By Jakub Lewandowski, Associate General Counsel EMEA at Commvault
With the EU’s Digital Operational Resilience Act (DORA) now in force, organisations – including many in the UK – are under direct pressure to comply. However, compliance isn’t as black and white as it sounds. The technical standards that organisations need in order to understand DORA’s obligations in detail (the regulatory and implementing technical standards, or RTS and ITS) were not all finalised in time, meaning that many IT teams have had to make an educated guess about what they must do to avoid a regulatory breach.
To recap, DORA requires financial entities in the European Union (and affects UK firms that serve EU financial entities, whether as customers, counterparties or ICT service providers) to adopt a range of measures to improve cyber resilience. It establishes a harmonised regulatory framework across the EU covering ICT risk management, incident reporting, digital operational resilience testing, and third-party risk oversight. According to PwC, it impacts more than 22,000 banks and insurance companies and is “unique in introducing a Union-wide Oversight Framework on critical ICT third-party providers.”
Even with some of the detail still unsettled, DORA will significantly increase the compliance workload for businesses and their third-party ICT suppliers across the finance ecosystem. Adding to the challenge is that many organisations already struggle to manage complex digital ecosystems, deal with legacy technology, and oversee third-party relationships. As a result, achieving and maintaining compliance with DORA demands a strategic, well-resourced approach to cybersecurity and operational resilience.
Five foundations to ensure compliance
For those organisations – and there will be many – who have yet to fully understand the implications of DORA and their associated responsibilities, it’s now essential to address a range of foundational requirements.
Understand DORA’s scope and assess current risk levels
Organisations must determine whether they fall within the scope of DORA and, if they do, fully understand its requirements, including ICT risk management, incident reporting, resilience testing, and third-party oversight. This process should be backed by a comprehensive risk assessment to identify, document, and manage all ICT-related risks.
Enhance security and operational resilience
Armed with this insight, organisations are much better placed to implement robust security measures based on recognised best practices (e.g., NIST CSF) for risk identification, prevention, detection, response, and recovery.
This is particularly important for organisations adopting a Minimum Viable Company (MVC) approach, in which they identify the critical set of applications, assets, processes, and people required to keep the business running at a minimum level. This maps closely to DORA’s own concept of “critical or important functions”, which must be identified and protected. When organisations can’t meet their MVC requirements, the implications can be devastating. What, for example, is the cost of a minute, hour, or day of MVC downtime? What are the potential customer, reputational, and regulatory implications? Ensuring resilience means protecting these essential functions against disruption, making MVC considerations a key component of DORA compliance efforts.
Develop an incident response and reporting framework
To minimise the impact of ICT-related incidents, whether caused by a security breach or by an operational failure, DORA also requires organisations to develop an incident response plan. This should address a range of priorities, including establishing clear roles, responsibilities, and communication protocols backed by effective training. Additionally, DORA mandates timely reporting of major ICT-related incidents to the competent authority, in stages (initial notification, intermediate report, final report) and against defined deadlines, so companies must develop efficient mechanisms for classifying incidents, collecting the required information and submitting reports, while maintaining audit-ready documentation.
Manage third-party risks and strengthen governance
Given the ubiquitous reliance on third-party technology providers, organisations must conduct due diligence, enforce compliance with ICT risk management standards, maintain a register of information on all contractual arrangements with ICT third-party providers, and include strict contractual terms covering security, incident reporting, audit and access rights, and exit. This should form part of a wider commitment to good governance, in which senior management actively oversees resilience efforts, receives regular risk reports, and ensures alignment with DORA’s regulatory framework.
Foster a resilience culture
Finally, for DORA compliance to hold over the long term, organisations should move beyond processes and technologies to a point where resilience is embedded in their culture. This requires sustained commitment and investment in raising awareness, ongoing employee training, and proactive risk management as part of everyday behaviour. When these capabilities are in place, a strong resilience culture supports continuous improvement and strengthens risk management.
These are essential undertakings, and as PwC puts it, “The strategic and operational challenges raised [by DORA] are complex and require the involvement of several internal functions . . . and more particularly the strong sponsorship of Management in the establishment of an appropriate governance.” However, those organisations that proactively integrate DORA’s requirements into their broader risk management and resilience strategies will not only remain compliant but also stand to significantly improve their operational resilience – an invaluable advantage in a volatile security environment.