Preparing for DORA: countdown to the 17 January deadline
The deadline for the Digital Operational Resilience Act (DORA) is fast approaching.
The widely publicised regulation applies to the EU financial services sector and is designed to improve its cyber resilience. Its reach does not stop at the EU's borders, however: an ICT provider anywhere in the world that does business with one of the EU's roughly 22,000 in-scope financial entities will have DORA's requirements passed through to it by contract, and the largest providers can be designated as critical ICT third-party providers and supervised directly.
Similar to other global regulators, such as the Hong Kong Monetary Authority, the EU is now mandating a comprehensive range of security requirements that are legally enforceable under DORA.
The key aim of the regulation is to ensure that financial firms in the EU, and their partners, can remain resilient in the face of disruptions which can be caused by cyber incidents or outages.
Today, financial organisations are increasingly reliant on third-party technology to deliver their services, but when these providers face disruptions, this threatens the stability of the entire financial sector.
If resilience plans are not in place, these risks can impact customers and businesses while threatening the overall EU economy. These are the risks DORA has been designed to contain. The regulation aims to ensure that an outage at a single firm or provider does not threaten the stability of the EU's financial sector.
Ensuring that all financial organisations in the EU can still operate even if key partners are potentially facing disruptions adds a layer of resilience around the sector which should safeguard it in the face of digital breakdowns.
But, in an increasingly complex digital world, where the supply chains of financial players can span the world, putting the regulation into practice will prove to be a massive undertaking.
So, what do CISOs need to know about the requirements of the forthcoming DORA regulation?
Understanding DORA’s requirements
Full compliance with the DORA regulation becomes mandatory on 17 January 2025. The main DORA act brings with it a host of binding security requirements in areas such as ICT incident and supplier management.
The true breadth of the regulation becomes evident when scrolling through the 500+ requirements in the underlying ICT Risk Regulatory Technical Standards.
These include foundational elements of security such as:
- IT asset management.
- Encryption protocols.
- Vulnerability and patch management.
- Access control measures.
It’s essential to recognise that much of what DORA requires aligns closely with the practices organisations should have already adopted as part of their wider cyber strategies. Many of DORA’s requirements are foundational and have long been advocated by established frameworks, such as the NIST Cybersecurity Framework and the CIS Critical Security Controls.
Take IT asset management as an example. Since the first version of its Cybersecurity Framework in 2014, NIST has emphasised the importance of tracking and managing IT assets. DORA reinforces this by requiring organisations to “develop, document and implement a policy on the management of IT assets”.
The regulation further outlines nine key details that must be recorded for each asset, including its criticality and the business functions it supports. Why is this so crucial? Because IT asset management underpins effective security.
Without a comprehensive inventory, organisations cannot ensure their security measures address all endpoints, vulnerabilities and systems. For example, a business must understand which assets are safeguarded by security solutions, such as endpoint protection, vulnerability scanning and Security Information and Event Management (SIEM) systems.
Additionally, failing to prioritise assets based on their business value can lead to inefficiencies, with resources being spent on securing lower-risk assets while critical ones remain vulnerable. IT asset management is far more than a regulatory obligation—it’s a vital component of risk management and robust security practices.
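The practical check behind the last two paragraphs is a reconciliation: take the asset inventory, with each asset's criticality and business function recorded, and compare it against what the endpoint protection, vulnerability scanner and SIEM each report as covered. The script below is an added example, not code from the article; the record fields, tool names and sample hosts are constructed for illustration, and in a real run they would come from the CMDB and the export of each tool. It reports the gaps most critical asset first, and also the reverse problem: hosts a tool can see that nobody has inventoried.

```python
"""Reconcile an ICT asset inventory against security-tool coverage.

Added example for illustration. The inventory fields (host, owner,
criticality, function) and the three control feeds are assumptions; a
real run would export these from the CMDB, EDR console, vulnerability
scanner and SIEM rather than hard-code them.
"""

# Constructed sample inventory: the kind of per-asset record a DORA
# asset-management policy requires, including criticality and the
# business function the asset supports.
INVENTORY = [
    {"host": "pay-gw-01", "owner": "payments", "criticality": "critical", "function": "SEPA payments"},
    {"host": "pay-db-01", "owner": "payments", "criticality": "critical", "function": "SEPA payments"},
    {"host": "hr-app-01", "owner": "hr", "criticality": "low", "function": "HR portal"},
    {"host": "trade-api-02", "owner": "trading", "criticality": "high", "function": "Order routing"},
    {"host": "dev-jump-03", "owner": "platform", "criticality": "medium", "function": "Engineering access"},
]

# Constructed exports from each control: the hostnames each tool reports
# as enrolled (EDR), scanned (vulnerability scanner) or forwarding logs (SIEM).
COVERAGE = {
    "edr": {"pay-gw-01", "hr-app-01", "trade-api-02", "dev-jump-03"},
    "vuln_scan": {"pay-gw-01", "pay-db-01", "hr-app-01"},
    "siem": {"pay-gw-01", "pay-db-01", "trade-api-02", "legacy-fx-09"},
}

# Lower rank sorts first, so critical gaps surface at the top of the report.
CRITICALITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def coverage_gaps(inventory, coverage):
    """Return [(host, criticality, [missing controls]), ...] for every
    inventoried asset that at least one control does not see, ordered
    most critical first and then by hostname."""
    gaps = []
    for asset in inventory:
        missing = [name for name, hosts in coverage.items() if asset["host"] not in hosts]
        if missing:
            gaps.append((asset["host"], asset["criticality"], missing))
    gaps.sort(key=lambda gap: (CRITICALITY_RANK[gap[1]], gap[0]))
    return gaps


def unknown_hosts(inventory, coverage):
    """Hosts that some control reports but the inventory does not list:
    the opposite failure, where a tool sees assets nobody has registered."""
    known = {asset["host"] for asset in inventory}
    seen = set().union(*coverage.values())
    return sorted(seen - known)


if __name__ == "__main__":
    for host, criticality, missing in coverage_gaps(INVENTORY, COVERAGE):
        print(f"{criticality:<9} {host:<14} missing: {', '.join(missing)}")
    for host in unknown_hosts(INVENTORY, COVERAGE):
        print(f"unregistered host reported by a control: {host}")
```

Run stand-alone, the report lists the critical payments database with no EDR agent before the low-criticality HR portal that is merely not forwarding logs, which is the prioritisation the text argues for. The unregistered host at the end is the case an inventory-only review never catches: a system that a control knows about but the asset register does not.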
When it comes to the requirements for ICT third-party risk management, the regulation requires financial players to carry out due diligence on suppliers before entering contracts with them.
It also says financial organisations must assess concentration and operational risks, and ensure suppliers meet specific security requirements. This will be a big undertaking for many organisations, but it’s an important step to improve the resilience of the financial sector.
The EU clearly wants to identify the ICT providers on which many financial entities depend, and to ensure those providers practise good cyber hygiene and have operational resilience plans in place. Otherwise, an outage at a ubiquitous provider could threaten the stability of the entire financial market.
Turning DORA into opportunity
DORA represents a turning point for organisations when it comes to establishing strong cybersecurity foundations. For CISOs, the regulation provides an opportunity to focus efforts where they are needed most, providing the drivers to secure the necessary investment for these initiatives.
Those that act now will benefit by significantly reducing their security risks and improving operational resilience.
DORA’s detailed requirements can serve as a baseline for what must be in place, ensuring that even the most reluctant businesses meet minimum security standards, which in turn will significantly improve the overall operational resilience of the entire EU financial sector.