Countdown to DORA

Four months to compliance: are you ready?

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, applies from 17 January 2025, just four months away. It introduces harmonised digital resilience requirements for financial entities across the European Union, covering ICT risk management, ICT incident reporting, resilience testing, and the management of ICT third-party risk. Businesses that fail to comply could face significant operational, financial, and reputational consequences.

As the deadline approaches, companies must address key areas to meet the new regulations. Below, we outline the main challenges and what businesses should do to ensure they are ready for DORA.
Challenges for Businesses
While DORA is designed to protect financial systems, implementing these changes presents several hurdles for organisations:

  • Complex ICT Structures
Many financial institutions operate with layered ICT infrastructures that combine legacy systems, modern cloud services, and external vendors. Mapping the risks associated with each layer is no small task. Companies will need to inventory their entire ICT landscape, including the business functions each system supports and the dependencies between them, to identify weak points and vulnerabilities before they can build a robust risk management framework.

  • Third-Party Providers
A significant aspect of DORA is the management of ICT third-party risk: a financial entity remains responsible for the resilience of the functions it outsources. This means businesses must revise contracts to include the provisions DORA requires (such as service level descriptions, audit and access rights, support during ICT incidents, and exit arrangements), increase monitoring, and maintain a register of information covering all contractual arrangements with ICT providers, with particular attention to those supporting critical or important functions. For companies working with many vendors, this is a time-intensive process requiring careful coordination.

  • Resource Constraints
Achieving compliance with DORA requires investment in systems, tools, and skilled professionals. Smaller companies and fintechs may struggle to meet these demands because of budget limitations or a lack of in-house expertise. Hiring cybersecurity and risk management professionals is also becoming harder, given the talent shortages in these areas.

  • Rigorous Testing Requirements
DORA requires a digital operational resilience testing programme, with all ICT systems supporting critical or important functions tested at least yearly using methods such as vulnerability assessments, scenario-based tests, penetration tests, and tests of response and recovery plans. Financial entities identified by their competent authority must additionally carry out threat-led penetration testing (TLPT) at least every three years. Many organisations have little prior experience with such exercises and may lack the tools or expertise to conduct them effectively, so they will need to prioritise building the capability to support these ongoing evaluations.

Steps to Achieve DORA Compliance
With the deadline approaching fast, companies must act quickly to meet DORA's requirements. Here are the steps your organisation should take to prepare:
1. Perform or Update Your ICT Risk Assessment
The first step is to evaluate your current digital resilience thoroughly. Identify the gaps between your ICT risk management practices and DORA's requirements, and assess the effectiveness of your existing incident response and business continuity plans. The output should be a prioritised list of the areas where improvements are needed to comply with DORA.
2. Create a Digital Operational Resilience Strategy
Develop a comprehensive strategy that outlines your approach to achieving digital operational resilience. This should include your objectives, key performance indicators, and a roadmap for implementing necessary changes. Ensure that this strategy is aligned with DORA’s requirements and integrates with your overall business strategy.
3. Strengthen ICT Risk Management
Ensure that your ICT risk management framework is well defined and covers the full cycle, from identifying and classifying ICT assets and their risks to addressing vulnerabilities. Establish monitoring and logging that detect anomalous activity promptly and record all ICT-related incidents, and define clear processes for responding to incidents swiftly and minimising downtime.
4. Implement Clear Incident Reporting Mechanisms
Under DORA, financial entities must report major ICT-related incidents to their competent authority within specified deadlines, following a three-stage cycle: an initial notification, an intermediate report when the status of the incident changes significantly or new analysis is available, and a final report once the root-cause analysis is complete. Meeting these deadlines first requires a reliable way to classify an incident as major, using the criteria DORA sets out (clients and counterparts affected, duration and service downtime, geographical spread, data losses, criticality of the services affected, and economic impact). Set up internal procedures that define how, when, and to whom incidents are escalated and reported, and train staff so that the process works under pressure.
5. Enhance Third-Party Oversight
Revisit contracts with your third-party providers to ensure they contain the provisions DORA requires. You'll need to regularly assess the risks posed by external partners, prioritising those supporting critical or important functions, and ensure their digital resilience practices meet regulatory requirements. Establish continuous monitoring to verify their ability to deliver critical services without interruption, and keep your register of information on contractual arrangements up to date.
6. Test Your Resilience Frequently
Regular testing is crucial for demonstrating your operational resilience. Conduct cybersecurity drills, business continuity exercises, and recovery simulations, making sure they cover the ICT systems that support your critical or important functions. Cover multiple scenarios, from minor technical glitches to significant disruptions, and feed the findings back into your response plans and risk assessment.

Final Thoughts: Time is of the Essence
The application of DORA will bring significant changes to how the financial services sector approaches digital risk. For many, the act will require a thorough re-evaluation of current practices, particularly around ICT risk management, incident reporting, and third-party oversight.

With only four months left until DORA applies, there is little time to lose. Companies must move swiftly to address potential gaps, build resilience, and meet the compliance requirements. By taking these steps now, organisations will not only avoid penalties but also enhance their ability to withstand the increasingly sophisticated cyber threats of today's digital landscape.

For further advice or support on preparing for DORA, reach out to our team at technology@bdo.com.mt, and we’ll help guide you through the process to ensure your compliance by the deadline.

Is your organisation ready for DORA? Contact us today to discuss how we can assist with your compliance journey.
