16 Oct The Digital Operational Resilience Act (DORA) Deadline is Approaching: What to Do If Your Organization Isn’t Ready Yet
Updated on October 20, 2024 by David Lalire
As the financial sector becomes increasingly dependent on digital technologies, the European Union has introduced the Digital Operational Resilience Act (DORA) to ensure that financial entities across Europe can remain operational and resilient in the face of severe IT disruptions.
Enacted on January 16, 2023, DORA imposes stringent requirements on financial institutions, including banks, insurance companies, and investment firms, as well as ICT service providers who work with them.
The full implementation of DORA is set for January 17, 2025, and it will apply to all financial entities operating within the European Union. The regulation is designed to harmonize IT risk management across the sector, ensuring that these organizations can withstand, respond to, and recover from a wide range of operational disruptions, including cyber-attacks and ICT system failures.
DORA’s framework not only covers financial institutions but also extends to third-party ICT providers, making the entire financial ecosystem more secure. With the deadline fast approaching, if your organization isn’t fully prepared, immediate action is necessary. Here’s what you can do to get ready.
Before We Begin
If your organization hasn’t started preparing for DORA yet, you might want to skip ahead to point 7. For those of you ready to take a more measured approach, read on; there’s still time to get everything in order.
1. Conduct a Compliance Gap Analysis
A compliance gap analysis is essential for assessing your organization’s current state compared to DORA’s requirements. This process involves a thorough review of your ICT infrastructure, risk management practices, and operational procedures to identify any discrepancies between your current setup and DORA’s mandates.
Start by reviewing key areas such as ICT risk management, third-party oversight, and incident reporting. Are you conducting regular operational resilience testing? Do you have systems in place for reporting ICT-related incidents to the authorities? This analysis will highlight gaps and help prioritize areas needing immediate attention.
Action point: Engage both internal teams and external auditors to perform a detailed gap analysis. Use the results to create an actionable roadmap toward compliance.
2. Strengthen Your ICT Risk Management Framework
One of DORA’s primary requirements is a robust ICT risk management framework. This framework must effectively identify, assess, and mitigate ICT-related risks across the entire lifecycle of your technology operations, from acquisition and implementation to maintenance and decommissioning.
If your risk management framework is not up to par, it’s time to strengthen it. This might involve implementing automated monitoring systems, adopting best practices, or increasing staffing in your IT security department. The framework should be adaptable, capable of addressing both existing risks and emerging cyber threats.
Action point: Review and upgrade your ICT risk management framework to meet DORA’s standards. Ensure you have the necessary governance structures in place for continuous monitoring and risk mitigation.
3. Review Contracts with Third-Party ICT Providers
DORA places significant emphasis on managing risks posed by third-party ICT service providers. Financial entities must have full visibility into the risks associated with external vendors, such as cloud service providers or cybersecurity firms.
Reviewing and, if necessary, renegotiating contracts with these providers is crucial. Ensure that your agreements include the required provisions for risk management, incident reporting, audits, and performance benchmarks. This is especially important for critical third-party providers whose services are essential to your operations.
Action point: Conduct a comprehensive review of your third-party contracts. Update them to include DORA’s mandated provisions for risk management and incident response.
4. Establish a Robust Incident Response Plan
A key component of DORA is the ability to respond effectively to ICT-related incidents. These could range from cyber-attacks to system failures. An incident response plan should outline the specific roles and responsibilities within your organization, detailing how incidents are detected, escalated, and resolved.
Regularly testing and refining this plan through simulations or “fire drills” will help your teams respond quickly and effectively in real-world scenarios. Being able to report and manage major ICT-related incidents promptly is essential for compliance with DORA.
Action point: Develop or update your incident response plan in accordance with DORA. Ensure it is tested regularly and that your staff is fully trained on the appropriate response procedures.
5. Start Preparing for Digital Operational Resilience Testing
DORA requires financial institutions to conduct operational resilience testing, both basic and advanced, to simulate potential disruptions such as cyber-attacks or service failures. The goal is to ensure that your organization can continue operating, even under adverse conditions.
Begin with basic tests that stress your systems to assess their capacity to handle disruptions. Advanced tests, such as cyber-attack simulations, can help identify vulnerabilities that need addressing. Where necessary, engage external experts to conduct these resilience tests to ensure compliance and effectiveness.
Action point: Schedule regular operational resilience tests to assess your systems’ robustness. Begin simulations as early as possible to allow time for addressing any weaknesses.
6. Train Your Teams on DORA Compliance
DORA compliance isn’t solely the responsibility of your IT department. It requires coordination across legal, risk management, operations, and compliance teams. Without proper training, critical steps may be missed, or roles may be unclear in times of crisis.
Training should ensure that every department understands its responsibilities under DORA. This includes recognizing ICT risks, reporting incidents, and ensuring compliance with operational resilience measures. Continuous training and updates are necessary to maintain readiness.
Action point: Implement a company-wide training program focused on DORA compliance. Ensure all relevant teams understand the regulation’s requirements and their specific roles in meeting them.
7. Seek External Support if Needed
If your internal teams are struggling to meet DORA’s requirements or if you lack the necessary expertise, external support may be essential. Specialized consultants can provide an expert assessment of your current status and offer guidance on closing any compliance gaps.
These professionals can assist with complex areas such as contract renegotiations, advanced testing, or enhancing your ICT risk management framework. While it may require an investment, the potential penalties for non-compliance and the risk of operational disruptions make this a worthwhile step.
Action point: If internal efforts are insufficient, consider hiring consultants with DORA expertise to help you meet the regulatory requirements in time.
As the January 2025 deadline approaches, financial institutions that are not yet fully prepared for DORA need to take immediate action. By conducting a gap analysis, strengthening ICT risk management, reviewing third-party contracts, and ensuring that teams are trained and ready, your organization can ensure compliance. Beyond regulatory obligations, these steps will enhance your organization’s overall resilience, safeguarding it against rising ICT risks in an increasingly digital world.