The Key Steps to Ensuring DORA Compliance

By Alasdair Anderson, VP of EMEA at Protegrity.

  • 3 days ago Posted in

As we approach 2025, financial institutions across the EU face the challenge of complying with the Digital Operational Resilience Act (DORA), which is set to take effect on the 17th of January. DORA is focused on strengthening cybersecurity and operational resilience across financial ecosystems, with the consequences for non-compliance ranging from regulatory fines to reputational damage and an increased risk of cyberattacks. However, while leaders must go beyond internal systems, addressing risks across their third-party vendors and ecosystems whilst balancing budgets and tight deadlines, DORA compliance can be simplified – and offer new business opportunities.

 

Addressing Third-Party Risks

Financial institutions – including third-party ICT Service Providers like cloud vendors and data centres – must evaluate their DORA readiness. Historically, third-party vendors have not had to shoulder as much regulatory pressure, often shifting the burden of breaches back onto the institutions they serve. For example, third-party cloud providers have previously been able to avoid disclosing their cybersecurity measures, leaving organisations at risk of violating their own policies. Third-party risks such as these have led to high-profile data breaches across 2024, notably, the Santander hack earlier this year, and the recent Finastra breach, which provide examples of underscoring vulnerabilities in financial ecosystems. Third party risk can often lead to a single point of failure which can disrupt an entire financial ecosystem. Alongside the consequences of regulatory fines and reputational damage, single points of failure can also incur extensive costs for institutions due to downtime and reparations.

 

DORA aims to harmonise security standards across the financial sector to mitigate the risk of third-party breaches. It also aims to enhance resiliency in everyday operations to reduce the risk of single points of failure, by requiring businesses to plan and be prepared for such events. These requirements to amend risk assessments, policies, and perhaps entire IT infrastructures, will extend beyond EU borders: affecting all organisations providing services to EU-based entities.

 

To ensure DORA compliance, organisations can begin by building third-party risk monitoring and management into its risk management strategy. Opting for a zero-trust framework, which assumes that every identity and device is a threat, and deploying privacy-enhancing technologies (PETs) such as tokenisation and encryption will help mitigate the risk of third-party breaches. Through anonymising data at rest, in motion, and in transit (for example, whilst being shared), PETs provide an extra layer of defence and ensure sensitive information is protected even in the event of a breach. Safe data practices such as these enable organisations to securely back-up their processes and data, further mitigating the risk of single points of failure disrupting an entire ecosystem, and maintaining DORA compliance.

 

Key Steps to Compliance

Preparing for any new regulation and implementing changes in existing IT infrastructures is always a challenge. However, data security tools can help teams create a structured, simple, and effective plan. By following these six key steps, teams can streamline the journey to compliance and drive down operational costs. 

  

Conduct a Gap Analysis

A gap analysis using data protection tools will help companies to review whether existing systems, processes, and risk management measures are aligned with DORA’s requirements. 

  

Develop an Action Plan

Create a detailed plan of action for data security and resiliency. Outline the specific steps the organisation will take to meet DORA’s standards, set realistic deadlines, and allocate responsibilities.

  

Strategically Allocate Resources

Allocate an appropriate budget for upgrading technology, bringing in expert assistance, and providing necessary training for the teams that will be responsible for implementing measures to meet the DORA compliance standards.

  

Engage All Stakeholders

DORA compliance requires collaboration across the whole organisation. Ensure senior management, risk teams, and third-party vendors fully understand their roles.

  

Test, Validate, and Report

Regular testing, such as penetration testing and simulated cyberattacks, will help to identify and address any weaknesses before they turn into real issues. Through enhancing resiliency in everyday operations, organisations mitigate the risks of unexpected denial of service attacks, stress due to business periods, and unexpected natural disasters. Further, reporting on these tests will also demonstrate compliance with DORA.

  

Maintain Ongoing Monitoring

Compliance requires continuous monitoring to keep up with evolving threats and any changes in the regulation. To enhance efficiency over the long term, parts of this process can become automated.

  

By following these steps, organisations can enhance cybersecurity, strengthen operational resilience, and build trust with clients by demonstrating their commitment to safeguarding assets.

  

Unlocking Opportunities with DORA

According to the World Economic Forum, businesses that focus on digital resilience and operational efficiency are likely to be more agile, profitable, and forward-thinking in the future. As such DORA compliance can unlock new horizons, enabling organisations to explore cutting-edge processes and responsibly integrate emerging technologies.

  

For example, one of the world’s largest banks, supporting over 200 million customers across 160 countries, faced the challenge of complying with global privacy regulations while maintaining operational efficiency. Instead of duplicating infrastructure in 130 countries or outsourcing to costly local data processors, the bank implemented a data security platform with privacy-enhancing technologies. This allowed it to protect sensitive customer data globally, comply with regulations, and unlock new use cases like fine-grained marketing and fraud analytics.

   

This example highlights how DORA compliance can drive innovation and unlock new partnerships and data insights. For financial institutions across the EU, DORA offers the chance to strengthen resilience while exploring transformative business opportunities.

 

Confidently Approaching the DORA Deadline

With the January 2025 deadline rapidly approaching, financial institutions across the EU must prioritise compliance to safeguard operations and future advancements. However, ensuring compliance doesn’t have to be complicated, and it can be a strategic opportunity to future-proof operations, strengthen resilience, and drive growth.

By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.
By Oliver Feiler, Head of Global Alliances and Strategic Partnerships EMEA, Nozomi Networks and...