Five key areas to reassess as the clock ticks down to DORA

Written by Darren Thomson, Field CTO EMEAI at Commvault 

It’s becoming a race against time as financial services companies prepare for the EU’s Digital Operational Resilience Act (DORA) before it comes into force on 17th January 2025. Maintaining resilience within the financial industry in the face of severe operational disruption is the overriding goal, and many welcome DORA as a positive step towards a more secure financial landscape. However, ensuring the right measures and processes are in place for compliance is a wide-ranging responsibility, involving multiple stakeholders. Misjudging requirements or not appreciating the scope of the regulations could spell disaster.  

From banking and investment institutions to insurance and pension firms, as well as new and emerging services such as crowdfunding and crypto-asset providers, its reach across the financial sector is all-encompassing. Significantly, DORA’s power extends beyond financial services firms to include their critical third-party service providers, whether for cloud services, data analytics, or any ICT service crucial to infrastructure and operations. These providers will need to ensure they too meet DORA’s stringent resilience standards. And, although DORA isn’t a UK law, its jurisdiction covers any financial entity and ICT provider supplying services to organisations within the EU.  

In a similar vein to GDPR, businesses must adhere to the legislation or expect astronomical fines as high as 2% of global annual revenues for the most serious violations. Anyone hoping that this might be an idle threat should take heed of €4 billion in penalties already extracted by EU regulators for GDPR transgressions over the last five years. Firms that don’t pay close attention to the regulation risk highly damaging consequences, if not total failure.  

So, with less than a year to go, how can organisations make sure they are on the right track, incorporating all the relevant parties in their compliance planning? Here are five key areas that should be reviewed to address avoidable pitfalls, as the clock ticks down:  

  • Leadership buy-in 

DORA makes it clear that the Board of Directors and CEO must possess the necessary knowledge and skills to understand and assess digital risks. The active participation of senior management and commitment to DORA initiatives should have a positive impact throughout an organisation. Therefore, make sure leadership support is visible and leveraged. It will draw attention to DORA’s importance, encouraging managers at all levels to apply resources and urgency to related tasks. Leading by example will help to ensure preparations are thorough and never downgraded. In contrast, companies that border on paying lip service to obligations are more likely to suffer a cyber security breach and then be unable to weather its wide-ranging ramifications.  

  • Review and expand cross-functional input 

Having evident leadership buy-in paves the way for the creation of effective cross-functional teams. It’s essential to regularly meet with experts and stakeholders from key areas such as IT, cybersecurity, compliance, risk, and legal, to ensure successful strategy development and execution. But, it’s also important to involve other business areas that might be vulnerable to cyberattacks such as customer service, marketing, sales and HR. A truly enterprise-wide approach will help build a comprehensive and proactive cybersecurity culture and uncover risks in areas that may previously have been overlooked or downplayed. 

  • Re-evaluate procedures 

Never lose focus on DORA’s main areas: ICT Risk Management and Governance, Incident Response and Reporting, Digital Operational Resilience Testing and Third-Party Risk Management. Identify outstanding gaps in policies, procedures, or technical capabilities. Bring in external expertise and perspectives to validate processes and to avoid complacency. Assess the severity of each identified shortfall and question priority levels. Ensure vulnerabilities and potential failings that could significantly disrupt operations or expose sensitive data are given the most attention. 

  • Empower cybersecurity teams 

Proper adherence to DORA makes cybersecurity a central part of operational strategies. So, make sure that compliance and security teams are empowered with sufficient funding and resources to build strong cyber defences as well as create, test, and re-test incident response plans. By having comprehensive cybersecurity programs in place and, importantly, under regular review, organisations will be in a strong position to align with DORA and defend themselves from cyber criminals – plus respond effectively when an incident or breach occurs. 

  • Stay prepared for legislation updates 

Resilience is a dynamic process and the DORA regulations are likely to reflect this with updates in the not-too-distant future. Organisations that are putting their house in order, by keeping compliance and security resilience under constant scrutiny, will be in a good position to respond to changing legal obligations. Moreover, they will benefit from a proactive, enterprise-wide cybersecurity culture where employees are encouraged to play their part in improving security processes and contributing to robust resilience. 


DORA should be embraced as a valuable opportunity for firms to strengthen their operational resilience and cybersecurity posture. Its framework sets out a clear path to help all manner of financial firms identify and manage ICT risks. This is vital to stay operational during aggressive cyberattacks and disruptions. Furthermore, DORA’s focus on third-party risk management will engender a more robust financial ecosystem, benefiting both firms and consumers. 

About Lisa Baker, Editor 2357 Articles
Lisa Baker is the Editor of Always Finance, and writes about Business, Finance Technology and Healthcare. Lisa is also the owner of Need to See IT Publishing.