The Digital Operational Resilience Act (DORA) is a significant regulation by the European Union that entered into force on January 16, 2023, and will apply from January 17, 2025.
This regulation requires financial entities to have comprehensive measures in place to ensure operational resilience in the face of technological disruptions. Financial services firms should implement a robust plan for DORA compliance to maintain operational stability, protect consumer interests, and avoid potential penalties.
What is DORA?
DORA aims to strengthen the IT security of financial entities such as banks, insurance companies, investment firms, and payment service providers. The regulation requires firms to ensure that they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. A structured implementation plan is essential for achieving DORA compliance.
Step-by-Step Guide to Implementing DORA
To prepare for compliance with the DORA regulations, a structured implementation plan should be your first step. Your implementation plan should cover the following six steps to become fully compliant with DORA:
- Raise Awareness
The first step is to raise awareness among key stakeholders and teams within the company. They need to understand the importance of DORA compliance and its impact on operations, technology, and business processes.
- Activities: Conduct awareness sessions, workshops, and meetings to inform staff, management, and third parties about DORA requirements.
- Goal: Establish a foundational understanding of DORA across the business.
- Engage Stakeholders
Engaging stakeholders early in the process is crucial for a successful implementation. This includes internal departments, such as IT, compliance, risk management, legal, and external vendors or partners.
- Activities: Develop a governance structure, identify roles and responsibilities, and set up steering committees to oversee the DORA implementation.
- Goal: Ensure all relevant parties are aligned and committed to the DORA implementation strategy.
- Gap Analysis
Conduct a comprehensive gap analysis to identify areas where the organisation does not meet DORA requirements. This will help in prioritising areas for improvement.
- Activities: Assess existing policies, processes, systems, and controls against DORA requirements. Identify gaps in ICT risk management, ICT-related incident reporting, digital operational resilience testing, business continuity, and ICT third-party (outsourcing) risk.
- Goal: Create a clear roadmap to bridge gaps and achieve full compliance.
- Implementation
The core phase of DORA compliance is the implementation of changes necessary to meet the requirements. This may involve significant changes to IT systems, policies, and business processes.
- Activities: Develop and implement new policies, enhance existing ones, upgrade technology, carry out digital operational resilience testing, and establish an ICT risk management framework.
- Goal: Ensure all controls, processes, and systems align with DORA requirements to manage and mitigate ICT risks effectively.
- Compliant Operations
Before moving into the final phase of compliance, ensure that all implemented measures are operational and compliant with DORA. This involves conducting audits and reviews.
- Activities: Perform internal audits, third-party assessments, and compliance checks to validate the effectiveness of implemented controls and processes.
- Goal: Achieve an operational state that is compliant with DORA requirements.
- Compliant / Business-As-Usual
By January 2025, companies must be compliant with DORA and transition into a business-as-usual (BAU) mode. If not, organisations are at risk of administrative, financial or criminal penalties for failing to comply with the DORA regulations (Source: IBM). This phase focuses on maintaining compliance through continuous monitoring and improvement rather than treating compliance as a one-off project.
- Activities: Set up ongoing monitoring, periodic reviews, training, and continuous improvement activities. Establish a governance framework for sustained compliance.
- Goal: Maintain a robust state of operational resilience and be prepared for future regulatory updates or changes.
Implementing DORA is not just about meeting regulatory requirements. It focuses on building a stronger, more resilient financial ecosystem that can withstand technological disruptions and cyber threats. By following a structured implementation plan, the financial services sector can achieve compliance, enhance its operational resilience, and protect its clients’ interests effectively.
Stay ahead of the curve and ensure seamless compliance with the Digital Operational Resilience Act (DORA) using Brooklyn’s Governance, Risk & Compliance (GRC) platform.
Our GRC solution offers an adaptive policy compliance engine that dynamically manages compliance across multiple regulatory environments, ensuring your business remains resilient with evolving regulations.
- Identify ICT Critical Vendors: Effortlessly identify critical ICT suppliers and manage contracts with our fully automated digital assessments. Instantly send compliance questionnaires across your supply chain and receive prepopulated responses, saving time and eliminating manual follow-ups.
- Automated Digital Assessments & AI Contract Analysis: Create supplier tiering to identify your critical ICT suppliers. Digitise and review contracts in bulk with ‘Ask Brooklyn,’ our GenAI Assistant, and automate alerts for non-compliance, reducing the manual workload and keeping you ahead of regulatory deadlines.
- Automated Audits & Risk Management: Trigger monthly or yearly audits and capture risks in real-time with our multi-step audit processes and risk register. Get a high-level snapshot of third-party risk profiles, active risks, ratings, and a comprehensive audit log ready to share with regulators.
Don’t leave your DORA compliance to chance. Leverage Brooklyn’s GRC solution to automate, simplify, and stay compliant. Schedule a demo with our transformation experts to put you two steps ahead of the deadline.
About the Author
Nick Francis, Chief Technology and Marketing Officer at Brooklyn Solutions
Nick Francis is a well-established and experienced CxO delivering Digital & Security-focused Transformation through the design, build, and deployment of cost-effective, highly automated industry-leading solutions. Nick has experience working across the private and public sectors in industries such as Financial Services, Insurance, Legal, Utilities, Retail, Public Sector and Government.
He specialises in compliance, risk and control activities in highly regulated industries, standardisation of technologies, streamlining of internal processes and continuous improvement, driving consistency and efficiency across an organisation whilst holding Customer, Colleague and Partner experience at a premium.