
teissTalk: DORA - A new law for a new dawn


On 24 April 2025, teissTalk host Thom Langford was joined by Benoit Heynderickx, Principal Analyst, Information Security Forum (ISF); Tim Parker, Chair, South West Cyber Security Cluster; and Lewis Henderson, Director - Product Marketing, Team Cymru.


Views on news


The Digital Operational Resilience Act (DORA) represents a significant step forward in strengthening the digital resilience of the financial sector within the European Union. Adopted by the European Parliament and the Council on 14 December 2022, DORA establishes a comprehensive framework to ensure that financial entities can withstand, respond to and recover from all types of ICT-related disruptions and threats. The regulation has applied since 17 January 2025 and, being a regulation rather than a directive, applies directly across all EU member states without national transposition. Although implementation guidelines have already been published, many businesses are still uncertain about how they should comply. Companies would do better to follow the spirit, rather than the letter, of the regulation. There is still no consensus on how far the technical standards should go. On the upside, the regulation allows some latitude in how businesses implement it and tailor compliance to their organisation.


The devil is in the details


If you put DORA in the context of other security frameworks, it doesn’t come across as a massive leap. While DORA is, generally speaking, about how cyber security should be done, it becomes much more prescriptive about what must be done once an incident occurs. As with cyber security itself, DORA compliance is a team effort. Major incidents must be reported in far more detail than before and to a much tighter timetable: an initial notification is due within 24 hours of becoming aware of the incident (and within four hours of classifying it as major), an intermediate report within 72 hours, and the final report within one month. Within a little more than four weeks, therefore, the victim must produce a full breakdown, from how the incident happened through to threat actor attribution. Some third parties, cloud providers for example, have already embraced DORA, so financial institutions need worry less about those suppliers’ compliance; the financial entity nonetheless remains accountable for managing its ICT third-party risk under the regulation. Smaller suppliers, on the other hand, should start conversations with their financial-institution customers to establish whether they fall within scope of the legislation.


NIS2, which has also come into effect recently, has strict reporting requirements of its own: an early warning is mandated within 24 hours of becoming aware of a significant incident, followed by a fuller incident notification within 72 hours and a final report within a month. The two pieces of legislation, however, are not aligned. The best policy is therefore to write a report in as much detail as the financial institution can and then “broadcast” it to every authority it needs to report to. Although not the only cyber security regulation in force, DORA is the one that applies the “thumb screws” through elevated fines and stringent rules. Compliance will have implications for workflows, processes and people policy. Whether DORA has enough teeth will depend on whether fines are followed through; many GDPR fines are still the subject of court appeals, and British Airways, for example, is still fighting its pre-Covid fine.


The three most important first steps for financial institutions on the road to compliance are supply chain compliance, which is also the most laborious; putting business continuity and crisis management plans in place; and a gap analysis against DORA’s requirements. There is no consensus yet on who should own DORA, whether GRC, risk or cyber teams; financial institutions will probably make that choice in line with their size.


The panel’s advice

  • Currently, around 20,000 organisations are in scope of DORA. This number is expected to grow as the circle of critical suppliers expands.
  • While the financial institution is the party responsible under DORA, compliance is a collaborative effort with its suppliers.
  • An institution already aligned with ISO and other established standards will be close to DORA compliance, but there are further traps that need to be navigated.
  • Implementing DORA is more about culture than compliance.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543