
    A Deeper Dive into DORA: Understanding the Digital Operational Resilience Act of 2025

    Christopher Duffy, CBCP
    #Resiliency, #OperationalResilience, #DORA
    Jul 23, 2024 3:26:48 PM


    There has been quite a bit of buzz in the Business Continuity / Enterprise Resilience space around the Digital Operational Resilience Act (DORA) of 2025. Understanding DORA is vital to any affected organization, because it sets out clear and stringent requirements to ensure that financial organizations and their important vendors can withstand and recover from ICT (Information and Communication Technology) related disruptions.

    We are also seeing our global customers that are considered a Technical Service Provider (TSP) to financial institutions having to contractually comply with DORA, much as they already do with FFIEC Appendix J. DORA sets out clearly defined contractual obligations to ensure third-party compliance with its requirements.

    We are currently working with customers that need to comply with DORA as a vital third-party vendor to global financial organizations. Having seen the lack of understanding of DORA and its implications within those companies, we believe the time is right for this article.

    Key Objectives of DORA

    The essence and goal of DORA is to establish a robust digital operational resilience framework across the EU financial sector. In summary, its key objectives are:

    1. Third-Party Risk Management: DORA imposes strict contractual guidelines for managing risks associated with third-party ICT service providers.
    2. Enhancing ICT Risk Management: DORA mandates comprehensive ICT risk management practices to identify, manage, and mitigate risks effectively.
    3. Ensuring ICT Incident Reporting: Financial entities must have mechanisms to report major ICT-related incidents promptly and accurately.
    4. Strengthening Digital Operational Resilience Testing: Regular testing and assessment of digital operational resilience capabilities are required to ensure preparedness.
    5. Information Sharing: Promoting information sharing and collaboration among financial entities to tackle common threats and vulnerabilities.

    Deeper Dive into DORA

    The actual regulation is around 64 pages and can be found on the EUR-Lex website. I have taken a lighter approach to the document with a breakdown of the DORA framework, starting with the areas most impactful to companies that are third parties to EU-based financial entities.

    Third-Party Risk Management (TPRM)

    I stated earlier that DORA follows along the lines of FFIEC Appendix J, with far more robust requirements. It is especially important to note that DORA places significant contractual emphasis on managing risks associated with third-party ICT service providers, including those based in the US.

    Requirements for third parties include:

    • Contractual Agreements: Clearly defined contractual obligations to ensure third-party compliance with DORA requirements.
    • Continuous Monitoring: Ongoing monitoring of third-party performance and risk management practices.
    • Due Diligence: Thorough assessment of third-party service providers before engagement.

    ICT Risk Management

    DORA requires financial institutions to implement a comprehensive ICT risk management framework that includes:

    • Risk Identification: Systematic identification of ICT risks, including cyber threats, software failures, and hardware malfunctions.
    • Risk Assessment: Evaluation of identified risks in terms of their potential impact on the institution’s operations.
    • Risk Mitigation: Development and implementation of strategies to mitigate identified risks, such as deploying security measures, conducting regular updates, and patch management.

    ICT Incident Reporting

    Financial entities must establish procedures for the timely and accurate reporting of major ICT incidents. This includes:

    • Incident Detection: Mechanisms to detect ICT incidents promptly.
    • Incident Classification: Criteria to classify incidents based on their severity and impact.
    • Reporting Channels: Defined channels for reporting incidents to the relevant authorities and stakeholders.
    • Follow-up Actions: Procedures for post-incident analysis and remediation to prevent recurrence.

    Digital Operational Resilience Testing

    Resilience testing takes tabletop exercises to an entirely different level by adding simulation testing. Testing of digital operational resilience is a cornerstone of DORA. Financial entities must establish and maintain a comprehensive digital operational resilience testing program. Your testing program should include a variety of assessments, such as vulnerability assessments, penetration testing, and other types of testing that identify weaknesses in ICT systems. Critical systems and applications supporting important functions must undergo testing at least once a year.

    • Penetration Testing: Regular penetration tests to uncover and rectify security weaknesses.
    • Scenario-based Testing: Conducting tests based on realistic scenarios to assess the entity’s preparedness for various ICT disruptions.
    • Simulation Testing - Threat-Led Penetration Testing (TLPT): DORA mandates advanced testing via Threat-Led Penetration Testing (TLPT). This type of testing mimics real-life threat scenarios to evaluate the resilience of critical functions. TLPT must be conducted at least once every three years, covering critical or important functions and involving third-party ICT service providers where applicable.

    The scope of TLPT should encompass all critical or important functions that, if disrupted, would significantly impair the financial performance or continuity of the entity’s services. The testing frequency may be adjusted based on the entity’s risk profile and operational circumstances.

    • Reporting and Compliance: After conducting TLPT, financial entities must summarize the results and remediation plans, provide an attestation from the relevant authority, and notify the competent authority of these summaries and plans.

    Red Teaming, or Threat-Led Penetration Testing (TLPT), is the simulation of sophisticated cyberattacks to assess the effectiveness of an organization’s defenses. The primary goal is to identify vulnerabilities and gaps in security measures by mimicking the tactics, techniques, and procedures (TTPs) of real-world adversaries.

    Information Sharing

    To foster a collaborative approach to digital operational resilience, DORA encourages information sharing among financial entities. This includes:

    • Threat Intelligence: Sharing information about emerging threats and vulnerabilities.
    • Best Practices: Dissemination of best practices for managing ICT risks and incidents.
    • Incident Information: Sharing details of ICT incidents to help other entities prepare and respond effectively.

    Implications for Business Continuity, Information Security, and Risk Professionals

    Enterprise resilience professionals whose companies are either an ICT/TSP to a financial organization, or in the FinTech industry, must align their practices with DORA’s requirements to ensure compliance and enhance their institution’s resilience. Key implications include:

    • Enhanced Governance: Strengthening governance structures to oversee ICT risk management and compliance with DORA.
    • Resource Allocation: Allocating sufficient resources to implement and maintain robust ICT risk management frameworks.
    • Training and Awareness: Ensuring that employees and contractors are adequately trained and aware of their roles in maintaining digital operational resilience.
    • Collaboration: Fostering collaboration with other financial entities and stakeholders to share information and best practices.

    Conclusion

    The Digital Operational Resilience Act of 2025 represents a significant step towards enhancing digital operational resilience in the EU financial sector and globally. Enterprise resilience professionals need a strong understanding of DORA’s requirements, and implementing them is critical to safeguarding their institutions against ICT-related disruptions. By adopting comprehensive risk management practices, ensuring timely incident reporting, and fostering a collaborative approach to resilience, ICT providers and financial entities can navigate the complexities of the digital landscape and maintain operational continuity.

    We here at OpResONE have been focused on elevating our clients’ enterprise resilience. Subscribe to our newsletter to learn more, or reach out to schedule a time to see how OpResONE can help you and your company better prepare for DORA, including certification training.