The CISO’s guide to complying with DORA


I recently attended the Gartner Security & Risk Management Summit in London, where security professionals gathered to share ideas on increasing our collective cyber resilience and, time permitting, stock up on as many free T-shirts as possible. But as I prepared for this summit, I was thinking about the idea of voluntary cybersecurity compliance versus a more aggressive, regulatory approach. And nowhere is this tension more apparent than in the upcoming Digital Operational Resilience Act (DORA). This pivotal piece of legislation in the European Union (EU) is ushering in a new era of cybersecurity. It will mandate that financial institutions and select ICT third-party providers adopt robust cybersecurity measures.

Steve Cobb

Steve Cobb is SecurityScorecard’s CISO.

The goal of DORA

The goal of DORA is to counter the speed and scale of cyber threats, improve the resilience of critical IT infrastructure, and create a unified regulatory framework across the EU. DORA comprises five key pillars that will shape how financial services organizations manage Information and Communication Technology (ICT) and cyber risks: ICT risk management; ICT-related incident reporting; digital operational resilience testing; ICT third-party risk management; and sharing of information and intelligence. Financial entities regulated in the EU, and the ICT third-party providers designated as critical to them, will need to comply.

But many organizations, and their security teams, will face challenges in getting prepared and meeting compliance. Failure to meet these requirements will carry penalties: DORA leaves the sanctions for financial entities to each member state's competent authority, and it allows the Lead Overseer to impose periodic penalty payments of up to 1% of average daily worldwide turnover on critical ICT third-party providers that do not cooperate. Whether it's adding security talent to identify, manage, and remediate risks; testing incident response plans to meet the reporting requirements; or gaining visibility into the ecosystems of their third and fourth parties, now is the time to act.

Though DORA won't apply until January 17, 2025, it calls for a cross-functional strategy with cooperation from more than just IT. Legal, compliance, risk management, and other teams must work alongside the CISO to meet the requirements, and that collaboration is what makes compliance swift and efficient. Over the next 16 months, organizations must prepare for the DORA journey: policies and protocols already in place need refinement, and the goal is clear, to streamline cybersecurity and amplify cyber resilience. With that in mind, security practitioners would benefit from taking the following steps.

Steps to take

Organizations must develop and implement a comprehensive ICT risk management framework as part of their overall risk management system, with a board-approved strategy, documented policies, and defined roles for identifying, protecting against, detecting, responding to, and recovering from ICT risk. Having a platform in place that can help develop, implement, and monitor this framework will help address the regulatory requirements, while cybersecurity ratings can provide a quantitative, data-driven view of your organization's cybersecurity posture over time.

Under DORA, financial institutions are required to classify ICT-related incidents and report major ones to their competent authority, first with an initial notification, then an intermediate report, and finally a final report once root-cause analysis is complete. The reported details should include the number of clients and counterparties affected, the amount of data lost, the geographical spread, the duration and economic impact of the incident, and more. The incident response plan that feeds these reports should also include a detailed description of how employees will respond in the event of a cyberattack, and how operations will be restored if such a breach occurs.

Continuous monitoring of your cybersecurity posture will keep your organization informed of potential risks so that it can quickly address any issues that arise. This includes regularly monitoring and evaluating the security posture of your third-party vendors to identify any changes, such as newly exposed services, expired certificates, or disclosed breaches, that may alter your organization's overall risk profile.

DORA will mandate that third-party risk be managed as an integral component of overall ICT risk: contracts must set out the provider's security, incident-support, and exit obligations, and firms must maintain a register of all their ICT third-party arrangements. As a result, organizations should regularly assess and monitor these relationships, concentrating on the providers that are critical to the supply chain, so that red flags surface early rather than during an incident.

DORA requires relevant entities to regularly test their digital operational resilience, which can include conducting vulnerability assessments, penetration tests, red teaming, tabletop exercises, and more; for the largest firms this extends to threat-led penetration testing (TLPT) against live production systems at least every three years. Staying proactive will help to identify and mitigate potential risks while ensuring business continuity in the event of a cyber incident. It's also worth noting that in addition to DORA, organizations will still need to comply with other pertinent regulations, such as the General Data Protection Regulation (GDPR), which applies throughout the EU and EEA and to organizations elsewhere that process the personal data of people in those countries.


Steve Cobb is SecurityScorecard’s CISO with 25 years of consulting surrounding IT infrastructure, cybersecurity, incident response, and cyber threat intelligence. Previously he was a Senior Security Engineer with Verizon and a Senior Escalation Engineer with Microsoft.