Achieving DORA Compliance
Aerice Consulting
Redefining the way in which Cyber, Regulation & Tech Consulting is delivered and charged. An outcome based consultancy.
As the January 2025 deadline for the Digital Operational Resilience Act (DORA) approaches, organisations are facing several critical challenges from a regulatory compliance standpoint. Before we get into these challenges and what can be done about them, a searching question is why organisations are struggling in the first place. Let's look at some of the causal factors.
Causal Factor 1: Complexity of ICT Infrastructure
Many organisations have highly complex and interconnected ICT infrastructures that are difficult to map and manage comprehensively. DORA requires a detailed understanding of all ICT assets, including their interdependencies and the critical functions they support. The complexity of modern digital systems, often involving multiple layers of technology and third-party services, makes this task daunting. Organisations must also create detailed asset catalogs and perform comprehensive system mappings, which require significant resources and technical expertise.
Causal Factor 2: Stringent Regulatory Requirements
DORA introduces very specific and prescriptive requirements for incident reporting, third-party risk management, and operational resilience testing. These requirements are more detailed and demanding than many organisations have previously encountered, especially regarding the inclusion of third-party providers in resilience testing and the need to regularly assess and mitigate risks. The need to ensure that third-party contracts comply with DORA’s standards adds to the complexity, as organisations must re-negotiate and enforce these agreements within tight timeframes.
Causal Factor 3: Resource Constraints
Implementing DORA's requirements demands substantial financial and human resources. Many organisations are struggling to allocate the necessary budgets for building comprehensive risk management frameworks, conducting regular testing, and ensuring continuous compliance. Additionally, there is often a shortage of skilled personnel, particularly in areas such as cybersecurity and operational resilience testing, which exacerbates the challenge of meeting DORA's demands.
Causal Factor 4: Integration with Existing Systems
Organisations must integrate DORA's requirements with their existing operational processes and systems. This includes aligning DORA's specific requirements with pre-existing regulatory frameworks, such as the UK's operational resilience regime, which may have different or overlapping standards. Harmonising these requirements across different regulatory environments adds another layer of complexity, particularly for organisations operating in multiple jurisdictions.
Causal Factor 5: Evolving Cyber Threat Landscape
The ever-evolving nature of cyber threats adds further challenges and is not to be underestimated. DORA requires organisations to continuously monitor and adapt their cybersecurity measures to address new vulnerabilities. This necessitates ongoing updates to risk management strategies and resilience testing protocols, making compliance a moving target that requires constant vigilance and adaptation.
By its very nature, DORA is designed to ensure that financial entities are not just compliant but are also fundamentally resilient against operational disruptions, particularly in the face of increasingly sophisticated cyber threats and complex digital ecosystems. The regulation’s high standards and broad scope reflect the critical importance of operational resilience, especially in today’s digital economy, but they also impose significant demands on the organisations that must comply with them.
Having reviewed the main causal factors behind the challenges organisations face, let's look more closely at the challenges themselves.

1. Comprehensive ICT Risk Management
One of the biggest hurdles is developing a robust ICT risk management framework that aligns with DORA’s detailed requirements. This includes system mapping, asset cataloging, and conducting business impact assessments. Many organisations are struggling to allocate sufficient resources and budgets to these tasks, which are essential for identifying and managing ICT risks effectively.
2. Third-Party Risk Management
Managing the risks associated with third-party ICT providers, especially those designated as critical, presents another significant challenge. Organisations must regularly review and enforce compliance in their contracts with third-party providers, ensuring they meet DORA's rigorous standards. This includes addressing concentration risk (several critical functions depending on a single provider) and ensuring that third-party vendors are integrated into resilience testing programmes.
3. Incident Reporting and Response
Organisations are required to establish sophisticated incident detection and reporting mechanisms. The challenge lies in creating a system that can promptly detect, manage, and report ICT-related security incidents to regulatory authorities. Such a system needs to combine automated detection with manual triage and classification, so that strict reporting timelines and detailed information requirements can be met. Failure to implement these processes could result in severe penalties.
4. Digital Operational Resilience Testing
DORA mandates regular, scenario-based resilience testing, including threat-led penetration testing for critical and important functions. The complexity of including third-party providers in these tests, coupled with the need to remediate vulnerabilities identified through testing, poses substantial operational challenges. Furthermore, there is a shortage of qualified personnel to conduct these tests, which exacerbates the difficulty.
5. Governance and Oversight
Establishing a clear governance structure that includes active involvement from senior management and boards is essential under DORA. This governance framework must ensure that ICT risk management is aligned with the organisation’s risk profile and that it is regularly reviewed and updated. Ensuring this level of oversight and governance across the organisation, while also managing the operational complexities of DORA, is a significant challenge.

These challenges highlight the extensive effort and resources required to comply with DORA by the January 2025 deadline. Organisations that fail to address these areas effectively risk not only regulatory fines but also reputational damage and operational disruptions. So what can organisations do to overcome these challenges and set themselves up to succeed and achieve regulatory compliance? To assist organisations in effectively implementing and embedding the changes required by DORA into their business and operational culture, the following strategies can be highly beneficial.

Strategy 1: Start with a Comprehensive Roadmap
Develop a detailed implementation roadmap that outlines each phase of DORA compliance, from risk assessments to testing and reporting. This roadmap should include clear milestones, responsibilities, and timelines to ensure that all aspects of DORA are addressed systematically. It’s important to prioritise areas that pose the greatest risk or are most complex, ensuring they receive adequate attention early in the process. The lower-level plans that drop out from this should also include the skills and expertise required to deliver, especially those that the organisation doesn’t have internally and will need to bring in from external sources.
Strategy 2: Engage Leadership and Ensure Robust Governance
Active involvement from senior management and the board is crucial. This includes ensuring that leadership understands the importance of DORA and is committed to embedding its principles into the organisational culture. Establishing strong governance structures will help ensure ongoing oversight, regular reviews, and updates to ICT risk management practices, aligning them with the organisation’s overall risk profile.
Strategy 3: Allocate Adequate Resources
Ensure that sufficient financial, human, and technological resources are allocated to meet DORA’s requirements. This includes investing in skilled personnel, particularly in areas like cybersecurity, incident management, and resilience testing. If in-house expertise is lacking, consider partnering with managed service providers or consulting firms that specialise in DORA compliance, cyber security and regulatory change.
Strategy 4: Focus on Third-Party Risk Management
Given the critical role that third-party ICT providers play, organisations should implement a robust third-party risk management framework. This involves conducting thorough due diligence, ensuring contracts are compliant with DORA, and regularly reviewing third-party performance. Developing a multi-vendor strategy can also help mitigate concentration risks.
Strategy 5: Promote a Culture of Continuous Improvement
Embedding DORA into the organisational culture requires a shift from viewing compliance as a one-time task to adopting a mindset of continuous improvement. Regular training and awareness programmes can help employees at all levels understand their roles in maintaining operational resilience. Encourage feedback and make adjustments based on the outcomes of resilience tests and incident reports.
Strategy 6: Leverage Technology and Automation
Utilise technology solutions to streamline compliance processes, such as automated incident detection and reporting systems, and tools for continuous monitoring of ICT risks. Automation can also help maintain an up-to-date asset inventory, including the dependencies between assets and the critical functions they support, and ensure that systems are tested regularly.
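As an added illustration (not code from the original article or from Aerice Consulting) of the kind of automation that supports the asset mapping discussed under Causal Factor 1 and the concentration risk discussed under Strategy 4: the script below takes a constructed, hypothetical asset catalogue, resolves the transitive dependencies of each critical function, and lists the third-party providers whose failure would affect several critical functions at once. All asset, provider and function names are invented for the example; a real catalogue would be exported from a CMDB or asset-discovery tool.

```python
"""Added illustration: map ICT assets to the critical functions they support
and surface third-party concentration risk from a constructed asset catalogue.
All names below are hypothetical and not taken from any real entity."""

from collections import defaultdict

# Constructed asset catalogue (hypothetical): asset -> (owner, direct dependencies).
# owner is "internal" or the name of a third-party ICT provider.
ASSETS = {
    "payments-api":    ("internal", ["core-db", "auth-service", "msg-queue"]),
    "customer-portal": ("internal", ["auth-service", "cdn", "payments-api"]),
    "trade-engine":    ("internal", ["core-db", "market-feed"]),
    "auth-service":    ("internal", ["idp-saas"]),
    "core-db":         ("CloudCo", []),
    "msg-queue":       ("CloudCo", []),
    "cdn":             ("EdgeNet", []),
    "idp-saas":        ("IdentityCorp", []),
    "market-feed":     ("DataVend", []),
}

# Critical or important functions and the assets that directly deliver them (hypothetical).
CRITICAL_FUNCTIONS = {
    "Retail payments": ["payments-api"],
    "Online banking":  ["customer-portal"],
    "Trading":         ["trade-engine"],
}


def transitive_dependencies(asset, catalogue=ASSETS):
    """Return every asset reachable from `asset`, including itself.
    Iterative depth-first search with a visited set, so cyclic dependencies terminate.
    A dependency that is referenced but not catalogued is a gap in the inventory
    and is reported as an error rather than silently ignored."""
    seen, stack = set(), [asset]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        if current not in catalogue:
            raise KeyError(f"asset {current!r} is referenced but not catalogued")
        seen.add(current)
        stack.extend(catalogue[current][1])
    return seen


def providers_per_function(functions=CRITICAL_FUNCTIONS, catalogue=ASSETS):
    """Map each critical function to the set of third-party providers it
    ultimately relies on, through any depth of internal dependencies."""
    result = {}
    for function, entry_assets in functions.items():
        providers = set()
        for entry in entry_assets:
            for dep in transitive_dependencies(entry, catalogue):
                owner = catalogue[dep][0]
                if owner != "internal":
                    providers.add(owner)
        result[function] = providers
    return result


def concentration_risks(functions=CRITICAL_FUNCTIONS, catalogue=ASSETS, threshold=2):
    """Providers whose outage would affect at least `threshold` critical functions,
    as (provider, sorted function names), most widely relied-upon first."""
    hits = defaultdict(set)
    for function, providers in providers_per_function(functions, catalogue).items():
        for provider in providers:
            hits[provider].add(function)
    flagged = [(p, sorted(f)) for p, f in hits.items() if len(f) >= threshold]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for function, providers in providers_per_function().items():
        print(f"{function}: relies on {sorted(providers)}")
    for provider, functions in concentration_risks():
        print(f"CONCENTRATION RISK: {provider} underpins {functions}")
```

In the constructed data, CloudCo underpins all three critical functions and IdentityCorp two, so both are flagged; EdgeNet and DataVend each support a single function and are not. The uncatalogued-dependency check matters in practice: a mapping exercise that silently skips unknown assets will understate third-party exposure.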
Strategy 7: Regular Testing and Review
Conduct regular scenario-based testing, including threat-led penetration testing, to ensure that your systems are resilient against potential threats. Use the results of these tests to refine and strengthen your ICT security measures. Regular reviews of your compliance status, guided by the latest regulatory updates and best practices, are essential to staying ahead of potential issues.
By following these strategies and implementing regulatory change the Aerice Consulting way, organisations can better align with DORA’s requirements and embed operational resilience into their core business practices, ultimately safeguarding their operations against the risks that the regulation aims to mitigate.
For more information contact:
Dev Sharma – Aerice Consulting