The Digital Operational Resilience Act (Regulation (EU) 2022/2554) dramatically increases the cyber security burden of financial services entities operating in the EU. In short, every EU financial entity and their service providers must build and maintain a robust cyber security program that contains key cyber controls prescribed by the Act. In this article we break down the 5 key steps to build and maintain a program for DORA compliance.
What is DORA (The Digital Operational Resilience Act)?
The Digital Operational Resilience Act (DORA) is a new EU regulation aimed at strengthening the IT security of financial entities such as banks, insurance companies and investment firms. DORA harmonizes the rules relating to operational resilience for the financial sector entities and Information and Communication Technology (ICT) third-party service providers. DORA went into effect on January 17, 2025.
What entities must comply with DORA?
DORA applies to 20 different types of financial entities and ICT third-party service providers in the European Union (EU). Some of these include banks, insurance companies, investment firms, stock exchanges and fintech (financial technology) companies.
The EU estimates that DORA requirements may impact over 22,000 businesses. This number does not include the overall impact on ICT service providers, which will be required to adjust their cyber programs to also meet the DORA cyber requirements. While DORA primarily applies to EU organizations, it also affects US-based organizations that provide financial services in the EU or offer third-party services to EU financial services companies.
Entities that are not compliant with DORA’s requirements once the Regulation applies may face severe fines and penalties. Firms that violate DORA’s requirements face fines of up to two percent of their total annual worldwide turnover, and an individual faces a maximum fine of EUR 1,000,000.
What are the key cyber requirements of DORA?
DORA requires financial institutions and their service providers to develop a robust cyber security program that secures the financial information (ICT data) of EU residents. DORA streamlines a variety of EU regulations into a single, cohesive regulatory framework.
DORA Covers Six Key Areas of Cyber Resilience
Cyber Risk Management – Organizations must establish and maintain an IT Risk Management Framework that properly identifies, prioritizes and treats information security risk. A critical focus of DORA is on the risk of Third Party Service Providers (TPSP).
System Testing – DORA compliance requires organizations to continually test operations and systems. These tests include, at a minimum, vulnerability testing and system penetration testing. Covered organizations must also monitor other internal cyber controls for ongoing compliance.
Third Party Risk Management – DORA compliance requires organizations to establish and manage a Third Party Risk Management Program. This program must include ongoing due diligence regarding the cyber risk of third-party service providers. The Regulation also requires organizations to review and potentially update service provider contracts to ensure ongoing DORA compliance across the supply chain.
Cyber Incident Management – DORA compliance requires organizations to develop and maintain an Incident Response and Recovery Program. This includes a complete set of written security policies, procedures and plans that support incident response. According to DORA, organizations must follow specific Standards for the Classification of Cyber Incidents.
Information Sharing – DORA compliance requires organizations to participate in Information Sharing Networks to facilitate cooperation between entities. The United States established similar requirements under the NIST CSF to enhance the security of critical infrastructure. These networks will likely take months to establish.
DORA Compliance Steps
Organizations can follow these 5 key steps to build a cyber security program that addresses DORA requirements while also following key industry best practices. While these steps can often be done in parallel, ideally organizations start with a robust design and move forward to documentation and then implementation.
Step 1: Build a DORA Cyber Control Library
The foundation of any cyber security program is the governance “framework.” A Control Framework is a list of information security and data privacy controls that address all of the key functional areas. For DORA these include, at a minimum:
- Cyber Risk Management
- System Monitoring and Testing
- Incident Response
- Third Party Risk
- Information Sharing
To fully comply with DORA, internal controls must address all of these topic areas based on established industry practices. To fully implement a robust cyber security program, organizations must also consider other key domains such as Access Control, Asset Management, Personnel Security, and Physical Security.
As part of the DORA rollout, the EU will continue to develop a set of Related Technical Standards (“RTS”) that provide greater definition and guidance for the implementation of various cyber controls. The technical standards are likely to follow established industry best practices for cyber security, such as ISO 27002 and the NIST CSF in the United States.
Step 2: Develop DORA Information Security Policies and Procedures
Once organizations have designed their cyber program, the next essential step is building a set of information security policies that address all of the key controls. Information security policies provide a key set of evidence that the organization is implementing a cyber program. In many cases, information security policies are the first set of evidence that auditors will examine. To save time and money, organizations can consider using a template library of Information Security Policies that address all key elements of DORA.
Step 3: Implement an IT Risk Management Program
DORA requires organizations to establish and maintain an IT Risk Management Framework that properly identifies, prioritizes and treats information security risk. Risk assessment requires several key control items, such as establishing a formal “Risk Register” that records common threats and risk events. Once cyber risks are identified, they must be prioritized and then mitigated.
A critical focus of DORA is on the risk of Third Party Service Providers (TPSP). DORA compliance requires organizations to establish and manage a Third Party Risk Management Program. This program must include ongoing due diligence regarding the cyber risk of third-party service providers. The Regulation also requires organizations to review and potentially update service provider contracts to ensure ongoing DORA compliance across the supply chain.
Note: DORA has a special provision for the oversight of Third Parties that are considered “Critical” according to DORA requirements.
Step 4: Track Implementation of Controls
Once your control framework has been established and documented via written information security policies, the next step is to begin implementation. In many organizations, some of the common technical controls, such as a firewall or anti-malware defenses, are already in place.
For any type of compliance effort, information security controls must be validated for effectiveness. For example, an Access Control that requires 2-factor authentication can be validated by examining the system that requires 2FA. Another method would be to test the actual implementation using test accounts.
The bottom line is this: each control in your cyber program should have some form of “evidence” to support its implementation and testing. Controls can be validated internally by a formal audit function, or externally by a qualified third-party auditor.
Step 5: Control Testing, Response and Remediation
Once the cyber program is in place, DORA requires ongoing testing and remediation of any key areas that are out of compliance. As an example, vulnerability scanning software can automatically monitor technical systems for incorrect settings. Security information and event management (SIEM) software automates the task of audit log analysis.
Many controls will still require manual validation. For example, testing physical access control to the organization’s building requires examination and testing in person. A Change Control Procedure can be validated by examining a change log that documents that the key steps have been taken.
A key part of the cyber program in this phase is Incident Response. Incident response is the formal process for identifying possible security problems and handling them according to severity or impact. A complete Incident Response Program is a key part of DORA. Incident response also requires key program components, such as establishing a Computer Emergency Response Team (CERT) and formal intrusion response procedures. All of these controls are part of the comprehensive control framework established in Step 1.
Streamlining DORA Compliance
Organizations that wish to get a jump-start on DORA compliance should consider using a compliance automation tool like ComplianceShield. ComplianceShield is a software program that automates many of the key requirements of DORA. For example:
DORA Compliance Baselines – ComplianceShield offers a pre-built Information Security Control Framework that addresses all key cyber requirements of DORA.
Cyber Risk Assessments – Using the Risk Wizard, ComplianceShield enables organizations to quickly build an ICT Risk management program that complies with key DORA requirements. The Risk Wizard contains example Threat and Risk Event libraries that dramatically simplify formal risk assessment.
Ongoing Compliance Assessment – ComplianceShield enables management to have a clear view of the organization’s compliance posture at any moment. The software enables documentation, tracking and validation of each control. Control compliance evidence is encrypted and stored to validate controls and streamline DORA audits.
Third Party Vendor Oversight – ComplianceShield offers a complete Vendor Risk Management Program. Organizations can quickly define, document and implement a TPRM using pre-built policies, vendor assessments and third party assessment automation.
Incident Response and Recovery – ComplianceShield supports Incident Response tracking and resolution, including an Incident Response Policy template and a related Incident Response Procedure.
A free trial of ComplianceShield is available for any organization that must comply with DORA.