Skip to content

Achieving DORA compliance: Essentials to consider when preparing

by Tomasz Ślubowski

BR-AG | Senior Business Analyst, Practice Lead

by Mateusz Stefański

BR-AG | Senior Business Analyst, Practice Lead

The Digital Operational Resilience ACT (DORA) regulation becomes enforceable in the European Union on 17 January 2025. It sets out requirements for financial entities to ensure they can withstand and recover from ICT-related disruptions and threats. Having left less than a year to prepare for DORA compliance, impacted entities are bracing up to the new set of requirements.

DORA goes beyond previous regulations and requires financial institutions to manage every component of operational resilience. The new regulatory framework includes details for third-party risk monitoring, set rules for ICT risk management, incident reporting, and operational resilience testing.

Who must comply with DORA Regulation?

DORA is an EU regulation, approved by the EU Parliament. It affects financial services organisations operating in the EU – and organisations providing services to EU financial service firms. Hence, U.S., UK and other non-resident firms are required to comply if they provide financial services within EU member states directly or as a third-party service provider.

The full list of impacted entities is provided in Article 2 of the Regulation. Among other entities, it includes:

  • The Financial Services Industry
  • Payment institutions
  • Investment firms
  • Insurance companies
  • Credit rating agencies
  • Crypto-asset service providers
  • Crowdfunding service providers
  • Data analytics and audit services
  • FinTech
  • Trading venues
  • Financial system providers
  • Credit institutions.

It is now evident that, regardless of their current level of digital maturity and operational resilience, all entities within the scope of DORA should treat it as a trigger to initiate or enhance their resilience efforts.

Who oversight?

The DORA oversight framework assigns to the three European Supervisory Authorities – ESAs (European Banking Authority – EBA, European Securities and Markets Authority – ESMA, European Insurance and Occupational Pension Authority – EIOPA) the role of Lead Overseer, to ensure that CTPPs are adequately monitored on a Pan-European scale, for the risks that they may pose to EU financial sector.

In their oversight roles, the EBA and other ESAs may request information from CTPPs, conduct off-site investigations and on-site inspections, impose penalties, and issue recommendations.

Get familiar with key DORA requirements

The DORA regulation consists of five key pillars that outline requirements for financial entities to withstand, respond to, and recover from ICT-related threats. Here, we explain what each of these pillars entails.

Below, we are sharing a brief recap of these and other essential points of DORA:

  • ICT Risk Management: Entities must establish comprehensive frameworks to manage ICT risks, ensuring business continuity and disaster recovery.
  • Third-Party Risk Management: Including monitoring of third-party service providers, management of risks associated with third-party ICT service providers and ensuring these providers also comply with DORA requirements.
  • Oversight of third-party providers: Oversight conducted by ESAs.
  • Digital Operational Resilience Testing: Conducting regular tests of their infrastructure and procedures, including threat-led penetration testing.
  • Incident Reporting: Reporting major ICT-related incidents to the relevant authorities within specific timeframes.
  • Information Sharing: Collaboration and information sharing on cyber threats and vulnerabilities among entities and authorities.

While most of the DORA elements are well known to the financial institutions, it is worth noting that the Act includes a dedicated structured reporting obligation on the Register of Information on contractual arrangements with ICT third-party service providers.

Connect with our dedicated experts to learn more about this reporting and other obligations under the DORA Act.

Everything begins with the data: Issues that might hinder your DORA compliance

With a dry run exercise with selected entities started by EBA in May 2024 – the rest of the EU financial sector should follow suit to avoid rushing through last-minute compliance efforts.

Everything starts with the data, and it fairly should be one of the top priorities for management, as it underpins every aspect of operations and affects compliance significantly.

For example, financial organizations often face challenges due to data being dispersed across numerous locations. This widespread data sprawl, largely due to the adoption of multi-cloud strategies complicates the task of locating specific information for sharing and introduces significant security risks. The Flexera’s 2024 State of the Cloud Report indicates that 90% of organizations utilize the multi-cloud approach.

These risks are heightened when multiple copies of sensitive documents exist in various locations, increasing the likelihood of unauthorized access and wasting storage space.

Supplier relationships are another critical area of the DORA regulation. Strategic partners often need access to specific parts of a financial firm’s system, and ensuring they can access this data without compromising other sensitive information is crucial.

Additionally, financial firms must be able to quickly identify alternative service providers to ensure continuity in case a supplier fails. Properly organized data is essential to meet these requirements.

Achieving DORA compliance requires organizing data into a manageable structure through several key steps. This process begins with a comprehensive data audit to identify data locations, storage types, retention periods, and last access dates, providing a snapshot of the current data landscape. Next, fragmented data should be relocated to more logical locations and clearly tagged to facilitate easy identification for sharing or reporting purposes.

Becoming responsive to change requires innovation and robust technology at hand

As the financial sector increasingly relies on technology to move ahead with innovation, it must also address the associated risks. With the DORA compliance deadline approaching, which includes stringent requirements for incident reporting, ICT risk management, operational resilience testing, and third-party oversight, financial firms need to tackle their data challenges by assessing their current situation and implementing more efficient data management practices.

At BR-AG, we see DORA as both a challenge and an opportunity for financial entities. To ensure and demonstrate a consistent level of cybersecurity and operational resilience across all their EU operations, financial entities must start not only by preparing their data but also by educating and upskilling their teams.

Our experts continually evaluate regulatory updates and reporting obligations to help impacted entities understand what needs to be considered, implemented, and demonstrated for DORA compliance. Additionally, we continuously enhance our technology solutions that help to organize data into a manageable, unified structure powered by global data standards and establish more robust data management practices.

Connect with our experts to get more detailed guidance on the latest DORA requirements and discuss your specific questions:

Follow us on →