Countdown to the Digital Operational Resilience Act (DORA): Are you Ready for Compliance?

16 April 2024

By Emma Smales

With the deadline for complying with the EU's Digital Operational Resilience Act (DORA) set for 17 January 2025, pressure is mounting for financial institutions and service providers across the industry. 

Tasked with implementing yet another new set of policies and protocols to reduce cyber security risk and improve operational resilience, small and medium-sized organizations are particularly on edge. Many recognize that achieving compliance may be more than their limited resources can bear. 

But rest assured, there's no reason to panic about the DORA deadline. With a sound strategy, a solid governance framework, and trusted tools and partners in place, there's still time to cross the finish line. 

The lowdown on the Digital Operational Resilience Act (DORA)

DORA is designed to ensure resilient operations across the EU's financial system by implementing robust standards and procedures to counter the growing risk of cyber threats and disruption. 

Given the complex, interconnected, and far-reaching nature of the financial services industry, more than 22,000 entities are subject to the new regulation. That includes any financial organization or service provider operating in or doing business in the EU, regardless of where it is headquartered. Just like GDPR, DORA has potentially global implications.

Organizations that fail to comply before the January 2025 deadline are subject to multiple sanctions, including steep penalties, a ban on certain parts of their operations, or a prohibition against using certain third-party providers until compliance is assured.  

Not to mention, failure to achieve DORA compliance would cost organizations their reputation, market trust, and future business, jeopardizing their survival.

Your path to DORA compliance may be partially paved

The good news is that many organizations have likely already met some of DORA's requirements.    

DORA complements other good governance and operational frameworks like ISO 27001 and SS2/21, and achieving compliance may require only some adjustments to policies, procedures, and risk management strategies, as well as the implementation of specific resilience testing procedures, in addition to what they're already doing.

But for other (mainly smaller) organizations, there can be some significant hurdles, such as:

Strengthening Third-Party Risk Management Practices (TPRM)

DORA requires a more comprehensive approach that ensures all critical suppliers meet the same operational resilience requirements as the primary organization. Given the vast reliance on third-party suppliers across the industry, this can be a tall order. 

Operational resilience testing

Red and purple teaming exercises are mandated in the legislation, and there is some indication that DORA may align with standard TIBER testing, but this is still to be determined. Regardless, every organization will need to conduct these scenario-based drills regularly, which can be daunting in scope, resources, and cost for those who have never previously performed such tests. Scenario testing for insolvency is also mandatory under DORA.

Financial regulators recognize approaches such as software escrow agreements as vital components of stressed exit plans for significant suppliers.

Incident reporting

DORA requires that organizations report any major incidents involving Information and Communication Technology (ICT) to the relevant competent authority in their jurisdiction. The idea is that broad-scale knowledge sharing can help improve security and resiliency across the entire sector.

This is new territory for many organizations, and they'll need the templates, internal plans, policies, and procedures for making those reports. 

DORA readiness step-by-step

The most important thing in achieving DORA compliance is that you get started. Here's a quick reference guide to help you plan an effective and efficient strategy:

NCC Group-designed graphic highlighting 5 steps to take towards DORA compliance

Beyond compliance: business benefits of DORA

While complying with DORA is mandatory, don't think of it as a burden—it's actually an opportunity. The framework, systems, and reporting DORA requires will absolutely make your business more secure and resilient.   

For the wider industry, DORA will create standardized processes and a centralized EU reporting hub to improve the flow of information around significant incidents. That means if you, one of your business partners, or competitors detect suspicious activity, the industry can offer insight on how to respond. Individual companies contributing to this shared knowledge base will bolster EU-wide situational awareness and harmonization around real and perceived threats and mitigation activities. 

Once again, DORA's reporting requirements formalize this process by creating the Financial Sector Cyber Collaboration Centre (FSCCC), which acts as a blueprint for collaborative information sharing to standardize reporting parameters. 

NCC Group is your one-stop shop for DORA compliance solutions

No matter what stage of DORA compliance readiness you’re in, NCC Group has the expertise, tools, and experience to guide you from start to finish. Our experts have helped dozens of companies across the financial sector implement frameworks to achieve compliance.

Our DORA Readiness Assessment is designed to support financial institutions and critical third parties looking to obtain DORA compliance. A multi-discipline team of experts will provide you with an overview of any gaps in governance procedures and processes relating to the five mandated steps of the DORA legislation.

We’re also uniquely built to help with the more complex and robust areas of DORA, such as supplying software escrow through our Escode team and delivering specialist Red/Purple Team exercises.

From zero to compliance and every bit in between, contact NCC Group to help you get DORA-ready today.

Emma Smales

Principal Security Consultant, NCC Group

Emma Smales is a Principal Consultant with over ten years of experience in the privacy and security industry and a passion for regulations within the data protection space. Emma is well-versed in risk management strategy and third-party risk management. She also has experience in auditing against many cyber security frameworks including NIST CSF, ISO27001, ISO27701, Cyber Essentials, and GDPR, assessing compliance, and helping to implement robust security practices. Her work spans across various industries, including manufacturing, telecommunications, and finance. 

Emma is an ISO27001 Lead Implementer and Lead Auditor who has also gained her CISMP qualification. Her role involves creating and leading the Digital Operational Resilience Act (DORA) service line at NCC Group.

Get the most comprehensive DORA preparation.

The 2025 deadline is approaching quickly; take advantage of our resources, offers, and expert support to achieve compliance and improve resiliency for your organization.