Simon Lawrence
Director at i-confidential
The Digital Operational Resilience Act (DORA) is currently a top priority for anyone involved in the EU's financial services landscape. This sweeping regulation affects not only EU-based organisations but also any outside suppliers serving the EU's over 22,000 financial entities.
Similar to other global regulators, such as the Hong Kong Monetary Authority, the EU is now mandating a comprehensive range of security requirements that are legally enforceable under DORA.
What this means is that implementing robust cyber security measures is no longer optional—it’s an obligation. For today’s Chief Information Security Officers (CISOs), already juggling numerous responsibilities, DORA adds another significant layer of compliance.
There is a silver lining though. With the right support and approach, DORA can lead to positive outcomes that strengthen organisational resilience and security posture.
Understanding DORA’s Requirements
Full compliance with the DORA regulation becomes mandatory on 17th January 2025. The main DORA act brings with it a host of binding security requirements in areas such as ICT Incident and Supplier Management.
The true breadth of the regulation becomes evident when scrolling through the 500+ requirements in the underlying ICT Risk Regulatory Technical Standards.
These include essential elements such as:
IT Asset Management
Encryption Protocols
Vulnerability and Patch Management
Access Control Measures
For those seeking to explore the regulation in depth, try this excellent DORA Navigator provided by Springflod.
No organisation can afford to overlook these mandates, and the impact will vary based on the maturity of existing security measures. The truth is, no organisation manages cyber security perfectly. CISOs face hard decisions and must make the most of the resources they have. For some, the arrival of DORA might feel like a heavy blow, especially considering the amount of work required to meet its demands.
You Should Be Doing This Already
It's important to recognise that much of what DORA requires aligns with what organisations should already be doing. Many of these measures are foundational and have been promoted by existing frameworks, like NIST and CIS, for years.
Take IT asset management as a prime example. Since 2014, NIST has highlighted the importance of tracking and managing IT assets. DORA echoes this, stipulating that organisations must “develop, document, and implement a policy on the management of IT assets.”
The regulation then goes on to specify nine key details that must be recorded for every asset, such as its criticality and the business functions it supports. Why is this so vital? Because IT asset management is the cornerstone of effective security.
Without a comprehensive inventory, organisations can’t be certain their security measures cover all endpoints, vulnerabilities, and systems. For instance, a business must know which assets are protected by its security solutions, such as endpoint security, vulnerability scanning, and the SIEM (Security Information and Event Management).
Furthermore, without prioritising assets based on their business value, companies may waste time by investing in securing lower-risk assets while neglecting critical ones. IT asset management is not merely a regulatory box to tick, but a fundamental aspect of risk management and effective security practice. CISOs should not wait for regulators to force their hand. Taking proactive steps now can prevent costly disruptions later.
Turning Compliance Into Opportunity
DORA represents a turning point for organisations that have struggled to establish strong cyber security foundations. For CISOs, this regulation provides an opportunity to focus efforts where they are needed most, providing the drivers to secure the necessary investment for these initiatives.
Those that act now will benefit by significantly reducing their security risks and improving operational resilience. DORA’s detailed requirements can serve as a baseline for what must be in place, ensuring that even the most reluctant businesses meet minimum security standards.
It’s important to say, however, that evaluating your security against these regulations, identifying gaps, and determining the solutions and resources required to close them can be daunting. This is where external support becomes invaluable.
i-confidential's experienced security consultants are ready to help you navigate these requirements. By doing so, you not only meet regulatory demands, but also build a security environment that protects your organisation’s future.