The European Union’s Digital Operational Resilience Act (DORA) comes into force on 17 January amidst warnings that many companies are still unaware of its impact and what needs to be delivered.
DORA establishes an EU-wide oversight framework designed to ensure the financial sector can withstand severe operational disruptions.
Covering over 20,000 entities, including financial institutions, crypto-asset service providers, credit rating agencies, and ICT service providers, the regulation introduces strict requirements for cyber risk management, incident reporting, resilience testing and third-party risk monitoring.
Many experts say that the implications of the new regulation have yet to be fully appreciated, with many businesses still unprepared for its implementation.
Andy Norton, European cyber risk officer at Armis explained: “Many financial institutions are woefully unprepared for DORA’s upcoming January deadline. In fact, 35% of UK IT leaders within the financial services sector acknowledge that their firms lack sufficient budget allocations for cybersecurity programs, people and processes.
“To meet DORA’s stringent requirements, firms must first prioritise cybersecurity basics, like shoring up multi-factor authentication (MFA), firewalls, network visibility and regular software updates. Equally important is adopting automation and bringing all security tools and processes under a unified management system to create better visibility and faster, more streamlined operations.
“Once these fundamentals are sorted, advanced solutions like AI-powered threat intelligence enable firms to transition from reactive cybersecurity measures to a proactive defence strategy, identifying and neutralising threats before they occur.”
Key gaps emerge
SecurityScorecard said its research has found critical vulnerabilities across Europe’s top 100 companies. The findings emphasise the urgent need for enhanced cyber risk management, particularly in the face of increasing threats to supply chains and third-party ecosystems.
It added that Europe’s largest organisations are facing mounting cybersecurity challenges, with third- and fourth-party ecosystems emerging as major points of vulnerability. Alarmingly, 98% of European companies experienced third-party breaches in the past year, leaving businesses exposed to operational disruptions and reputational risks.
Ryan Sherstobitoff, SVP of Threat Research and Intelligence at SecurityScorecard, said: “Supply chain vulnerabilities remain a critical threat, as adversaries exploit these weak links to infiltrate global networks. With regulations like DORA set to reshape cybersecurity standards, European companies must prioritise third-party risk management and leverage rating systems to safeguard their ecosystems.”
Si West, director, customer enforcement at Resilience, added: “DORA is more than just another regulatory framework - it represents a fundamental shift in how financial institutions should view digital threats, including incident response, third-party risk management, information sharing and security testing.
“All financial entities are expected to comply with its requirements by January 2025 – a challenging deadline for businesses to meet. A McKinsey survey found that although 94% of financial institutions are fully engaged in understanding the detailed requirements of legislation, many are concerned over the timeline of implementation and struggling with limited clarity.
“It is therefore essential that firms understand the ramifications of DORA, how they can prepare for compliance, and navigate these complex regulatory waters.”
Getting DORA-ready
Experts say improving cybersecurity hygiene is a top priority for many European companies as nearly all have faced third- and fourth-party breaches, exposing them to significant risks.
Global cyber security and investigations consultancy S-RM said there are five critical steps for financial institutions and their ICT providers to achieve compliance with DORA.
- Conduct a gap analysis to identify weaknesses against DORA’s requirements and establish a targeted plan to address them.
- Educate management on their responsibilities under DORA and adopt a top-down approach to cyber security.
- Test incident preparedness and recovery with key business and IT stakeholders.
- Ensure readiness to classify and report security incidents to relevant authorities within 24 hours.
- Update contractual relationships with relevant ICT third parties to include obligations around information security and risk management as well as rights for inspection, access to information and secure exit strategies.
Katherine Kearns, head of proactive cyber services at S-RM, explained: “While DORA may seem complex, it essentially aggregates and prioritises many of the cyber security practices that financial entities in Europe have already been working towards.
“By following these steps, organisations can strongly position themselves to detect cyber threats, limit the impact of cyber incidents and prepare for the requirements that DORA imposes on them.”
She added that DORA marks a significant step in aligning cyber security requirements applied to critical national infrastructures across the EU and strengthening operational resilience of the financial sector and critical ICT providers that support it.
As such, it represents both a challenge and an opportunity for the organisations that will be brought within its scope, including those companies headquartered in the UK with service offerings in the EU.
“Proactive cyber risk management involves more than simply deploying the latest security technologies,” said West. “It requires a holistic approach that includes continuous monitoring, regular testing, and an in-depth understanding of the shifting threat landscape. For many financial entities, achieving this level of preparedness will mean balancing security solutions with cyber insurance.
“A top-down risk management approach [should] include vendor risk [analysis], quantified understanding of plausible material loss, prioritised cyber action plans, and the ability [to] effectively respond to incidents. By doing so, firms can bolster their overall resilience and reap the benefits of DORA.”