How Businesses Can Prepare For The Implementation of DORA

Financial institutions and IT service providers have just six months to comply with the European Union’s Digital Operational Resilience Act (DORA). Set to apply to businesses from January 17th, 2025, DORA aims to bolster the cybersecurity of European banks, insurers, investment firms and other financial institutions, as well as the third-party vendors that provide them with ICT services.  

To ensure the increasingly digitised European financial services sector can function during a severe cyber attack or IT outage, DORA’s stringent requirements cover ICT and third-party risk management, digital operational resilience testing, cyber incident reporting, threat intelligence sharing and many other areas. It’ll impact not only EU-based firms but also British businesses that supply financial or ICT services to European clients. So, how can companies prepare for DORA’s implementation? 

Preparing for DORA

As businesses prepare for DORA’s introduction and look to ensure compliance, they should take time to understand its key requirements and how these will impact their day-to-day operations and activities.  

Rayna Stamboliyska, CEO of foresight-driven strategists RS Strategy, says there are two important aspects for businesses to consider here. The first is to achieve operational resilience by identifying and addressing risks using threat-led penetration testing. Secondly, businesses need to ensure that all their contracts and partnerships meet DORA’s requirements as part of a thorough third-party risk management process.  

She tells ISMS.online: “Then, you can set forth a reasonable and structured approach to aligning with DORA and letting your customers and partners know you are on the path to compliance.” 

Another key step is implementing DORA compliance policies for every security tool used across the business, according to Crystal Morin, a cybersecurity strategist at cloud security firm Sysdig. Doing so will enable firms to check their cybersecurity and IT stacks for policy issues, she says.  

She also recommends that businesses adopt Infrastructure-as-code (IaC) and policy-as-code (PaC) for codifying their management and compliance requirements, which will help streamline the compliance process. 

Morin explains: “As-code artefacts are defensible and can be used during regulatory, risk, and audit reviews. Furthermore, these artefacts scale easily and maintain consistency across environments.” 

Managing IT Risk

To meet their DORA obligations, businesses must develop and implement a robust IT risk management strategy. This strategy should comprise policies, procedures, and tools for managing all areas of risk, including governance, monitoring, and reporting, argues Graham Thomson, chief information security officer at law firm Irwin Mitchell. “The framework should align with your business strategy and objectives, and it should be regularly reviewed and updated,” he says.  

In the event of a serious incident affecting IT system continuity, integrity, security or availability, businesses will need to report it to the relevant authorities under DORA. Thomson says this requires them to establish a dedicated reporting process using a “standardised format” that complies with the “specific timeframes and thresholds” of each authority.

To identify and mitigate technical faults, Thomson urges businesses to test their IT systems regularly using vulnerability scans, penetration tests, continuous cloud security posture management and scenario-based red teams. He adds: “Document the results and take action to fix any weaknesses.”

As a final step of DORA preparation, Thomson recommends that businesses perform thorough due diligence on their third-party IT service providers to identify and manage outside risk factors. He adds: “Ensure your contracts include important rights like access, inspection, and data protection.”

The Impact On UK Businesses

Despite the UK leaving the European Union in 2020, many British businesses will be impacted by the introduction of DORA and, consequently, must take steps to comply with the new law ahead of the January 2025 deadline.  

Stamboliyska of RS Strategy explains that any UK-based businesses that offer financial or critical information and communication technology services to customers located in the EU will need to abide by DORA requirements. 

Ignoring these regulatory commitments could result in significant financial and reputational damage for UK businesses operating in the EU. “Failing to comply with DORA will cost 1% of your daily turnover for up to six months,” continues Stamboliyska. “And as usual with sanctions, should you be subject to one, it would also hamper your access to the EU market and your business reputation.”

She says UK businesses will demonstrate their commitment to “robust security and operational resilience” by adhering to DORA. This will help them attract more clients and partners in the EU, increasing their “overall market competitiveness”. 

In addition to fines imposed on the business as a whole, individuals who fail to comply with DORA may also be found liable. Sean Wright, application security lead at Featurespace, explains: “This is a significant difference from other such regulations, where individuals as well as the organisation can be accountable for non-compliance.”

Anticipating large numbers of British businesses being affected by DORA in the coming months, Morin of Sysdig calls on them to begin planning as a matter of urgency. A big part of this is evaluating their client bases, supply chains and any other business relationships to find areas of risk within DORA’s jurisdiction. She adds: “Furthermore, they must keep DORA regulations in mind as their business operations and clientele develop over time.” 

The Role Of Frameworks

While complying with DORA may be a daunting prospect for many businesses, industry frameworks like ISO 27001 provide a baseline from which they can understand and manage cyber risk. 

Marc Lueck, CISO of EMEA at IT security firm Zscaler, explains: “Frameworks like ISO 27001 are a great start to match requirements with the new regulation, as they demonstrate that some of the basic controls are already in place, like providing connectivity into core systems.” 

In addition to implementing a professional cybersecurity framework as part of DORA compliance, Lueck advises complementing it with a zero-trust approach. He explains that this would help businesses assess and measure third-party risks.  

Martin Greenfield, CEO of cybersecurity continuous controls monitoring platform Quod Orbis, agrees that ISO 27001 and similar frameworks provide businesses with “a solid base” for addressing their IT risks and following the DORA requirements.  

However, he notes how DORA “introduces additional elements” around third-party risk, and he says businesses should compare ISO practices with DORA requirements if they plan on using them together. “This analysis should pay particular attention to the third-party risk management aspects, as this is where significant differences may lie,” he says.  

With time quickly running out to prepare for the DORA January 2025 deadline, it’s clear that both European and UK financial firms and ICT providers need to begin understanding and implementing DORA’s stringent requirements if they haven’t already. In light of the CrowdStrike outage that devastated businesses’ IT systems globally, managing third-party ICT risk as part of DORA is clearly in the best interest of all companies and not simply a tick-box exercise.