What is the Digital Operational Resilience Act (DORA) and how to ensure your organisation is prepared
As the digital landscape continues to evolve, businesses operating in Europe must be prepared to adapt to new regulations aimed at securing their digital infrastructure. One such forthcoming legislation is the Digital Operational Resilience Act (DORA), which is to come into force in 2025. This comprehensive and far-reaching act will have significant implications for businesses of all sizes, making it crucial for organizations to understand its requirements and take the necessary steps to ensure compliance.
DORA’s main aim is to establish EU-wide requirements intended to improve the cybersecurity and operational resilience of every European financial entity, as well as of the third parties that supply these institutions with ICT-related services.
Complying with DORA will not just be a legal requirement; it’ll also serve as an indicator of an organisation's commitment to maintaining robust digital infrastructures and safeguarding customer data. By adhering to DORA's guidelines, businesses will be able to improve their overall operational resilience, reduce the risk of cyberattacks, and protect their reputation in the market.
What are the key requirements of DORA?
There are five key pillars that DORA is built upon, which are:
ICT Risk Management Requirements
Organisations must implement a comprehensive risk management framework to identify, assess, and mitigate potential risks to their digital infrastructure. This will include regularly reviewing and updating risk assessments, implementing adequate controls, and maintaining a robust incident response plan.
ICT-Related Incident Response
Businesses must establish a clear and effective incident response plan that outlines the steps to be taken in the event of a cyber incident. This includes identifying key personnel responsible for managing the incident, establishing communication channels, and defining procedures for escalation and resolution – which will benefit employees at all levels of an organisation.
Digital Operational Resilience testing
It’ll become a requirement for organisations to periodically test their risk management framework for preparedness and to aid the identification of any potential weaknesses within the framework. This testing will be proportionate, and dependent on the size, business and risk profile of each financial entity.
Managing of ICT third-party risk
DORA will place strict requirements on the outsourcing of critical functions, with businesses expected to maintain a high degree of oversight and control over third-party service providers. Businesses must identify and address any operational risks arising from their reliance on third-party providers, including potential disruptions to services and data breaches. This requires implementing robust controls and monitoring mechanisms to ensure the ongoing security and resilience of these relationships.
Information Sharing
The regulation will also allow financial entities to set up arrangements to exchange cyber threat information and intelligence amongst themselves.
Whilst larger organisations may already have some measures in place to address digital operational resilience, DORA’s requirements will likely necessitate additional investments in technology, processes and personnel.
For smaller businesses, the impact may be more pronounced, as they may need to build their resilience capabilities from the ground up.
Best Practices for Preparing for DORA (What you can do today to prepare)
There are several steps that businesses can take today to prepare for the incoming legislation:
- Conduct a thorough assessment of their current digital infrastructure to identify gaps and vulnerabilities that need to be addressed.
- Develop and implement a comprehensive risk management framework that incorporates DORA’s requirements into their existing processes.
- Establish a clear incident response plan and ensure all relevant personnel are trained and aware of their responsibilities.
- Review and update current outsourcing arrangements, ensuring that third-party providers meet DORA’s standards for operational resilience.
In addition, businesses can leverage modern technology solutions, such as Ideagen Risk Management to help minimise risks and assist in compliance.
By automating key processes and providing real-time insights into potential threats, Ideagen Risk Management can help organisations stay ahead of the curve and maintain a resilient digital infrastructure.