5 common mistakes to avoid when preparing for DORA


What is DORA?

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a European Union (EU) regulation that entered into force on 16 January 2023 and applies from 17 January 2025.

DORA addresses the increasing reliance of financial entities such as banks, insurance companies, and investment firms on digital systems and technologies, and the risks that come with it: cyber threats and operational disruptions. One distinctive aspect of DORA is that it applies not only to financial entities but also to the ICT (information and communication technology) third-party service providers that serve the financial sector.

It aims to strengthen the IT security of financial entities, making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.

DORA harmonizes the requirements relating to operational resilience for the financial sector, applying to 20 different types of financial entities and their IT third-party service providers.

DORA covers the following areas:

  • IT Risk Management and Governance
  • IT-related incident management, classification and reporting
  • Digital operational resilience testing
  • IT third-party risk management
  • Information-sharing arrangements

 

Which common mistakes should you avoid?

1. Lack of a holistic approach and efficient collaboration

DORA covers various aspects of organizational operational resilience, including risk management, incident management, resilience testing, third-party oversight, and information-sharing arrangements. Failure to understand the full extent of DORA requirements across organizational operations can lead to inefficient and ineffective compliance efforts.

Some organizations take a fragmented approach to DORA compliance, addressing individual requirements in isolation and silos, rather than adopting a holistic approach to operational resilience. This can result in gaps in the organization’s overall resilience strategy and leave it vulnerable to unforeseen risks and threats.

DORA compliance is not something that only impacts an isolated part of the organization, such as IT security. It needs a holistic approach with a clear strategy, including vision, roles, and responsibilities.

My advice: Conduct a thorough analysis of DORA’s requirements and how they apply to your organization’s operations. Establish a cross-functional team to oversee compliance activities, ensuring collaboration between departments such as IT, information security, procurement, risk management, legal, business continuity management, and compliance. Develop a unified strategy that aligns with the organization’s overall objectives and risk tolerance, including a roadmap for compliance that addresses all relevant aspects of the regulation.

 

2. Lack of board and executive buy-in and support

DORA focuses on digital operational resilience and, like the Network and Information Security Directive (NIS2), it applies to the whole organization. The reliance of financial entities on digital systems and technologies has become so great that digital disruption has become synonymous with organizational disruption. You cannot have an effective operational resilience program without board and executive buy-in and support. Don't make the mistake of thinking that DORA is an IT requirement.

My advice: Get buy-in from the board of directors and executive management. Ensure that they understand the organizational impact and ensure that compliance activities are aligned with the organization’s strategic objectives and risk appetite. Ensure regular reporting on findings, compliance effectiveness, and remediation efforts.

 

3. Not using the opportunity that DORA provides to improve governance

DORA and NIS2, among other pieces of EU legislation, are ways to improve the digital resilience of organizations within the EU and to help address the risks that come with the increasing reliance of organizations on digital systems and technologies. A common mistake I see is organizations not using the opportunity to redesign and optimize their governance. They continue using outdated organizational structures without clear, transparent, and consistent lines of responsibility and accountability: structures where digital resilience is seen as a local IT or information security risk rather than an organizational risk.

My advice: Use this opportunity to break down silos and optimize internal governance. An organizational structure with clear, transparent, and consistent roles, responsibilities, and accountability rules enables effective risk management and digital resilience.

 

4. Trying to reinvent the wheel

DORA is an attempt to harmonize digital resilience requirements within the EU. The requirements are challenging if your organization has a low level of digital resilience maturity. They are not challenging for organizations with a high level of maturity, as the requirements are generally not totally new. The mistake I often see is organizations trying to reinvent the wheel when it comes to their digital operational resilience, control framework, and control tracking, even though they already have most of the ingredients in place to be DORA compliant.

My advice: Analyze your current maturity and perform a gap analysis so that you can optimize the areas that need it without reinventing the wheel to become DORA compliant. Don't only look at technology; also focus on people, processes, and culture. Often, organizations have most of the ingredients in place to be DORA compliant; what is needed is collaboration and guidance in using those ingredients.

 

5. Outsourcing all aspects of DORA compliance

DORA compliance is not a quick fix; it is a continuous process. A mistake I often see organizations make is trying to outsource compliance. Outsourcing DORA compliance tasks as a whole may increase the exposure of sensitive data to third parties, decrease internal knowledge, increase dependency on third parties, introduce communication and coordination challenges, and decrease control over the process. Note that under DORA the financial entity itself remains responsible for managing its ICT third-party risk, so outsourcing compliance work does not outsource accountability.

My advice: It can be valuable to hire external consultants to advise, provide guidance, help organize the processes needed to ensure DORA compliance by 17 January 2025, and educate your teams in becoming DORA compliant. Parts of digital operational resilience testing, such as threat-led penetration testing, are areas of DORA where independent external testers often deliver better quality. AI-assisted control tracking and compliance tools can help reduce the time spent on repetitive tasks. But don't outsource DORA compliance tasks as a whole. Digital operational resilience needs internal focus, knowledge, and support. It is a continuous process and not something you buy from a third party as a whole.