DORA compliance: navigating the path to cyber resilience (Part 1)

The Digital Operational Resilience Act (DORA) is set to revolutionise the way financial institutions approach cyber security and risk management. As the threat landscape continues to evolve, with increasingly sophisticated attacks targeting the financial sector, DORA provides a comprehensive framework to bolster operational resilience and protect against ICT disruptions.

While DORA applies from 17 January 2025, forward-thinking financial firms globally are already taking proactive steps to align their strategies with its requirements. By starting now, these organisations are not only ensuring compliance but also gaining a competitive edge in an industry where trust and resilience are paramount.

The five pillars of DORA

To provide a comprehensive framework for digital operational resilience, DORA is built on five key pillars:

  1. ICT Risk Management: Implement a robust framework to identify, assess, and mitigate ICT risks through continuous monitoring and regular reviews.
  2. ICT-Related Incident Reporting: Establish processes for monitoring, classifying, and reporting major ICT-related incidents to the competent authorities, covering both internal and external communication.
  3. Digital Operational Resilience Testing: Test the ICT risk management framework periodically, including Threat Led Penetration Testing (TLPT) for entities designated by their competent authority, to address the highest-risk exposures.
  4. ICT Third-Party Risk Management: Perform thorough due diligence on ICT third-party providers and maintain strong contractual agreements to ensure adherence to high security standards.
  5. Information Sharing: Encourage the exchange of cyber security information and threat intelligence among EU financial institutions to foster a more secure financial infrastructure.

These pillars are supported by Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) drafted by the European Supervisory Authorities, with the second and final batch due for submission by 17 July 2024, further clarifying compliance requirements.

The cost of non-compliance

Failing to meet DORA’s requirements can result in significant financial penalties, reputational damage, and a loss of customer trust. The 2023 Cost of a Data Breach report by the Ponemon Institute[1] found that the average cost of a data breach in the financial sector reached $5.9 million, the second highest among all industries.

The same study found that organisations with high levels of non-compliance with regulations incurred an average breach cost 12.6% above the overall average.

These findings underscore the critical importance of proactive cyber resilience measures in today’s evolving threat landscape. Prioritising DORA compliance is not only essential for mitigating the risk of financial and reputational damage but also for demonstrating your organisation’s commitment to safeguarding sensitive customer data and maintaining operational resilience.

It’s important to note that DORA’s impact extends beyond the EU. It affects any organisation, including those in the US, that offers financial services within the EU or provides ICT services to EU financial entities, since those entities must flow DORA’s contractual and oversight requirements down to their third-party providers. This broad scope underscores the global significance of DORA compliance.

Overcoming common challenges

Resource constraints and skills shortage

Implementing DORA compliance can be a complex and resource-intensive endeavour, presenting CISOs and business leaders with a range of challenges. One primary hurdle is resource constraints, particularly in light of the global cyber security skills shortage. ISC2 estimates the global cyber security workforce gap at approximately 4 million professionals[2]. This shortage significantly limits an organisation’s ability to staff compliance efforts adequately.

Compliance initiatives often require substantial investments in technology, personnel, and training. Financial institutions may need to upgrade legacy systems, implement new security tools, and provide additional training for staff, all while competing for scarce talent and balancing other business priorities.

Technology and infrastructure challenges

Managing complex IT environments is a further challenge. Legacy systems and disparate technology stacks hinder efforts to gain a comprehensive view of your organisation’s compliance posture and risk landscape. Integrating DORA requirements into existing processes and systems requires careful planning and execution, which can be time-consuming and potentially disruptive to ongoing operations.

Evolving regulatory landscape

CISOs and business leaders must also contend with a constantly evolving regulatory landscape. Compliance strategies need to stay agile enough to accommodate new guidelines and supervisory expectations as the technical standards that flesh out DORA’s requirements are finalised and revised over time.

The ITC advantage

To overcome these challenges and achieve DORA compliance efficiently and effectively, partnering with a trusted cyber security provider like ITC can be invaluable. ITC’s capabilities and specialisations are well matched to the work involved.

As a Microsoft Solutions Partner with advanced specialisations in Cloud Security, Threat Protection, and Identity and Access Management, ITC has the knowledge and experience needed to help financial institutions navigate the complexities of DORA compliance. These specialisations demonstrate our commitment to delivering solutions that align with Microsoft’s rigorous standards and industry best practices.

ITC’s integrated delivery model is a key differentiator, combining advisory, technical, and managed services to provide end-to-end support throughout the compliance journey: from initial assessments and strategy development through implementation to ongoing management.

The path forward

As the DORA compliance deadline approaches, it is crucial for financial institutions globally to take proactive steps to align their strategies and strengthen their cyber resilience. By partnering with a trusted provider like ITC, organisations can navigate the complexities of DORA compliance with confidence and position themselves for long-term success in an ever-evolving threat landscape.

To support your compliance journey, our partners offer comprehensive solutions tailored to meet DORA’s requirements:

  1. Microsoft Product to DORA Regulation Mapping – Guide for Customers: This resource provides valuable insights into how Microsoft’s suite of products aligns with DORA’s mandates.
  2. Comply with Digital Operational Resilience Act (DORA) Requirements with Silverfort: This guide demonstrates how Silverfort’s solutions map to specific DORA articles.

We encourage you to explore these resources for detailed information on how technology can support your compliance efforts.

While the path to DORA compliance presents significant challenges, it also offers an opportunity for financial institutions to strengthen their operational resilience and gain a competitive edge. By understanding the five pillars of DORA, recognising the costs of non-compliance, and addressing common challenges head-on, organisations can position themselves for success in an increasingly digital and interconnected financial landscape.

In the next part of this series, we’ll delve deeper into practical steps for achieving DORA compliance and explore how partnering with a trusted cyber security provider like ITC can streamline this journey, helping you turn regulatory requirements into a strategic advantage.

[1] Ponemon Institute, sponsored by IBM: Cost of a Data Breach Report 2023

[2] ISC2: Cybersecurity Workforce Study 2023