The Digital Operational Resilience Act (DORA) has applied for over two months (since 17 January 2025, after a two-year preparation period), yet some organizations are still unprepared. While the regulation directly binds the financial sector of the European Union (EU), it also reaches US companies that provide services to EU financial firms, including US firms serving their own EU subsidiaries.
This is perhaps the most significant yet underrated aspect of DORA. Not only does it raise the resilience bar for EU financial institutions, it also requires them to manage ICT third-party risk, in the same spirit as the DoD's CMMC but in greater depth and detail. European financial institutions must therefore scrutinize the vendors and partners they work with, while U.S. companies that want to do business with these firms must be able to demonstrate compliance and be prepared for audits. Financial entities must also maintain a Register of Information covering all of their contractual arrangements with ICT third-party providers and submit it to their competent authority, which means providers must be able to supply the metrics and contract data that register requires.
DORA is a prime example of how connected businesses around the world are today and why IT management and service providers must be able to adapt to new security and resilience requirements, no matter what region the regulations come from.
Virtual Chief Information Security Officer at Thrive.
What DORA is and Who it Affects
At a basic level, DORA is an EU regulation that requires financial entities – including banks, insurance companies, and investment firms – to meet specific standards for ICT risk management, incident detection and reporting, recovery, and resilience testing. The purpose of the framework is to protect financial entities against operational disruption from cyber threats that are growing in both number and persistence, including the severe operational impact of distributed denial-of-service (DDoS) attacks and ransomware.
To adhere to DORA’s requirements, EU financial firms must have proactive resilience protocols in place that include advanced risk management frameworks designed for the prevention, detection, and resilience against cyber threats and disruptions.
These organizations are also required to report major ICT-related incidents to their competent authority on a tight schedule: an initial notification within 24 hours of becoming aware of the incident (and within four hours of classifying it as major), followed by an intermediate report and a final report. DORA's third-party provisions flow down through contracts: financial entities must include terms on incident assistance, audit and access rights, and exit strategies in their agreements with ICT providers, so U.S.-based solution and service providers must be able to detect incidents and notify their customers quickly enough for those customers to meet their deadlines.
DORA mandates the analysis, documentation, and management of third-party risks, so it’s critical for financial organizations to be sure that any organization they do business with meets DORA’s standards.
Not complying with DORA can lead to several kinds of penalties, and member states may even provide for criminal penalties. Consequences can be legal, financial, and operational: for ICT third-party providers designated as critical, the Lead Overseer can impose periodic penalty payments of up to 1% of average daily worldwide turnover for up to six months, and national authorities set administrative sanctions for financial entities. Reputational damage to the brand comes on top of all of this.
How to Comply with DORA
DORA compliance will require some organizations to update their existing IT infrastructure, policies, and protocols. When upgrading an IT environment to comply with any regulation, there must be a long-term view. Any plan in place must be sustainable and adaptable to any challenges that may come down the road. Security threats are always evolving, so security protocols and solutions must continuously advance as well.
Improvements and testing of security frameworks should be continuous and ongoing, which turns security into a competitive advantage. Rather than treating compliance as a goal, it becomes the standard. Financial firms and third-party vendors that maintain a continuous focus on cyber threats and preparation are more resilient in a crisis, and better placed to ward off threats, than those who take a different approach.
This strength has a ripple effect in positive outcomes for organizations in terms of data protection, brand reputation, customer satisfaction, and business opportunities. Additionally, organizations who meet DORA compliance and have a security posture of continued readiness and improvement will be more prepared for the next regulatory standards that come down the pike.
For U.S. companies to meet DORA's expectations, they should assess their security and resilience posture against its requirements. Doing so lets them identify weaknesses and build a plan of attack for where to improve, whether that is incident response time or risk management. These assessments should include regular testing of IT environments, such as penetration testing and vulnerability assessments, to pinpoint weaknesses and blind spots.
Digital operational resilience
Comprehensive digital operational resilience, disaster recovery, and business continuity testing helps organizations evaluate whether alternative processes actually work when they switch to secondary methods during a disruption. DORA requires a testing programme that covers critical systems at least annually and, for financial entities identified by their authorities, threat-led penetration testing at least every three years. Documenting these tests, their results, and the protocols to follow when an incident does occur shows that an organization is both compliant and prepared for a crisis.
Another way companies can demonstrate readiness is by maintaining detailed audit trails and automated logging of user and system activity. These records support incident investigation and reporting, and they feed the voluntary exchange of cyber threat information and intelligence that DORA encourages among financial entities, which is particularly valuable for zero-day attacks.
Companies also need monitoring systems in place that enable fast incident detection and response, so that the initial notification for a major incident can go out within DORA's 24-hour window. By running attack and disruption simulations, companies build a game plan for a crisis and learn which preemptive measures will close weaknesses and speed up their response.
U.S. companies providing solutions and services to EU financial firms also need to adhere to DORA regulations pertaining to third-party risk management with their own subcontractors and suppliers in mind. Working with entities that do not live up to DORA’s standards can risk their own compliance status.
Just as an EU financial firm needs assurance that a U.S. service provider is compliant, that U.S. organization needs to keep its own third parties in check. To do this, U.S. providers should audit their subcontractors and look for certifications that show compliance and preparation for any attacks, outages, or disruptions that may come. The key is not only to be compliant but to document that compliance in a form that gives an EU firm confidence.
While the advancement of modern technology leads to improved productivity and efficiency, it also advances the threat levels of cyberattacks, meaning organizations must continue to improve their cyber defenses. This is not just to comply with new regulations such as DORA, but to protect their data and brand reputation.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro