Pioneering global cyber security and investigations consultancy S-RM has identified five critical steps for financial institutions and their ICT providers to achieve compliance with the Digital Operational Resilience Act (DORA), which will enter into force from 17 January 2025.

DORA establishes an EU-wide oversight framework designed to ensure the financial sector can withstand severe operational disruptions. Covering over 20,000 entities, including financial institutions, crypto-asset service providers, credit rating agencies, and ICT service providers, the regulation introduces strict requirements for cyber risk management, incident reporting, resilience testing and third-party risk monitoring.

Steps to prepare for DORA

To help organisations prepare for DORA, S-RM recommends the following steps:

  1. Conduct a gap analysis to identify weaknesses against DORA’s requirements and establish a targeted plan to address them
  2. Educate management on their responsibilities under DORA and adopt a top-down approach to cyber security
  3. Test incident preparedness and recovery with key business and IT stakeholders
  4. Ensure readiness to classify and report security incidents to relevant authorities within 24 hours
  5. Update contractual relationships with relevant ICT third parties to include obligations around information security and risk management as well as rights for inspection, access to information and secure exit strategies

Impact of cyber incidents

DORA marks a significant step in aligning cyber security requirements applied to critical national infrastructures across the EU and strengthening the operational resilience of the financial sector and critical ICT providers that support it. It represents both a challenge and an opportunity for the organisations that will be brought within its scope, including those companies headquartered in the UK with service offerings in the EU.

By following these steps, organisations can strongly position themselves to detect cyber threats, limit the impact of cyber incidents and prepare for the requirements that DORA imposes on them.

Cyber security practices

Katherine Kearns, Head of Proactive Cyber Services at S-RM, comments: “While DORA may seem complex, it essentially aggregates and prioritises many of the cyber security practices that financial entities in Europe have already been working towards.”

“By focusing on the actionable steps outlined, organisations can not only meet compliance requirements but also strengthen their overall resilience to cyber threats. At S-RM, we remain committed to helping organisations navigate regulatory hurdles like DORA and build robust cyber resilience across their business.”
