DORA - The Compliance Explorer (1)

Episode 1 - Explore the world of DORA

1/10/2025, 6 min read

What is DORA?

DORA (the Digital Operational Resilience Act) is an EU regulation that applies from 17 January 2025 and establishes a comprehensive framework for digital operational resilience in the financial sector. It aims to ensure that financial entities, ranging from banks to payment processors, can manage and mitigate the risks associated with information and communication technology (ICT).

Why is it important?

Before DORA, risk management regulation for financial institutions in the EU focused primarily on ensuring that firms held enough capital to cover operational risks. While the European Banking Authority had released guidelines on ICT risk management and on ICT third-party management, these guidelines did not apply to all financial entities equally, and they often relied on general principles rather than specific technical standards. In the absence of EU-level ICT risk management rules, member states, including Luxembourg, issued their own requirements (e.g. CSSF 20/750, CSSF 22/806). This patchwork of obligations has proven difficult for financial entities to navigate. DORA addresses these issues by harmonising the approach in five key areas: incident reporting, regular ICT risk assessment, resilience testing, third-party risk management, and a robust governance framework.

The 17th of January is one week away! What challenges do “in scope” firms need to overcome?

Organisations face a strict deadline to comply with DORA, leaving little time for further system upgrades and process implementation. The European Supervisory Authorities (EBA, EIOPA and ESMA, collectively the ESAs) have emphasised that there will be no transitional period beyond 17 January 2025, which underscores the urgency of finalising compliance efforts and puts many organisations under pressure.

Key challenges to be overcome include:
  • Resource constraints and time limits, which will disproportionately impact smaller organizations that may lack the financial and human resources to fully implement DORA requirements, especially for ongoing monitoring and testing.

  • Third-party risk management can be incredibly challenging given the complex relationships and dependencies in the supply chain. Implementing strict due diligence and contract management processes with third-party providers, and regularly assessing their resilience, requires substantial effort, resources and knowledgeable staff, particularly when an entity relies on a large number of ICT providers, as many financial institutions do. DORA further requires organisations to monitor and assess their ICT service providers on an ongoing basis, ensuring they meet the applicable resilience standards.

  • Operational Resilience Testing under DORA poses significant challenges for financial entities, as it demands rigorous assessments to ensure IT systems can withstand, respond to, and recover from disruptions. Resilience testing requires organizations to simulate a wide range of potential disruptions, from cyberattacks to natural disasters. Covering all critical business functions, inter-dependencies, and IT components can be problematic, especially for entities with complex and legacy systems. Testing involves significant time, expertise, and financial investment. Smaller entities may lack the resources to design, execute, and analyze resilience tests effectively, particularly when specialized tools and expertise are needed for scenario creation and simulation. DORA mandates adherence to specific testing methodologies and reporting standards. Organizations must ensure that tests align with regulatory expectations and document findings accurately, which requires a deep understanding of the law and additional administrative effort. Testing must include critical third-party service providers to validate end-to-end resilience. Coordinating and securing participation from these vendors while respecting confidentiality and data-sharing agreements adds complexity.

  • Integration of ICT Risk Management raises challenges as many organizations lack robust frameworks for managing ICT risks, making it difficult to integrate DORA’s risk management requirements. These requirements will force certain organizations to establish or upgrade ICT risk management frameworks to include continuous monitoring, threat detection, and risk assessment.

  • Timely incident reporting to the authorities, as mandated by DORA, will be difficult for organisations with little experience of reporting in near real time. In many cases this will require investment in automated reporting tooling and clear internal protocols (who classifies an incident, who decides that it is reportable, and who notifies the authority) so that notifications go out promptly.

  • Addressing the evolving nature of cyber threats requires organisations to keep pace with attackers to protect themselves while also remaining compliant with the regulation. Testing protocols must be updated frequently to cover emerging threats, and this constant adaptation puts additional pressure on resources and processes.

  • Training and awareness sessions are required for employees who may lack knowledge of DORA and the skills needed to meet its operational resilience requirements. Running regular training programmes and raising awareness of the importance of digital resilience adds to the already long list of tasks that must be performed to meet DORA obligations.

How is DORA approached today?

Depending on their size, financial strength and operational complexity, organisations opt for different strategies to address these challenges: hiring consultants, leveraging a parent organisation's resources, managing compliance fully in-house, or adopting a reactive approach.

  1. Engaging external consultants: What we see is that many organisations engage third-party consultants seeking specialised guidance on DORA compliance. These experts offer tailored solutions, industry best practices, and advanced testing methodologies, such as penetration testing and resilience stress tests. Consultants can expedite the compliance process by deploying pre-existing frameworks and tools. They also reduce the burden on internal teams, allowing organisations to focus on their core operations while ensuring DORA compliance. While effective, this approach can be costly, especially for smaller entities. Additionally, over-reliance on consultants may leave organisations without the necessary internal expertise to manage future resilience requirements independently.

  2. Leveraging the parent company: For subsidiaries within larger corporate groups, drawing on the parent company's resources is a strategic option. Many parent organisations already have well-established operational resilience frameworks that can be extended to their subsidiaries. Centralising DORA compliance at group level reduces costs and ensures consistent application of resilience standards. Subsidiaries benefit from group-level expertise and economies of scale in testing tools, processes, and governance structures. Customisation can be a significant hurdle, however: group-level frameworks may not fully align with local regulatory requirements or with the specific operational risks faced by individual subsidiaries. This approach also requires robust communication and coordination between entities to avoid implementation delays.

  3. Do it entirely in-house: Some organisations prefer to handle DORA compliance altogether internally, investing in the development of their operational resilience frameworks and conducting necessary tests. This approach promotes internal expertise and independence, enabling organisations to tailor resilience measures to their specific needs. It also allows for seamless integration of DORA requirements into existing risk management processes. Developing and implementing an internal resilience strategy requires significant investments in tools, personnel, and training. Organisations must also stay up to date on evolving regulatory requirements, which can be resource-intensive.

  4. Wait and see: A more cautious, but potentially dangerous, strategy involves observing how industry leaders and regulators interpret DORA before taking significant action. Organisations adopting this approach aim to learn from early adopters’ experiences and best practices. This minimises initial expenditures and reduces the risk of over-committing to untested compliance strategies. It allows organisations to benchmark against proven industry practices. Waiting carries significant risks, including regulatory penalties for non-compliance if deadlines are missed. Additionally, this approach can result in rushed implementations, increasing the likelihood of errors and inefficiencies.

What do we recommend?

Organisations face a variety of options for addressing DORA’s challenges. Each approach has distinct benefits and trade-offs, and the optimal choice often depends on factors such as the organization’s size, resources, and operational complexity. While hiring consultants offers specialized expertise, leveraging a parent company’s resources provides cost efficiency. Building internal capability ensures independence, while waiting offers a low-cost but high-risk alternative. Ultimately, a hybrid approach that combines external support with internal capacity building may provide the most effective path to sustainable compliance under DORA. By proactively addressing these challenges, organizations can strive not only to achieve regulatory adherence, but also enhanced operational resilience and stakeholder confidence.

In the next episode of this series we will explore how this could be done more efficiently using GenAI, together with the risks that this may entail and the corresponding controls that we would advocate to mitigate them. Stay tuned.

About the authors:

Catalin Tiganila is an experienced consultant and programme manager with a background in Cyber Security, Cloud Security, IT Governance, Risk Management and Compliance, and AI Governance, Risk and Compliance (GRC). With more than 20 years of practice in leading and executing advisory and audit engagements at different consulting firms, Catalin has delivered numerous projects as part of international teams across several geographies, covering a wide range of services in diverse industries: finance and banking, technology, telecommunications, start-ups, energy, healthcare, retail and manufacturing. He is a Board Member of the ISACA Luxembourg chapter, where he is responsible for chapter membership and also leads the AI GRC Working Group.

Shariq Arif, in addition to being Co-Founder at IntGen.AI, a RegTech GenAI compliance start-up, is a seasoned Personal Data Protection professional. In 2017 he co-founded the Data Protection practice at a leading professional services firm in Luxembourg, and was systematically notified to several National Data Protection Authorities as the external Data Protection Officer for all such mandates held by that organisation. Shariq also co-led the organisation's application to become a GDPR-CARPA certification body in 2023. He is a certified Data Protection Officer Coach (PECB) and a Board Member of the APDL (Association pour la Protection des Données au Luxembourg).