The Digital Operational Resilience Act (DORA) has officially arrived, marking a significant shift in how financial institutions manage their digital resilience. While organizations have spent the past two years meeting compliance deadlines, the real work is only just beginning. Much like the introduction of the General Data Protection Regulation (GDPR), achieving baseline compliance is only the first phase. The ongoing challenge will be embedding resilience into the very fabric of financial operations.
So, what’s next that the January 17 deadline has passed? And what strategic steps should organizations take to turn compliance into a competitive advantage? Let’s explore.
As immediate next steps, the European Supervisory Authorities (ESAs) require the compilation of registers for ICT services to be submitted by national regulators before April 30, 2025. Most national regulators will request firms to submit their registers before this deadline. For example, a recent announcement by the Central Bank of Ireland has called for firms to submit their registers during the window of 1 to 4 April 2025. However, for companies that have now complied with DORA, the future presents an opportunity to strengthen their operational resilience further and enhance their risk management frameworks.
DORA’s origins track back to 2016, when ICT risk management was covered under various fragmented EU laws, such as the Network and Information Systems (NIS) Directive and the European Banking Authority (EBA) outsourcing guidelines. In 2020, the European Commission proposed DORA, recognizing the need for a unified regulation, to strengthen ICT resilience across all financial entities. After extensive discussions, the EU Parliament formally approved the DORA on November 28, 2022. This long-term evolution illustrates a global shift in the management of digital risks with a focus on cyber resilience, risk management, and regulatory oversight.
It’s also important to note that DORA will likely influence compliance standards across other industries, including healthcare, energy, and critical infrastructure. DORA’s principles are highly adaptable and with a focus on proactive risk management and accountability, it is likely to serve as a blueprint for cross-industry regulations.
We’ll be discussing more on this in our upcoming webinar Digital Operational Resilience: Practical Guidance and Insights from Implementations with experts from Advantage Reply and MetricStream. We’ll also be covering key insights on DORA’s early implementation and AI’s potential in building digital resilience.
With compliance pressures easing slightly, organizations have an opportunity to refine their frameworks, reduce inefficiencies, and embed resilience into their operations. Here are some of the key steps they should take:
Conduct a Comprehensive Gap Analysis
Now that the initial compliance rush is over, a deeper gap analysis will help identify vulnerabilities in areas such as incident reporting, third-party risk management, and operational testing.
Key Actions:
Strengthen ICT Risk Management Frameworks
Financial institutions must continue to strengthen ICT risk management with formal processes in place to identify, assess, mitigate, and monitor risks across all critical systems.
Key Actions:
Enhance Incident Reporting Mechanisms
Under DORA, financial institutions will already have mechanisms in place to report ICT-related incidents in a timely and structured manner. Organizations will also need to ensure that they have well-defined escalation procedures and response frameworks.
Key Actions:
Strengthen Third-Party Risk Management
DORA places significant emphasis on third-party risk oversight, particularly for critical ICT service providers such as cloud vendors and cybersecurity partners. Organizations must now ensure their external vendors meet DORA’s stringent resilience requirements.
Key Actions:
Implement Operational Resilience Testing
DORA requires organizations to conduct stress tests and scenario analyses to assess their ability to withstand ICT disruptions. Regular testing will help identify weaknesses before they lead to real-world incidents.
Key Actions:
Invest in Employee Training and Awareness
Financial institutions must ensure employees at all levels understand DORA’s requirements and their role in maintaining digital resilience. A well-informed workforce is crucial for long-term compliance.
Key Actions:
Leverage Technology for Compliance Efficiency
Meeting DORA’s requirements can be time-consuming and complex, but technology can streamline compliance efforts. Organizations should invest in solutions that automate risk assessments, incident reporting, and regulatory monitoring.
Key Actions:
Engage with Industry Groups and Regulators
DORA is just the beginning, and regulatory expectations are expected to evolve. It is beneficial for financial institutions to stay informed and actively engage with regulators and industry groups will be better positioned to navigate future changes.
Key Actions:
The message is clear: Compliance is not the finish line with DORA; it’s the starting point for continuous digital resilience. MetricStream’s CyberGRC product ensures effective collation, management, and utilization of enterprise data followed by accurate measurement and reporting. With MetricStream, your organization is empowered with:
To learn more about how MetricStream can help with digital resilience, request a personalized demo today!
Register for our upcoming webinar: Digital Operational Resilience: Practical Guidance and Insights from Implementations
DORA (the Digital Operational Resilience Act) is an EU regulation that came into full force on January 17, 2025. It applies to financial institutions, including banks, insurers, asset managers, and ICT service providers, requiring them to establish robust ICT risk management, incident reporting, third-party oversight, and operational resilience testing frameworks.
The European Supervisory Authorities require financial institutions to submit registers of ICT services to national regulators by April 30, 2025. For example, the Central Bank of Ireland called for firms to submit their registers between April 1-4, 2025. Organizations must also ensure that incident reporting mechanisms, third-party risk oversight, and resilience testing programs are fully operational.
Before DORA, ICT risk management was fragmented across multiple EU laws, including the NIS Directive and the EBA outsourcing guidelines. DORA replaced these with a single, unified regulation covering all financial entities, establishing consistent standards for ICT risk management, incident classification and reporting, digital resilience testing, and third-party ICT provider oversight.
DORA places significant emphasis on third-party ICT risk, particularly for critical providers like cloud vendors and cybersecurity partners. Organizations must update vendor contracts to include resilience and reporting obligations, conduct regular risk assessments, develop contingency plans for third-party service failures, and integrate third-party risk management into their overall compliance strategy.
Yes. DORA's principles around proactive risk management, continuous monitoring, and organizational accountability are highly adaptable. Experts expect DORA to influence compliance standards in other critical sectors, including healthcare, energy, and critical infrastructure, potentially serving as a blueprint for cross-industry digital resilience regulations.
Subscribe for Latest Updates
Subscribe Now