DORA: Five actions you must take

Globally, regulators are placing increasing focus on operational resilience and cyber risk, and we expect to see a tidal wave of new regulation across the EU, UK, US, and APAC in the next few years. DORA is the first of these major regulations, and while it could be seen as a regulatory box-ticking exercise, how you approach DORA could define a long-lasting approach that can significantly accelerate your response to other upcoming regulations.  

A narrow view will inevitably lead to unnecessary restarts, increased costs, and a lack of cohesion with other transformation initiatives. You need to think beyond DORA and embrace solutions that not only meet the immediate regulatory requirements but set you up to adapt to what comes next. In our view, that means embedding operational resilience and digital risk management into your organisation’s fabric and ensuring your processes, controls, and frameworks are fit for the future.  

So, where do you start? We’ve spoken to hundreds of industry leaders, and combined with our deep digital risk and resilience expertise, these are the five priority actions you should take: 

1. Stop looking sideways and focus on your firm 

When it comes to risk and regulation, every firm is different; what works for one, might not work for another. It’s tempting to look at your competitors and think what are they doing, and should we do the same?  But cookie-cutter approaches to regulation don’t work. You risk focusing on areas that aren’t as important for your firm’s operations, processes, and policies—leading to bloated or delayed programmes that don’t address the risks the regulation is designed to mitigate.

You need a proportional approach that looks at regulatory requirements and applies them in a way that reflects the size, complexity, and risk profile of your firm. For example, in the context of DORA, a smaller firm might adopt less complex, less resource-intensive measures due to a smaller number of third-party ICT providers. But a larger firm with more layered operations and geographic reach will need a comprehensive approach that takes a global view of operations and service supply chains to comply with DORA’s third-party risk provisions. If your approach to DORA is not right sized, then you could end up over-time and over-budget in your compliance efforts. 

So, whether it’s DORA or another risk regulation, you need to tailor your compliance efforts to fit your unique needs and priorities.  

2. Get to grips with what you need for DORA and beyond  

There’s a big difference between what you need to achieve for day one (January 2025) versus how your ongoing compliance may look beyond the deadline. Embedding and enhancing resilience isn’t a one and done activity; yes, there are changes that you will need to make to meet DORA’s compliance deadline. But if you really want to transform how you manage and monitor digital risks, you need to think beyond day one.  

At a minimum, you should undertake a comprehensive gap assessment to see what you need to do to get compliant by January 2025. But if you want to make a lasting impact on your digital operational resilience, you need to embed a robust monitoring framework to detect, analyse, and respond to incidents in real-time, report resilience metrics to senior management and regulators, and maintain transparency and accountability. Compliance activities such as conducting regular resilience testing like threat-led penetration and red-teaming exercises as well as continuous engagement with third-party providers should become baked-in processes. Developing a deep understanding of what resilience means in your role and how you can support ongoing capability-building and hold accountability to business-wide resilience goals is crucial to affect long-lasting change.  

In our view, embedding these ongoing activities is the secret to enhancing your long-term resilience. They allow you to develop the agility needed to adapt to emerging global regulatory challenges—looking at DORA and beyond. 

3. Get critical or important functions (CIFs) right 

ICT disruption is becoming more commonplace—and cyber threats are increasing in both severity and frequency.  

If ICT disruption happens, what areas of your firm will be hit hardest? Identifying your critical or important functions (CIFs) is about mapping the areas where disruption would materially impair the soundness or continuity of your business and/or your compliance with key legal and regulatory requirements. Getting this right is fundamental to building a more digitally resilient firm. Identifying CIFs is a foundational step, and they’ll inform a lot of the work you need to do to meet DORA requirements. Knowing where your key vulnerabilities are allows you to better control the risks to your ICT infrastructure. You need to spend significant time ensuring that there aren’t any gaps in this understanding. If your CIFs aren’t mapped correctly, or new services aren’t built into the same control framework, then you risk having blind spots in your response to ICT disruption.  

DORA’s focus on CIFs ensures financial entities are better prepared to withstand and recover from ICT-related disruptions—enhancing the overall stability and resilience of the European financial system. You need to identify and assess CIFs meaningfully—so they’re not too high level and intangible, but also not too detailed that they are unworkable as a prioritisation tool—with consistent principles underpinning their scope and specificity.  

4. Get your inventory in order 

Digital risk management is all about understanding your exposure. You need a clear view of your ICT estate, and you need to understand where weaknesses lie, where systems are outdated, and how your third parties interact with your systems. Moving beyond DORA, this level of visibility is pivotal—especially as information architecture becomes increasingly complex and technology ever-more sophisticated. 

You should start by creating a comprehensive list of all your ICT assets and then classifying them based on their importance to CIFs and their vulnerability to operational disruptions. You also need to assess the risks associated with your legacy systems, including potential security vulnerabilities and operational inefficiencies. And you should prioritise modernising and replacing high-risk legacy systems.  

When it comes to your third parties, you need to undertake thorough risk assessments, focusing on their cybersecurity practices, resilience measures, and compliance with DORA requirements. You should also co-ordinate with your third parties to align on incident response plans and resilience testing. You need your ecosystem to extend your risk management policies.  

We won’t deny that this is often a time-consuming exercise, but if you do it right, it’ll set you up for long-term success. 

5. Build a scalable operating model 

DORA is one regulation in a wave of digital reform. You need to think about how you can build an operating model that’s scalable and adaptable to meet compliance needs today and tomorrow.  

Transforming your operating model might feel like an unnecessary step but trust us, you don’t want to have to retrofit every new piece of regulation into rigid operating structures. Embedding flexibility at the core of your operations will make it easier to adapt— saving you time and resources in the long run. 

Incoming digital resilience regulations will undoubtedly create challenges for your compliance teams. DORA’s added emphasis on digital resilience, for example, creates challenges for review processes, puts increasing onus on the governance of technology processes and providers, and creates demand for new skillsets that can effectivity identify and manage ICT risks. 

In response, you should implement methodologies and structures that allow you to quickly adapt to new requirements and ensure resilience processes are robust but flexible enough to scale with organisational growth, technology advancements, and new threats. You need to review your current operating model and think about what an optimal model looks likes. You should assess changes to technology, people, processes, compliance frameworks, data and governance to support your firm’s resilience goals and ensure they remain relevant. 

This enables you to create a gameplan on how DORA aligns with your other organisational transformational initiatives. These may not be regulatory driven but helps you understand which other teams and objectives you need to work alongside to avoid silos, inefficiencies and confusion in the long-term. 

Make compliance your competitive differentiator  

At Baringa, we see regulation as an opportunity; a chance to master your digital risk management. We help you define the proper scope and priorities for your DORA execution to get you fit for January and lay the foundation for beyond. 

We don’t believe in one-size-fits-all solutions.  We help you focus on the right details—whether that’s simplifying your network of third-party dependencies, fine-tuning your ICT risk frameworks, or developing your testing capability. We act as an extension to your team embedding resilience at the core of your organisation to protect your biggest assets. And when we leave our capabilities stay because we upskill your people to build sustainable solutions faster, keeping you ready for the next wave of risk and regulation. 

Get in touch to see how we can help you use to compliance for long-term advantage