The Five Pillars of DORA: What They Mean and How to Comply

In recent years, European banks have faced significant disruptions due to high-profile ICT outages. These incidents have revealed critical vulnerabilities and underscored the need for stronger operational resilience within the financial sector. Often, board members and senior managers have been unaware of the substantial ICT risks their institutions face, putting their stability at risk.

To address these challenges and increase the stability, security and competitiveness of Europe’s financial sector, the European Council has introduced the Digital Operational Resilience Act (DORA). This act consolidates and harmonises existing regulations, providing a comprehensive framework to manage ICT risks effectively.

DORA is designed to ensure financial institutions can withstand, respond to, and recover from all types of ICT-related disruptions. Effective from 17 January 2025, the regulation mandates that financial institutions — such as banks, insurance companies, investment firms, and third-party service providers — adopt rigorous measures to prevent and mitigate cyber threats, and demonstrate that they can endure, respond to, and recover from any ICT-related disruption.

The Five Pillars of DORA

DORA is structured around five key pillars that lay out requirements and expectations for different aspects of operational resilience. Here is an overview of these pillars and how we can assist you in meeting the requirements of each:


Areas of our portfolio that can assist you with meeting DORA compliance.

1. ICT Risk Management

This pillar mandates that financial entities implement comprehensive frameworks to identify, assess, manage, and mitigate ICT-related risks. It encompasses risk management strategies, policies, and procedures to protect against potential threats.

How we can help:

  • Our award-winning business continuity and ICT service continuity consultants cover the full life cycle of business continuity management and can conduct Current State Assessments (CSAs) and Business Impact Analyses (BIAs) to identify critical assets and vulnerabilities
  • Our cyber security specialists can work with you to implement ISMS frameworks to ensure systematic management of information security, adhere to technical security standards and conduct cloud security and cyber security reviews to evaluate and enhance security measures in cloud environments and across digital assets
  • Expert penetration testers can help you to stay ahead of cyber threats while mitigating potential risks before they turn into security breaches with our range of penetration testing services

2. Incident Reporting

Financial entities are required to establish mechanisms for the timely reporting of significant ICT-related incidents to regulatory authorities, including detailed documentation and analysis of incidents to prevent future occurrences.

How we can help:

  • 24/7/365 incident response provides immediate action to contain and resolve security breaches
  • Our managed detection and response (MDR) portfolio offers continuous monitoring and threat detection to quickly identify and address potential threats, and our fully managed security operations centre (SOC) delivers round-the-clock surveillance and incident management
  • For organisations that don’t have an in-house cyber security function, our virtual Chief Information Security Officer (vCISO) ensures expert guidance and oversight, helping you to navigate regulatory compliance and effectively manage and report incidents in line with DORA’s reporting requirements

3. Digital Operational Resilience Testing

Regular testing of ICT systems is mandated to ensure resilience. This includes advanced testing methodologies such as Threat-Led Penetration Testing (TLPT) to identify and address system weaknesses.

How we can help:

  • Expert testing and exercising ensure that your systems are regularly evaluated for resilience against cyber threats
  • Purple team testing combines the strengths of both offensive and defensive security teams to simulate real-world attack scenarios and improve response strategies
  • Work area recovery ensures operations continue during disruptions, and disaster recovery planning restores critical systems and data
  • Data protection and recovery solutions ensure that your sensitive information is safeguarded and quickly restored

4. Third-Party Risk Management

Financial entities must have stringent oversight over their third-party ICT service providers, including contractual obligations, performance monitoring, and exit strategies to manage third-party risks.

How we can help:

  • Our multi-award-winning business continuity management software, Shadow-Planner, helps you develop and maintain resilient business continuity management plans
  • BIA consultancy provides expert analysis of potential risks to critical business functions
  • Our supply chain review evaluates the resilience and security of third-party vendors to reduce supply chain vulnerabilities

5. Information Sharing

The final pillar, information sharing, promotes a collaborative approach to managing cyber threats, ensuring that financial entities can collectively enhance their defences and respond more effectively to incidents.

How we can help:

  • Our cyber incident response reporting ensures timely and accurate reporting of cyber incidents
  • We help foster a collective response to cyber threats, enabling proactive measures to mitigate risks and enhance digital operational resilience
  • There is no need for media training: we can communicate for you in a calm, clear and empathetic way

Conclusion

Achieving DORA compliance is a comprehensive endeavour that requires proactive planning, robust implementation, and ongoing monitoring.

No matter what stage you are at on your DORA readiness journey, we have the expertise, tools, and experience to guide you seamlessly from start to finish. Our qualified operational resilience and cyber security experts have helped numerous businesses in the financial services sector implement robust frameworks to improve, document and test their DORA preparations, ahead of the January 2025 deadline.

The official text of the regulation can be found here.
