The state of DORA readiness

In our webinar, Is anyone ready for DORA?, Shreeji Doshi looked at how well preparations across the sector are going for the full DORA implementation deadline of January 2025. This article summarises the key points and the five aspects of DORA that entities should pay particular attention to. 

The five pillars of DORA 

DORA is structured around five key pillars that collectively address various aspects of digital operational resilience: 

ICT risk management: This pillar emphasises the establishment of a comprehensive ICT risk management framework, which includes governance structures, the implementation of the three lines of defence model, and the active involvement of management in overseeing operational resilience risks. 

Incident response and reporting: DORA seeks to standardise incident reporting across all EU Member States, detailing how incidents should be classified, reported, and managed. A critical requirement under this pillar is the need for a crisis communication strategy, a component often missing in less mature incident management processes. 

Digital operational resilience testing: This pillar outlines expectations for resilience testing programmes, including vulnerability assessments, penetration testing, and threat-led penetration testing (TLPT). It's broadening the scope of TLPT, which was enforced in the banking sector across Member States with the TIBER framework. 

ICT third-party risk management: Building on existing guidelines, DORA introduces more stringent requirements for managing ICT third-party risks. This includes the need for exit strategies for critical providers, assessment of ICT concentration risk, and the inclusion of specific contractual clauses in ICT relationships. 

Information and intelligence sharing: Although not mandatory, this pillar encourages voluntary sharing of cyber threat intelligence among financial entities. The aim is to foster a collaborative approach to identifying and mitigating emerging threats. 

Preparing for compliance: Time for a health check 

As the January 2025 deadline looms, financial entities are urged to assess their readiness for DORA compliance. Many organisations are still in the process of evaluating gaps and defining their compliance roadmaps. The finalisation of the second batch of implementing standards earlier this year has added further clarity to the requirements, particularly in areas such as ICT risk management and incident classification. 

It is now of vital importance that organisations conduct a “DORA health check” to ensure that compliance efforts remain on track. This involves revisiting existing plans and making necessary adjustments based on the latest regulatory texts and standards. Special attention should be given to the classification of ICT-related incidents and the completeness of incident response processes, as these areas are likely to require significant updates. 

Incident notification timelines and final reports  

Organisations will need to reevaluate their ICT incident management processes for two reasons.  

One is the incident notification timeline. If an incident is identified as ‘major,’ the initial notification must be made not later than 24 hours from when the incident is identified. The intermediate report must be filed no later than within 72 hours. Organisations must issue the final report within a month.  

Organisations need to run a tabletop exercise to ensure that they can populate these reports within the timeframes that DORA specifies. Will all the information be readily available? And will the reporting align with the regulatory technical standards (RTS)?  

The second reason lies in the information required for the final report.  

An organisation is expected to submit a lot of ‘loss data’ in its final incident notification. That is, details of what the incident has cost the organisation in terms of downtime, response costs, data and so on. Is the organisation ready to provide this information in the final notification? Only an incident simulation will provide the answer. 

Enforcement and penalties 

One of the most frequently asked questions regarding DORA is what will happen after the compliance deadline passes. While it is difficult to predict the exact nature of enforcement, DORA allows Member States to define their own penalties for non-compliance. These could range from fines and public reprimands to more severe measures, such as withdrawal of authorisation or compensatory damages to clients. 

Competent authorities across the EU are at varying stages of readiness in terms of enforcing DORA, and some are doing more than others to help organisations through their implementation activities. For example, Germany’s BaFin and Malta’s MFSA have been proactive in providing guidance and resources to help organisations achieve compliance. Meanwhile, other Member States are still refining their approaches, indicating a potential disparity in enforcement across the EU. 

The road ahead 

With the final DORA deadline now within sight, financial entities are under pressure to ensure that their operational resilience measures are robust and compliant. The key takeaway from the webinar is clear: organisations should not delay their compliance efforts. Conducting thorough assessments, refining existing processes, and staying informed about regulatory developments will be crucial in navigating the complexities of DORA. 

Achieving DORA compliance is not just about meeting regulatory requirements; it’s about building a resilient operational foundation that can keep pace with digital and technological developments. For those who are still catching up, there is time—but the clock is ticking.