Resilience Act (DORA) regulations are critical.

What Is the Digital Operational Resilience Act (DORA)?

The financial sector depends heavily on outside tech companies for its services, which makes it vulnerable to cyberattacks. If not managed well, these risks can disrupt services and impact the broader economy (much like the outage mentioned above). That’s why the European parliament developed DORA—to strengthen operational resilience in the financial services sector.

This EU regulation will act as a prevention policy, ensuring financial services firms can withstand, respond to, and recover from all ICT-related disruptions and threats. (ICT, being information and communications technology.) The regulation aims to simplify reporting and improve incident management. The act places accountability on companies and organizations, making them responsible for developing and approving plans to ensure digital resilience.

The regulation entered into force on January 16, 2023, and financial entities have until January 17, 2025, to comply with the requirements.

Who Does DORA Apply To?

If you think DORA affects only big banks in Europe, think again. DORA casts a wide net across the EU’s financial sector and third-party ICT service suppliers—regardless of where those service providers are based.

DORA compliance applies to financial institutions and related entities, including:

• Banks
• Investment firms
• Insurance companies
• Credit rating agencies
• Crowdfunding service providers
• Crypto-asset service providers
• Trade repositories
• Payment processors
• Account information service providers
• Employer-sponsored retirement plan providers
• Data reporting service providers

What Systems and Strategies Does DORA Cover?

The official DORA regulation is comprehensive, covering several areas related to IT security and operational resilience:

ICT risk management

Financial organizations need robust systems to handle ICT risks (like outages, spam, viruses, cyberattacks, data breaches, or other service failures). Established risk mitigation strategies can help prepare your organization to detect, respond to, and recover from ICT problems and incidents.

Incident reporting

The DORA legislation sets a standard process for reporting ICT-related incidents and cyber threats, including who and when to report to and how to categorize these incidents.

Digital operational resilience testing

Organizations are required to regularly test their ICT systems, including checking for vulnerabilities, testing network security, and, in some cases, performing advanced cyberattack simulations.

Third-party risk management

Financial organizations need to actively check and monitor the security practices of their key partners to reduce and manage risks from outsourced ICT service providers.

Oversight framework for critical ICT service providers

The directive is a regulatory framework for overseeing critical third-party ICT service providers, even those outside the EU.

How Can Businesses Prepare for DORA?

With the January 2025 compliance deadline approaching, now is the time to prepare for DORA compliance. The steps you take today will significantly strengthen your operational resilience and keep your business running smoothly in the face of challenges.

The following practical steps can serve as a jumping-off point:

1. Do a gap analysis

Start by assessing your current readiness. Conduct a gap analysis, such as an operational risk assessment, to see where you stand and identify weak spots.

1. Review DORA’s essential requirements across core compliance areas: ICT risk management, incident reporting, digital resilience testing, and third-party risk management.
2. Compare these requirements to your organization’s existing risk management plans, procedures, and practices.
3. Identify specific areas where your current approach falls short of DORA standards.

2. Upgrade your ICT risk management practices

Once you’ve completed risk identification and know where you fall short, create an implementation and/or improvement plan. For best results, your ICT risk management plan should address all stages of the risk management lifecycle. Involve senior management in the process to give your initiatives the momentum and buy-in they need.

Depending on your current situation, the following ICT risk management strategies may apply:

• Implement stronger security measures like access controls, authentication, and encryption
• Create standard procedures for monitoring, classifying, and reporting ICT incidents to competent authorities
• Regularly test ICT systems with vulnerability assessments and penetration tests
• Practice incident response plans with tabletop exercises or drills
• Take a risk-based approach to network and infrastructure management
• Stay updated on new cyber risks and regulatory requirements
• Define clear roles and responsibilities for ICT risk management
• Use threat intelligence to constantly identify and monitor ICT risks, cyber threats, and vulnerabilities
• Build a security operations center to handle ICT threats proactively

3. Strengthen third-party risk management

DORA may shift the way you work with subcontractors or outside vendors. Instead of simply taking them at their word, your organization must manage third-party risks in line with DORA guidelines. Due diligence for critical ICT third-party service providers will be multi-faceted and could include:

• Defining risk appetite and tolerance levels to guide decision-making
• Evaluating the provider’s security measures, policies, and controls
• Investigating their reputation and track record
• Assessing their operational resilience and ability to recover from disruptions
• Verifying regulatory compliance, especially with DORA standards
• Including DORA-aligned contract language, such as for audit and inspection rights, and termination conditions for non-compliance
• Continuously monitoring and assessing third-party compliance with security standards
• Classifying third parties into risk categories (high, medium, low), with enhanced due diligence for high-risk providers

4. Run training and awareness programs

If you’re reading this, you probably already know that a risk awareness culture goes a long way in making your company safer. Studies show that the majority of data breach incidents are caused by employee mistakes—as much as 74%, according to one report. This indicates that security awareness training programs can help organizations respond better to and prevent more such incidents.

The most effective training and awareness efforts are ongoing and multi-faceted, helping you cover all your bases and operate in a state of continuous improvement. Go beyond simply briefing your teams on DORA requirements—consider some or all of the following initiatives:

• Offer year-round training on DORA requirements, ICT risks, and security best practices
• Create clear ways for staff to report risk-related issues
• Use a mix of training methods like simulations and workshops to keep employees engaged
• Run regular phishing tests to improve spotting and reporting of suspicious emails
• Develop specific training for different roles based on their unique risks
• Track how well training works by measuring KPIs such as incident rates and response times
• Build a culture where employees feel safe reporting risks
• Update training frequently to cover new threats and changes in cybersecurity
• Use rewards or games to motivate staff to follow security practices and engage in training

Staying Ahead With Digital Resilience and DORA

Our dependence on technology for essential services is only going to increase, so the ability to bounce back from disruptions is more important than ever. As we face growing demands and potential threats, having a solid digital resilience strategy helps safeguard your business and prepares you for new regulations like DORA.

Preparing for the DORA mandates now will give you a head start. By boosting your digital resilience, you’ll be well-equipped to meet upcoming requirements, reduce risks, and stay competitive, even when things don’t go as they should.