Article   March 29 2023

DORA – an opportunity for increased security in the finance sector

By January 17th 2025 all financial operators need to be compliant with DORA (Digital Operational Resilience Act). With the intention of reducing systemic risk, DORA has implications for all financial operators – but also offers the opportunity for the whole financial sector to improve its digital resilience. Starting the work now, is key.

Information security
man sitting in front of computer screens showing stock market statistics

Image: piqsel.com (license free)

With a massive 55 percent increase in overall threat detections in 2022, the need for a more proactive and harmonized EU-regulation becomes urgent. In that respect, DORA is a key component for a continuous digital innovation of all financial services. 

Security resilience in focus

With the vast number of attacks, protection alone is simply not enough. Instead, security resilience with the ability to be prepared for an event, knowing what and where to report an incident and get your services back up and running again after an event occurs, is crucial. And also to document these routines and processes. 

For most actors within the financial sector, most things needed are already in place. The challenge now is to allocate and make all functions work together. For many actors, it’s about avoiding the risk of not being compliant, by going from a best practice to a more systematic, documented cybersecurity management. 

Five pillars

In order to be DORA compliant, financial actors need to have the operational routines for five core pillars in place:

  1. ICT Risk Management
    DORA require resilient ICT systems and tools, along with the ability to identify, classify and document protection, detection, and prevention measures. Actors also need to be able to respond and recover, learn, and evolve, with communication plans in place.  

  2. ICT Incident Management
    By following the information security lifecycle actors need to have an incident management process in place. With routines for classification of incidents and threats, with high attention on post-incident review and analysis of root causes, and also with a required reporting of major ICT-related incidents to the right authorities. 

  3. Operational resilience testing
    Actors need to test capabilities and functions, with a risk-based approach. They also need to execute a full range of appropriate tests, including advanced threat-led penetration testing and requirements on third party testers. 

  4. Third party risk management
    Monitoring ICT third-party risks, by registering information of the use of third-party providers, become mandatory. Always with an assessment before contractual arrangement and with content requirements for contracts. 

  5. Monitoring and reporting 
    All actors need routines for reporting incidents, both internal and in exchange with other financial entities, and also for external reporting of major ICT-related incidents. 

In order for these pillars to function properly, a good cybersecurity governance model need to be in place, securing roles and responsibilities, safeguarding the digital operational strategy and policies, and oversee and review risk control and monitoring. 

Start planning the work now

January 2025 might seem far away but the key in being DORA-compliant is to start planning the work now. Make use of operations already in place, prioritize the work, and ask for assistance when needed. 

Through our NanoLearning platform, Junglemap offers awareness as a service, which can be helpful when learning and awareness programs become mandatory, alongside with management participation in security.

With our standard courses in information security for all employees, for managers, and role-based courses targeting product and development teams, we hope to contribute with an important tool for any organization working to become digitally resilient. 

Article   March 29 2023