A practical approach to navigating DORA

The deadline for the EU’s DORA is in a few months. Giles Inkson at NetSPI explains how organisations should prepare themselves

As conversations around the EU’s Digital Operational Resilience Act (DORA) intensify, it’s important to note that this regulatory act has already been in effect since December 14th, 2022. The key date, however, that most financial institutions have been working towards is January 17th, 2025, when the core operational requirements of DORA come into play.

With the deadline now just months away, businesses may be feeling the pressure or even uncertain about what’s required.

Despite what the headlines might say, not every organisation will be compliant by this date, but that too can be navigated. Fundamentally, companies should be able to demonstrate substantial progress, showing awareness of any gaps and having a plan in place to close them. 

So, what does ‘substantial progress’ look like in reality? Let’s explore how DORA will impact businesses and some practical strategies for managing the legislative framework more effectively from today.

Keep calm and focus on preparation

Firstly, don’t panic. By the time the DORA deadline arrives, organisations will need to show they have made advances in operational resilience. For example, this includes demonstrating that annual resiliency testing and red teaming practices are in place.

Furthermore, some may be asked to perform a red team exercise aligned with the TIBER framework by their monetary authorities or TCTs. Some organisations might have as much as three years to reach full compliance in this aspect, while others may have this challenge earlier. The best approach is always to gear towards doing this as soon as possible internally and with third parties to be ready for when the time comes.

The priority is to begin preparations now, consult trusted testing partners, and gather relevant threat intelligence as early as possible.

To understand DORA’s potential influence, consider the sweeping changes to data privacy brought by GDPR. While DORA’s immediate impact may not be as profound – financial penalties may be about half of what GDPR incurred – it remains critical in reinforcing ICT processes to enterprise resilience in today’s digital economy. 

Resilience and industry collaboration

Businesses need to continually demonstrate that they are actively conducting tests. These tests must encompass both enabling ICT systems and the entire organisation as an entity, including supply chain and the market it operates in.

This approach not only enhances resilience, but also aligns with DORA’s emphasis on industry-wide knowledge sharing. One of DORA’s key aims is to foster standardised processes and establish a centralised EU reporting hub to streamline the flow of information around significant incidents. This means that if a business, or one of its partners or competitors, identifies suspicious activity, there is a structure in place for sharing insight.

Individual companies contributing to this shared knowledge base will bolster EU-wide situational awareness and harmonisation around real and perceived threats and mitigation activities. 

DORA also brings long-standing initiatives by the ECB, such as TIBER testing and red teaming, into a legal framework that enforces good practices. These are being administered by three monetary authorities (ESAs): EBA, EIOPA and ESMA. It mandates that all financial institutions, including those new to such requirements like crypto exchanges and small wealth management firms, comply with its standards, as well as the big banks and insurers or payment providers.

By developing a rigorous testing framework and engaging in knowledge-sharing initiatives, organisations can meet DORA’s standards while helping to create a more secure and resilient financial ecosystem.

Embrace DORA’s challenges with confidence

While DORA may seem complex and intimidating at first, the reality is though well-structured, it is less complex than previous compliance frameworks. For businesses that lack internal resources or expertise to conduct the required testing, partnering with external providers who offer DORA-compliant testing schemes is a wise approach.

Many companies are already taking positive steps by conducting dry runs and preparatory tests, which are helping organisations get comfortable with the process of these tests.  These efforts can also position them favourably when monetary authorities or TCTs ask them to perform more stringent TIBER tests. This preparatory work encourages organisations to be ready ahead of the compliance deadline.

While time is running out, taking proactive steps now will ensure preparedness by January 2025 – think of it not as hitting the snooze button on the clock, but waking up before the alarm goes off.

Although DORA is mandatory and presents new compliance challenges, it is not an undue burden. In fact, resiliency testing, which is now a core part of DORA, has been shown to deliver significant benefits to organisations that embrace it. By developing a solid testing framework, engaging in knowledge-sharing efforts, and leveraging existing compliance solutions, financial institutions can smoothly navigate DORA’s requirements.

The key is preparation and continuous improvement, starting today, to ensure a successful transition to DORA compliance. 

Giles Inkson is Director of Services EMEA at NetSPI

Main image courtesy of iStockPhoto.com and Dmytro Yarmolin