Anthony Long at LRQA outlines five key areas that organisations must focus on if they are to prepare successfully for compliance with the EU’s Digital Operational Resilience Act
As financial organisations in the European Union brace for the implementation of the Digital Operational Resilience Act (DORA) in January 2025, the need to strengthen operational resilience in the face of cyber-threats has never been more critical.
The act is designed to address the growing threat landscape of the financial services sector by laying out a robust regulatory framework for establishing that financial entities can prevent, withstand, recover from, and adapt to ICT-related incidents.
Compliance is more than a checkbox; it is a strategic marker in an evolving cyber-security landscape, and it is essential for financial institutions to fully understand the five key pillars that make up DORA.
1. Risk management and proactive protection
Risk management lies at the heart of DORA’s framework, mandating organisations to take a holistic and proactive view of digital risks. This goes beyond identifying vulnerabilities – companies must assess the full scope of threats, from near-misses and cyber-attacks to operational disruptions, and develop comprehensive mitigation strategies.
At its core, risk management under DORA is about making digital resilience a priority across all levels of an organisation. This means developing the capability to quickly detect and respond to threats while maintaining continuous operational capability, regardless of the severity of the disruption. Financial institutions will need to continually refine their risk management practices to stay ahead of an evolving threat landscape.
Failure to effectively manage these risks can lead to regulatory penalties, financial loss, and reputational damage, underscoring the importance of getting risk management right. Implementing an agile risk management framework that evolves with the organisation’s digital ecosystem is crucial for long-term resilience.
2. Swift response to emerging threats
One of the key requirements of DORA is the establishment of an effective incident management process. It is critical that businesses implement early warning systems capable of identifying cyber-security incidents before they have a chance to escalate. Beyond detection, firms must classify incidents according to severity and supply real-time regulatory notifications.
A well-prepared incident response capability is not only about managing the event itself. It also includes having a structured approach in place for classifying the severity of the incident, so that all incidents can be swiftly reported to the relevant authorities. Under DORA, the speed and accuracy of incident reporting are essential, as they enable broader coordination and systemic risk management across many businesses.
To enable this, many organisations will rely on Security Operations Centres (SOCs) to continuously monitor systems for potential threats. A SOC aids in rapid detection and in executing a coordinated response across multiple teams. By implementing a centralised incident management framework, financial institutions can respond to cyber-events in real time, classify them accurately, and report them in accordance with regulatory requirements.
3. Testing beyond the basics
Under DORA, financial institutions will no longer be able to rely on basic cyber-security testing. The regulation calls for comprehensive and independent testing of an organisation’s digital resilience. This requirement goes beyond vulnerability assessments to include sophisticated intelligence-led strategies such as penetration testing, red teaming (simulated attacks by adversaries), and purple teaming, which involves close collaboration between offensive (red) and defensive (blue) security teams.
One feature of DORA’s approach to resilience testing is the focus on both human and technological elements. In an era where cyber-threats are becoming increasingly sophisticated, having a human-centric testing strategy is critical. By conducting frequent, real-world tests of their systems, financial entities will be better equipped to uncover hidden vulnerabilities and respond effectively under pressure.
These tests are not one-off exercises but must be integrated into the organisation’s ongoing operational processes. Regular testing helps validate the effectiveness of risk controls and identifies weaknesses that can then be promptly addressed, while also reassuring regulators of an organisation’s preparedness.
4. Securing the supply chain
No organisation operates in isolation, especially in today’s highly interconnected digital landscape, and financial institutions frequently rely on third-party providers for critical ICT services. This dependency introduces additional layers of risk. Under DORA, companies are required to incorporate third-party risk management into their overall ICT risk framework, to establish that external service providers meet the same rigorous security standards.
Financial entities must conduct regular risk assessments of their third-party providers, confirming that these vendors have robust security measures in place. This could involve reviewing contracts, conducting audits, and enforcing continuous compliance checks to corroborate that third-party risks are being managed effectively. DORA significantly raises the stakes by bringing third-party ICT providers into the regulatory fold, with a particular focus on those classified as “critical” by European supervisory authorities.
5. Resilience through collaboration
In a sector as vast and interconnected as financial services, information sharing is a powerful tool for enhancing resilience. DORA encourages the exchange of cyber-security threat intelligence among financial institutions, ICT service providers, and regulators. This collaborative approach allows organisations to stay ahead of emerging threats by learning from the experiences of others.
By participating in information-sharing networks, financial institutions can benefit from collective intelligence, gaining insights into potential vulnerabilities or attack patterns before they become direct threats. This proactive sharing of data fosters a more collaborative approach to cyber-security, reducing the overall risk across the industry.
The importance of preparedness
With the deadline to comply with DORA fast approaching, financial institutions must act now to be ready. Each of the five pillars represents a crucial component of a comprehensive operational resilience strategy. Organisations that fail to prepare risk not only penalties from regulators but also exposure to cyber-threats that could have catastrophic consequences.
DORA is not just a regulatory requirement but a blueprint for building a digitally resilient future. Experts, such as those at leading global assurance partner LRQA, can help businesses apply the blueprint and meet compliance. Working with an assurance partner, along with aiding compliance, will also help position businesses to thrive in a world where cyber-threats are only becoming more sophisticated.
As the financial industry gears up for DORA, it is clear that those who proactively embrace these pillars will be better equipped to navigate the challenges of tomorrow’s digital landscape. Now is the time for organisations to assess their readiness, close any gaps, and ensure they are prepared for the regulatory landscape of the future.
Anthony Long is VP, Advisory Consulting at LRQA. For more on how your business can prepare now for DORA, see LRQA.com.
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543