
The second annual HANFA DORA conference took place on 24 November 2025, in Zagreb, Croatia. This year, the conference focused on the challenges of implementing DORA, and the efforts that HANFA, the Croatian financial services supervisory agency, and the Austrian regulator, the FMA, are making to provide regulatory support and oversight.

Analysis of DORA

This year, Thomas Murray was invited by HANFA to conduct DORA analysis using our Orbit Security tool, and to report our findings on the state of the Croatian financial services market. 

Having undertaken a similar exercise last year, we were able to show a slight increase in the collective external attack surface management of regulated entities – which is a good sign for all involved. Unfortunately, though, it is still slightly below the global average.

This time around, we extended the exercise to include key suppliers and shed some much-needed light on the maturity of IT service providers, in much the same way as we had previously done with the HANFA community. Our findings show that these IT service providers have been performing below the standards of the HANFA community.

Key DORA takeaways from senior figures

In Zagreb, a number of senior business figures sat on a DORA-focused panel, covering pensions, investment managers, and insurance – a cross section of the HANFA community – and they offered up some fascinating insights.

Below is a summary from this panel, as well as of key conference findings from HANFA, the FMA, the Croatian National Cyber Security Centre, and a leading Croatian cybersecurity organisation.

  1. DORA has had a significant impact on business: The size of DORA’s impact on the financial services sector was likened to a shift in accounting standards, shaping the way business operates and requiring significant (but valuable) effort by firms to address DORA’s prescriptive requirements.
  2. Boards are still engaged: Personal accountability is a key consideration for companies, with dashboards and regular reporting of DORA-related KPIs now in place in some organisations.
  3. Concern over third party risk management processes: There is growing concern around the size and scale of efforts to manage third party risk. The impact that conducting reviews on previously non-regulated entities is having, particularly on smaller businesses, is an explicit worry. However, the importance of having a robust process in place to do this is now recognised by most.
  4. Engagement with regulators is high: Both HANFA and the FMA remain highly engaged with their respective communities and are very willing to provide support where required.
  5. Registers of Information (ROI) have been a challenge: The ROI requirement of DORA, and its strict formatting and data structure, has presented a challenge to firms – and the need to improve the quality of submissions next year was a key theme at HANFA.
  6. A clear ongoing commitment to DORA compliance: Complying with DORA is still a priority for business, with the adoption of operational headcounts an obvious sign of this commitment.

Improved oversight of third parties is a priority

The HANFA event highlighted the clear need to improve oversight of third parties. One statistic that brought this home was that approximately 60% of risk incidents in Croatia this year have involved a third party.

Thomas Murray research shows that the Croatian market’s external attack surface requires improvement for both the directly regulated entities and their IT service providers – and there is a clear need for continuous attack surface monitoring within third party risk management frameworks. With personal accountability also a significant concern, board members should trust but verify the robustness of their existing DORA compliance activities.

Thomas Murray's DORA managed services offer enhanced digital operational resilience

We deliver expert-led solutions and comprehensive support for financial institutions navigating DORA compliance. 
