
How can boards prepare for the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA) is the European Union’s answer to the growing digital reliance in the financial sector. This article explores everything boards need to consider as you prepare for DORA compliance.

Our growing reliance on technology in the way businesses operate has created untold opportunity — but it has also introduced significant risks.

Financial institutions are grappling with an increasingly complex digital environment, where disruptions to Information and Communication Technology (ICT) systems can have wide-ranging consequences.

In response to the shifting financial landscape, the European Union has introduced the Digital Operational Resilience Act (DORA). This regulation aims to create a unified approach to digital resilience across EU financial entities, ensuring they can withstand, recover from, and adapt to ICT disruptions effectively.

DORA isn’t just about technical adjustments; it’s a transformative step that reshapes governance practices, operational frameworks, and risk management strategies. Boards and committees, as stewards of organisational strategy, are central to this transformation. By fully understanding and implementing DORA, they can lead their organisations toward enhanced resilience, compliance, and long-term stakeholder confidence.

This article outlines DORA’s scope, its impact on governance, and how boards can prepare to navigate DORA requirements effectively.


What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA) is the European Union’s answer to the growing digital reliance in the financial sector. By creating a harmonised framework for resilience, DORA ensures financial institutions can identify, manage, and mitigate ICT risks comprehensively.

What does DORA cover — and why does it matter?

DORA sets out clear requirements to strengthen operational resilience. Financial entities must manage ICT risks effectively, ensure third-party service resilience, report incidents promptly, and conduct rigorous cybersecurity testing to address vulnerabilities. These measures establish a robust foundation for safeguarding operations.

DORA is a safety net for the financial sector. By addressing gaps in ICT risk management, it helps prevent disruptions that could ripple across the industry, impacting institutions and stakeholders alike.

As the European Banking Authority (EBA) puts it: "The Digital Operational Resilience Act is a cornerstone in our efforts to enhance the EU financial sector's ability to mitigate ICT risks and ensure continuity under any circumstances." In short, DORA is preparing organisations to thrive in an unpredictable digital world.

What are the core requirements of DORA?

DORA sets out clear requirements to help financial institutions manage and mitigate ICT risks effectively. These pillars form the backbone of the regulation, creating a secure and resilient financial ecosystem.

1. Operational resilience frameworks

Institutions need robust frameworks to withstand, respond to, and recover from ICT disruptions. These frameworks should align with organisational goals and evolve regularly to stay ahead of emerging risks.

2. ICT risk management integration

ICT risk management must be woven into broader governance frameworks. Identifying, evaluating, and addressing ICT risks is essential for maintaining operational stability and supporting strategic priorities.

3. Incident reporting protocols

Reporting significant ICT incidents promptly is a cornerstone of DORA. Organisations must establish processes to escalate issues efficiently, ensuring transparency and enabling a coordinated response.

4. Third-party risk management

Financial institutions are responsible for overseeing the ICT risks tied to third-party providers. This means conducting thorough evaluations and maintaining strict oversight of critical services to minimise vulnerabilities.

5. Regular cybersecurity testing

DORA mandates rigorous cybersecurity testing, including advanced techniques like threat-led penetration testing (TLPT). These assessments reveal vulnerabilities and guide resilience investments. 

How will DORA impact governance?

DORA elevates the importance of ICT risks, placing them firmly on the boardroom agenda. Boards and committees must now adopt a proactive, strategic approach to ensure compliance and resilience.

As PwC highlights, "DORA introduces very specific and prescriptive requirements that are homogenous across EU member states. Organisations need to be able to withstand, respond and recover from the impact of ICT incidents, thereby continuing to deliver critical and important functions and minimising disruption for customers and for the financial system." 

Here’s how DORA transforms governance practices:

  • Proactivity: Governance under DORA requires forward-thinking. Boards must embed ICT resilience into organisational priorities, shifting from reactive problem-solving to a mindset that anticipates and addresses risks before they escalate.
  • Holistic risk management: DORA makes ICT risks part of the bigger picture. Boards are tasked with integrating these risks into overarching risk management frameworks, ensuring alignment with other critical governance areas.
  • Accountability: Accountability isn’t optional under DORA - it’s a mandate. Boards and committees are directly responsible for overseeing the effectiveness of resilience strategies, from development to implementation, and ensuring compliance at every step.
  • Evolving committee roles: DORA may reshape the structure of governance itself. Risk committees might need to expand their focus to include ICT risks in detail, or new, dedicated committees for digital resilience may be formed to meet the regulation’s demands.

Boards have an opportunity to turn DORA compliance into a strategic advantage, ensuring their organisations are resilient, compliant, and positioned as leaders in operational governance.

Localised oversight: DORA compliance across Europe

While the Digital Operational Resilience Act (DORA) creates a unified framework for operational resilience, its implementation is overseen by national regulatory authorities in each EU member state. Understanding these regulators' specific expectations is crucial for effective compliance.

Germany

The Federal Financial Supervisory Authority (BaFin) is responsible for DORA compliance in Germany. Known for its strict regulatory approach, BaFin will integrate DORA’s requirements into its supervisory framework. German financial institutions should prepare for detailed guidance on ICT risk management, operational resilience, and incident reporting.

Italy

In Italy, the Bank of Italy (Banca d’Italia) and the Italian Companies and Exchange Commission (CONSOB) share oversight of DORA implementation. Italian regulators will likely align DORA with the nation’s existing cybersecurity and operational resilience regulations, focusing on rigorous assessments of ICT risk frameworks and incident protocols.

France

The French Prudential Supervision and Resolution Authority (ACPR), part of the Banque de France, will lead DORA implementation in France. ACPR’s proactive stance on digital resilience will likely result in specific guidelines to ensure organisations integrate ICT risks into governance. French institutions should anticipate detailed assessments of their resilience strategies and cybersecurity protocols.

United Kingdom

Although the UK is no longer part of the EU, DORA’s influence is relevant for UK-based institutions operating within the EU. The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) already enforce ICT resilience standards aligned with DORA’s objectives. UK firms must harmonise compliance efforts across jurisdictions to meet regulatory requirements.

When does DORA come into effect?

The Digital Operational Resilience Act (DORA) applies from 17 January 2025, giving financial institutions a limited window to achieve compliance. Preparing for DORA is not a one-off task; it requires ongoing assessments, updates to frameworks, and proactive implementation of measures. Boards play a crucial role in this process, ensuring timely allocation of resources and overseeing progress to avoid last-minute inefficiencies. By acting decisively, organisations can meet regulatory demands while enhancing their operational resilience.

How can boards align DORA compliance with broader governance?

This is an opportunity for boards to use DORA compliance to strengthen governance frameworks and build organisational resilience. So, how can boards turn this challenge into a strategic advantage? By embedding DORA’s principles into governance practices, they can lead their organisations toward stronger, more future-proof outcomes.

Holistic governance

ICT risks are critical components of overall governance, not just technical issues. By integrating these risks into broader strategies, boards ensure digital resilience is embedded in organisational priorities. This approach doesn’t just achieve compliance; it positions the organisation for long-term success.

Collaboration

Governance thrives on collaboration. DORA actively encourages financial institutions to share insights and work together. By partnering with regulators and industry peers, boards can be proactive leaders in the financial ecosystem, showing how their organisation contributes to collective strength.

Stakeholder confidence

Trust is an invaluable asset, and DORA provides boards with a chance to strengthen it. Taking a proactive approach to compliance sends a clear message to investors, customers, and regulators: this organisation is committed to transparency and stability. That confidence pays dividends, solidifying relationships and reinforcing the organisation’s leadership in operational resilience.

DORA compliance isn’t just about meeting the rules — it’s about staying ahead of the game. According to KPMG, "DORA challenges boards and committees to think beyond compliance and leverage operational resilience as a strategic advantage in an increasingly digitalised economy." 

What are the next steps for ensuring DORA compliance?

DORA compliance is a journey that requires thoughtful planning and decisive action. From understanding your status quo when it comes to digital resilience, to establishing the processes and plans that will ensure compliance, it’s necessary to break this journey down into its component parts.

So, what practical steps can boards take to guide their organisations toward full compliance?

Step 1: Conduct a readiness assessment

To get started with DORA compliance, it’s important to understand where your organisation stands when it comes to digital resilience. Start with a deep dive into your current situation. Where are the gaps? What needs to be stronger? And how are things documented? An initial audit will help identify what needs to be prioritised to align with DORA’s requirements.

Step 2: Establish governance structures

Accountability is at the heart of DORA. Boards need to clearly define roles and responsibilities for ICT resilience and ensure these are embedded within governance structures. Whether through expanding existing committees or creating new ones, boards need to take ownership of compliance efforts.

Step 3: Create and implement an ICT risk management plan

As a new addition, ICT risk management might not have been a deliberate area of focus for your board in the past. Creating a plan will give you a roadmap for identifying, planning for, and addressing ICT risks. From detecting and responding to incidents to testing systems for resilience, it ensures your organisation is prepared for any disruption.

Step 4: Evaluate and monitor third-party risks

One of the critical aspects of DORA is ensuring that financial institutions rigorously assess and manage the ICT risks associated with third-party providers. The regulation makes it clear: financial institutions are directly accountable for monitoring and mitigating risks tied to these external relationships.

Evaluating your current tools 

Boards should begin by critically evaluating whether the tools and processes in place for managing third-party risks align with DORA’s stringent requirements. Consider the following key areas:

  • Transparency, security, and auditability: Do the tools provide the necessary transparency to monitor third-party activities? Can they securely handle sensitive data and ensure an auditable trail of interactions?
  • Contractual clarity: Are agreements with third-party providers fully documented and verifiable? This includes clearly defined responsibilities, contingency measures, and termination clauses.
  • Regular risk assessments and contingency planning: Are there structured processes for periodic risk evaluations and the development of actionable contingency plans? These measures are essential to identify vulnerabilities and reduce exposure to unforeseen disruptions.
  • Resilience testing: Are your critical third-party providers tested regularly for resilience? Stress testing and penetration testing should be integral to your oversight strategy, ensuring service providers can withstand and recover from ICT incidents.

Enhancing oversight mechanisms

Institutions must maintain robust evaluation systems to oversee the resilience of critical services provided by third parties. Boards should ensure these systems address:

  • Ongoing monitoring: Effective tools and frameworks must track third-party performance and compliance in real time, identifying vulnerabilities as they arise.
  • Mitigation of single points of failure: Avoid dependency on individual providers by implementing diversification strategies and redundancy measures.
  • Contingency preparedness: Establish protocols for rapid response in the event of third-party failures, including transitioning to alternative providers if necessary.

Step 5: Invest in the right technology

Successful compliance demands the right tools. Boards should approve investments in secure communication platforms, real-time monitoring systems, and data management tools. These resources streamline compliance efforts and enhance governance effectiveness.

How does Sherpany support boards and committees to prepare for DORA compliance?

Boards face unique challenges in navigating DORA’s requirements, and Sherpany is here to help. With its board management software, Sherpany provides practical solutions that empower boards and committees to excel in governance and compliance.

Agenda management

Simplify the process of adding and tracking ICT resilience discussions in board meetings. With Sherpany, important DORA-related topics stay front and centre.

Centralised documentation

Store and manage critical reports, assessments, and decisions securely. Sherpany’s platform provides a single source of truth for documentation, making audits and compliance checks seamless.

Real-time updates

Responding to ICT incidents promptly is vital. Sherpany facilitates real-time communication, keeping boards informed and enabling faster decision-making during crises.

Regulatory compliance

Sherpany helps boards maintain comprehensive records of decisions and actions related to DORA compliance, ensuring that governance processes are transparent and auditable.

Training support

Sherpany empowers leaders to fulfil their responsibilities with confidence. With tailored resources, it equips boards with the knowledge and tools they need to stay informed about DORA.

Take your next step toward DORA compliance

By embedding DORA’s principles into their strategies and taking proactive steps, boards can lay the groundwork for sustained success. DORA compliance is an opportunity for boards to redefine governance and lead their organisations into a digitally resilient future. 

This isn’t about ticking boxes or meeting minimum standards. DORA offers a chance to future-proof financial operations and build trust with stakeholders. Boards that embrace this opportunity will go beyond compliance, positioning their organisations as leaders in resilience and innovation.

Sherpany is ready to support you on this journey. With tools designed to streamline compliance and enhance governance, Sherpany helps boards focus on what truly matters: building resilient, forward-thinking organisations that thrive in a digital-first world. Book a demo to find out more today.
