A guide to DORA compliance

We look at the new EU regulation for cyber resiliency, the role of IT asset management in auditing and third-party risks

The Digital Operational Resilience Act (DORA) came into force on 16 January 2023. Following a two-year implementation period, from 17 January 2025, financial organisations must fully comply with the new regulation, which aims to ensure they remain resilient to severe operational digital disruption.

The act covers a number of aspects of cyber resiliency, auditability, and the responsibilities shared between financial institutes and third-party software and IT service providers when these products and services are used to power business operations.

While it is a European regulation, affecting companies that operate in the European Union (EU), other regions are also putting cyber resiliency rules in place. These include the Australian Prudential Regulation Authority and the Bank of England in the UK. In the US, the Securities and Exchange Commission (SEC) is also considering cyber resiliency.

Resilience across the IT supply chain

Resilience to flaws and vulnerabilities in third-party products and services has been gaining attention worldwide. One example is the CrowdStrike flaw, which caused major disruption on systems running Windows. As Juniper Research noted at the time, banks were among the victims of the worldwide technology outage, which resulted in some customers not being able to access their online banking. Cash machines and card payment systems were also affected.

The goal of DORA is to limit the potential disruption to banking systems caused by IT issues, but there is a direct correlation between its effectiveness and organisations’ maturity in terms of cyber security.

Between August 2023 and August 2024, SecurityScorecard evaluated the cyber security performance of Europe’s top 100 companies, looking at factors such as network security, malware infections, endpoint security, patching cadence, application security and domain name system (DNS).

The research found that 98% of the top 100 European companies had experienced a breach involving third-party suppliers during that 12-month period. DORA requires financial institutions to identify and assess the criticality of the third-party service providers they use based on business impact and the level of risk they pose.

Third-party IT and communications products and services are covered in Article 28 of DORA, which stipulates that financial entities must manage ICT third-party risk as an integral component of ICT risk within their own ICT risk management framework. Financial institutes that use third-party services as an integral part of their operations are held accountable for the overall cyber security of the business and must also conduct a full risk assessment of suppliers.

Looking at cyber risk exposure arising from vulnerabilities and security weaknesses in products and services supplied by third parties, Ryan Sherstobitoff, senior vice-president of threat research and intelligence at SecurityScorecard, says: “Supply chain vulnerabilities remain a critical threat, as adversaries exploit these weak links to infiltrate global networks. With regulations like DORA set to reshape cyber security standards, European companies must prioritise third-party risk management and leverage rating systems to safeguard their ecosystems.”

SecurityScorecard’s Global third-party cybersecurity breach report reveals that 75% of third-party breaches target the software and technology supply chain – a trend reinforced by recent high-profile breaches involving SolarWinds, Log4j and MOVEit.

“DORA makes information security management a legal mandate,” says Romain Deslorieux, director of strategic partnerships for cloud protection at Thales. “To ensure compliance, organisations will need to work to simplify and automate their cyber security services to be sure that their applications, data and identities are adequately protected. This includes everything from API [application programming interface] security; classifying, monitoring and protecting sensitive data; through to providing secure trusted access for customers, employees and partners.”

IT auditing

Martin Thompson, analyst and founder of the ITAM Forum, recommends that organisations run a discovery process to help them classify the risks associated with the IT products and services they use.

In a September 2024 blog, Shane O’Neill, a partner in Grant Thornton’s Dublin office, suggested that financial institutions invest in platforms that can centralise their ICT asset catalogues. This, he said, should offer a holistic view of third-party providers, which enables firms to understand the potential risks they pose to the business, enabling them to take action to mitigate such risks. 

O’Neill pointed out that most IT asset management platforms provide automation features, which can be used to simplify the review process. “At a minimum, DORA requires an annual review of ICT assets and accompanying documentation, and for third parties deemed high risk, the review cycle occurs more frequently,” he wrote.

“Automation lessens the administrative burden of coordinating a review and decreases the number of manual components within a review cycle, thereby reducing the potential for human error or the potential of a review cycle being missed.”

As O’Neill noted, IT asset management platforms can automatically trigger a review process by generating an email that reminds stakeholders to review their asset inventories, and because the stakeholder performs the review within the system, the platform automatically logs their activity, thereby ensuring all aspects of the process are easily auditable from a regulatory perspective.

While affected organisations should already be well advanced in implementing compliance programmes, Forrester senior analyst Madelein van der Hout says that as late as November 2024, she was still taking calls from Forrester clients, enquiring about what they need to do. “If you started in November, there is not enough time,” she says.

While most financial organisations already have a good security posture, according to van der Hout, all financial institutes will still need to consider third parties, the diversification of their IT infrastructure and the interdependencies.

According to Alain Traill, counsel at global law firm Latham & Watkins, many are struggling to achieve compliance. He urges those organisations still coming to terms with DORA to conduct a gap analysis to identify where they are non-compliant.

“For in-scope financial entities, which includes e-money institutions and crypto asset providers, in addition to traditionally regulated firms such as credit institutions, compliance involves a gap analysis of existing resilience measures against DORA’s stringent requirements, updating governance chains, policies and procedures – paying particular attention to core DORA focus areas such as incident response and resilience testing – and completing an in-depth contract inventory and remediation exercise,” he says.

The IT impact

Since DORA stipulates that organisations need to assess the resiliency of their IT supply chain, third parties – which include IT providers – also need to understand their responsibilities under DORA. Traill says IT firms should update contract terms and potentially establish an EU entity.

“All providers of ICT services that are not designated as ‘critical’ but that have customers that are in-scope financial entities – including a vast range of providers of software and related products, often based outside the EU – need to take steps to enable such customers to comply, including by reviewing and updating processes and policies and updating contract terms,” he says.

“Proactive measures are crucial to align with DORA’s requirements and avoid significant consequences, including – for financial entities and ‘critical’ ICT providers – substantial fines.”

Forrester’s van der Hout recommends that IT leaders in financial organisations that need to comply with DORA look at the contracts covering the IT they implement.

“There are implications if those IT vendors you use do not comply enough with DORA,” she says. While IT leaders have the option to terminate such non-compliant contracts, van der Hout warns that “untangling their IT from your IT infrastructure is hard”.

Beyond the work needed to ensure the cyber resiliency of third-party IT providers, Thales’ Deslorieux notes that DORA explicitly mandates organisations to define and enforce policies to encrypt data at rest, in transit and in use, and thoroughly manage the cryptographic keys this encryption relies on. “Financial services must also provision for updating or changing the cryptographic technology on the basis of developments in cryptanalysis,” he says.

The experts Computer Weekly has spoken to recognise that work is needed to implement DORA compliance and to ensure ongoing maintenance for continued compliance. These are additional costs.

Implementation, according to Forrester, will depend purely on the cyber security maturity of the business, but DORA builds on existing IT security frameworks, which means many have probably done most of the work needed to achieve compliance with the new regulation.

Van der Hout points out that it is the ongoing costs that will have a more long-term impact on IT budgets. She estimates that maintaining DORA compliance could add 10% to an organisation’s cyber security costs. 