
DORA is coming, are you ready?

What is DORA and why does it matter

DORA, or the Digital Operational Resilience Act, is a European Union regulation designed to strengthen the digital resilience of the financial sector. The legislation provides a comprehensive framework to ensure that financial service providers are able to withstand, recover from and adapt to technological disruptions and cyber threats.

DORA aims to increase transparency in the sector. The legislation will require financial sector organizations to review and strengthen ICT-related processes, risk management and cyber security. These measures will strengthen consumer confidence in digital financial services. In the big picture, the benefits of DORA include greater stability in financial markets and better protection for consumers.

DORA will apply from 17 January 2025, and the transition period is underway right now. Organizations therefore have less than a year to adapt to the new requirements and strengthen their digital resilience.

Current state and challenges

DORA has generated a lot of debate among financial actors. Although the regulation has already been formally published, it will continue to evolve as new regulatory standards are published. As an example, the situation in the Finnish financial sector can be said to be, for the most part, already quite good, thanks to the solid foundation provided by ISO27001.

Although many organizations are already certified to ISO27001, DORA sets new, more specific requirements on top of this. These requirements will require organizations to review their existing practices. For example, one major area is the management of service providers, where DORA sets more detailed requirements for the management and control of outsourced services and service providers. These requirements cover the entire life cycle of a service provider, from pre-contract negotiations to ending the partnership.

It is also worth noting the identification requirements. Under DORA, financial services organizations need to understand and define which IT assets their mission-critical and important processes depend on. This may sound simple, but when the number of assets is large, it can easily take a surprisingly long time to accomplish.

One surprise that DORA brings is the precision and regularity of its testing requirements. Random testing is no longer enough; a consistent and repeatable testing process is required. DORA also stresses the need for comprehensive and detailed documentation, ranging from policy documents to daily practical measures.

For many financial organizations, the challenge posed by DORA is to move from rapidly implemented interim solutions to clear and efficient processes that are easy to maintain. For example, many organizations have relied on Excel spreadsheets to manage risk management as a whole. These may work in the short term, but they can be very difficult to maintain later, particularly if the whole compliance process is built on top of Excel. The shift towards more sustainable solutions requires a change in mindset, practical planning and choosing the right tools to implement DORA-compliant practices.

How to get started

The changes required by DORA can seem challenging for many financial organizations. However, there are ways in which organizations can approach change in a systematic and effective way. Here are our suggestions on how an organization can start preparing for DORA compliance.

Identify current state and conduct a gap analysis

The first step is to identify the current state and potential gaps. This starting point will provide a clear picture of where your organization currently stands in relation to the DORA requirements. Few organizations are fully prepared, so a well-led gap analysis will reveal where the main gaps are and where action is needed as a matter of priority.

Draw a roadmap and prioritize actions

The next step is to draw up a roadmap, i.e. a plan for how to move forward. This includes defining the most urgent actions and identifying the “low-hanging fruit”: things that are relatively easy to implement and that will quickly deliver value. For example, business impact analysis (BIA) is a good tool for prioritization. BIA helps to understand which systems and processes are most critical to the business.

Take a human-centered approach to continuity

Under DORA, the ability of an organization to continue operating as quickly and seamlessly as possible after a disruption is key. This requires a people-centered approach that defines responsibilities and coordinates actions in a clear and consistent manner. It is important to ensure that the organization has the necessary resources and skills to implement these measures. For example, responsibility for documenting processes should be assigned to people with a deep understanding of the organization’s current processes and capabilities.

Use tools to improve management

Instead of Excel spreadsheets, organizations should make use of appropriate tools to manage processes and documentation. Tools, such as ServiceNow, allow for much more efficient documentation and process management in line with DORA requirements. They reduce errors, increase transparency and enable real-time monitoring of compliance.

What to prepare for?

The introduction of DORA brings with it a range of challenges that have raised uncertainties and questions.

  1. The purpose of DORA and its requirements may not be fully understood by everyone, and it is not always clear how to start or proceed in meeting the requirements of the regulation. This can seem like a daunting task, especially for those who are not used to dealing with a similar regulatory jungle.
  2. The human challenges, such as a lack of adequate skills and resistance to change, become more pronounced as organizations try to navigate through the requirements of DORA.
  3. Time pressures create additional stress as the January deadline approaches fast. Organizations need to ensure that they get the necessary measures in place in time.
  4. Companies that have become accustomed to relying on temporary manual solutions now face a practical challenge as they seek to improve these quick fixes to build a more sustainable model.

Overcoming these challenges requires careful planning, timely allocation of resources and organizational commitment from the top down. This will ensure compliance with DORA requirements and achieve the digital resilience it brings.

Summary

When an organization starts to work on meeting the requirements of DORA, a systematic and prioritized approach is essential. While DORA is a massive undertaking and its requirements may initially seem overwhelming, it is also important to recognize the benefits that the regulation brings. Its aim is to create a more secure financial sector, which is essential for the sustainability and reliability of Europe’s financial infrastructure as a whole.

DORA will not only improve the ability of financial organizations to manage and respond to digital threats, but it will also strengthen confidence in the sector as a whole. It is important that such a critical sector is comprehensively secured across Europe.

This journey doesn’t have to be taken alone. A trusted partner can bring stability and clarity of direction, which is important given that time is a limited resource in this case. Sofigate has supported its clients in increasing their digital resilience and maturity to meet DORA requirements.

Author

Kati Piipari is an experienced risk management professional. She has 15 years of professional experience, more than 10 years of which she has worked in the financial sector. Her current focus is on helping her clients develop their capabilities to meet DORA requirements.
