
Andrada Fiscutean
Freelance writer

Countdown to DORA: How CISOs can prepare for EU’s Digital Operational Resilience Act

Feature | 24 Jul 2024 | 11 mins
Topics: Financial Services Industry, Regulation, Risk Management

The EU regulation meant to strengthen financial organizations' resilience to cyberattacks will apply starting 17 January 2025, and it is CISOs' responsibility to make sure their organizations comply with it.


The finance sector has been among cybercriminals’ favourite targets. Nearly one-fifth of all recent cyberattacks were aimed at financial firms, with banks being the most vulnerable of all, according to the International Monetary Fund. To help financial institutions stay resilient against these threats, the EU has introduced the Digital Operational Resilience Act or DORA, which will apply starting on 17 January 2025.

The DORA aims to strengthen the security of both traditional and non-traditional financial entities, including banks, investment firms, credit institutions, audit firms, credit-rating agencies, crypto-asset service providers and crowdfunding platforms. The regulation goes one step further and also applies to third-party ICT service providers that work with financial entities, meaning that infrastructure providers such as data center operators and cloud service providers must adhere to the standards outlined in the document.

DORA has two goals

Simply put, the DORA has two goals: it aims to offer a comprehensive framework to address risk management in the financial sector, and it also hopes to harmonize risk management regulations across the EU, because different countries currently have different rules for financial organizations.

Harmonization is one of DORA’s greatest achievements and the document “is going to simplify things for everyone in the long run,” says Joel Brandon, head of sales for EMEA at ProcessUnity. 

The Act gives financial entities the opportunity to focus on building resilience against threats, Brandon adds, and will encourage organizations to enhance their overall security posture and foster collaboration. “What we really appreciate about DORA is the opportunity it affords in-scope entities to really focus their minds on ICT disruption and the impact it could have on not just their own business functions but also on the wider ecosystem in which it operates,” Brandon tells CSO.

However, achieving DORA compliance by January 2025 is easier said than done, and many CISOs could struggle with it in the coming months. While many have made efforts to prepare, there is still a lot of work ahead. A small McKinsey survey conducted in March 2024 found that five of the 16 executives and program leaders questioned doubted they would meet the DORA deadline, and only five of them were confident in their ability to comply on time.

With the clock ticking, financial entities need to intensify their efforts and establish their priorities.

“Many firms don’t realize just how complex DORA compliance can be, especially since it involves so many different parts of the organization working together,” Brandon says. “We see customers often underestimate the resources and time needed, particularly for managing third-party risks and setting up effective incident reporting systems.”

What is the Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act sets out requirements in four key areas: ICT risk management, incident management and reporting, digital operational resilience testing, and third-party risk management. In addition, it encourages financial entities to share information on cyber threats among themselves, but this is voluntary rather than mandatory.

The first of the four, risk management and governance, puts the responsibility on the shoulders of the management body. It stipulates that board members, executive leaders, and senior managers need to define solid risk management strategies and make sure they are implemented. Moreover, the DORA requires all decision-makers to stay up to date with the latest security risks. Failure to comply with any of this means that board members and managers can be held personally accountable.

In this context, the CISOs’ role of providing stakeholders with information on security trends becomes increasingly important. They face the challenge of offering clear information to non-technical audiences and making sure everyone understands the risks involved. “Once board members and other executives can be held responsible, they will take security more seriously,” says Sagie Dulce, VP of research at Zero Networks.

The Act also requires financial entities to “identify, track, log, categorise and classify ICT-related incidents according to their priority and severity and according to the criticality of the services impacted,” the document reads.

The impact of an incident is determined on the basis of several criteria, including the number and relevance of clients affected, the duration of the incident, its geographical spread, the potential data losses, the criticality of the services affected, and the direct and indirect costs and losses involved.

When major ICT-related incidents occur, organizations have to notify the competent authorities. The reporting takes place in three stages: an initial notification that acknowledges the incident, an intermediate report (followed by updated notifications whenever new information becomes available) that explains how the incident is being handled, and a final report that covers the root cause, the actual impact, and the mitigation measures taken.

Another key aspect is the requirement to test systems regularly. Vulnerability assessments and scenario-based testing need to be carried out at least once a year, while threat-led penetration testing (TLPT) has to be conducted at least every three years by the financial entities that competent authorities identify for it.

DORA addresses third-party risk

What is notable about the Act is that it doesn't only apply to financial entities: third-party ICT service providers also have to strengthen their security.

Managing third-party risk is one of the areas financial organizations struggle with, according to the McKinsey survey. More than half of the executives and program leaders questioned for this small study said it is one of the most complex elements of the DORA to fulfil. The CISO plays a key role here, helping employees evaluate supply chain cyber threats and making sure they understand the information security consequences of engaging with a particular partner.

Financial entities that don’t have a dedicated third-party risk program will need to implement one. “We’re going to see much stricter oversight and less tick-box due diligence both at the start of a third-party engagement and throughout the lifecycle,” Brandon says. “This will have an impact on the way firms contract with their third parties and we’re expecting a far greater focus on security clauses, audit rights, reporting mechanisms, as well as stringent termination clauses, allowing organizations to more easily exit relationships in case of incidents.”

Top priorities in the lead up to January 2025

With the DORA starting to apply in just six months, organizations that operate in the financial sector need to accelerate their efforts, and CISOs need to make sure they are enforcing all the security policies required by the Act. “Six months is a very tight deadline,” says Wayne Scott, regulatory compliance solutions lead at Escode, part of NCC Group. “Ideally, the regulated entities would have already completed a large number of their scenario tests, with a high percentage of successful tests,” he adds. 

CISOs working for small or mid-sized organizations that haven’t invested enough in cybersecurity will face numerous challenges. Scott says that a good starting point would be to perform a gap analysis to determine where the existing controls meet DORA’s requirements and where more work needs to be done. With the deadline approaching fast, it’s unrealistic to meet every single obligation in time, so one recommendation is to start by focusing on the most critical ones.

Of course, at this point, mapping the environment is crucial. Organizations need to “make sure they can answer the basic questions of who has access to what, including internal workers and third parties,” adds Dulce. “They must be performing comprehensive pentests and have some form of logging and monitoring in place.”

CISOs also need to be mindful of legacy systems that might need to be upgraded to meet the DORA requirements. Upgrading them at this point might be challenging and expensive; however, doing so should make the organization more secure in the long run.

Financial entities also must fine-tune their stressed exit plans. According to the DORA, exit plans should be comprehensive, “sufficiently tested and reviewed periodically.”

“These plans should be demonstrably successful, they should clearly show that the regulated entity can bring the management of a failed service in house or pass the management of the service to a third party,” Scott adds. “Clearly establish if fully scenario tested escrow solutions are in place.”

The DORA doesn’t directly name escrow as a viable proportional component of stressed exit plans, but that doesn’t mean escrow isn’t the solution. “Remember, DORA is technology agnostic and cannot name a solution, but there’s a clear reason why the likes of the PRA, OCC, RBI, and MAS all name escrow: It works,” Scott says.

Regardless of the priorities set by an organization, it’s important to have a multidisciplinary team in which technical staff plays a central role, and CISOs should advocate for this. That way, compliance and security measures can go in tandem. Focusing solely on a top-down compliance approach without involving technical staff might create problems down the line, according to Beltug, the largest Belgian association of CIOs & Digital Technology leaders.

If getting ready for the Act seems overwhelming, hiring the right people and bringing in advisory and legal expertise can help. Brandon says that once there’s “a good understanding of what’s in scope, it will be easier to form an internal team from relevant departments, such as infosec, compliance, procurement, and legal.”

Mistakes to avoid while preparing for the DORA

There are also common pitfalls CISOs need to be mindful of. Perhaps the biggest mistake they could make when it comes to aligning with the DORA is “move too slowly, make it more complicated than it is, and not take outside advice,” says Rois Ni Thuama, cyber governance and risk compliance expert.

ProcessUnity’s Brandon agrees, adding that “the key mistake is leaving things too late or deliberating over action for too long.”

CISOs should also be aware of how the DORA overlaps with other requirements. A common mistake is assuming that it fully covers the NIS2 directive, which is false. "NIS-2 takes precedence in areas where DORA lacks specific requirements," Beltug told CSO in an email. EU member states must transpose the NIS2 directive into national law by 17 October 2024.

There are also things financial organizations tend to underestimate: supplier failure, service deterioration, and concentration risk. Scott says license agreements should be amended to include the requirements for successful stressed exit plans from the supplier. This, however, might be difficult to do given the short time left until the deadline. “Contractual negotiations take time, and with only six months left on the clock, there may not be enough time to conclude those negotiations,” Scott adds.

DORA’s impact outside of the EU

The Digital Operational Resilience Act will likely make a difference both within the European Union and globally. If proved successful, the regulation could potentially be replicated in other parts of the world, making banks and other financial firms better prepared for tech-related incidents.

“The US regulators have given clear indication of their admiration of DORA and have heavily hinted that the US can expect similar regulatory discussions in the not-too-distant future,” Scott says.

To his knowledge, some CISOs and organizations based in New York are also keeping a keen eye on the DORA to see how it’ll change Europe’s financial sector and how it could produce waves across the world.

Brandon adds that DORA could ultimately make the global financial sector safer, stopping financial entities from haemorrhaging money as a result of tech-related incidents. “It’s all about setting up a unified set of rules across countries, which should help manage risks from outside tech services better.”

DORA has the potential to impact other sectors as well, not just finance. "I believe we'll see these regulatory changes spread outside of financial services, primarily to the energy and communications industry," Scott says.

As the ripple effects of the Act become more evident, it might be useful for other sectors to be prepared for similar regulatory shifts. As Rois Ni Thuama put it, “DORA is just the beginning of much needed changes.”
