Part 1 of this two-part series provides an overview of DORA and makes the case for why everyone should care about it, even if you’re not legally subject to the law. Part 2 dives into some of the specifics of DORA compliance.
Complying with DORA isn’t a matter of just buying one tool or making a simple process change—the threat landscape is sophisticated and varied, and your protections need to be as well. Even if your organization isn’t legally subject to DORA, it is an excellent framework help you fortify the digital resilience of your business.
This is not a comprehensive list of everything you need to do to comply with DORA, but rather an overview to help guide you through the types of activities, processes, technologies, etc. you’ll need to ensure compliance, including:
ICT risk management
Operational resilience testing
Third-party risk management
Technology to facilitate compliance
Checklist for putting it all together
ICT risk management
DORA mandates that financial entities build and maintain robust information and communication technology (ICT) risk management systems to protect against disruption. ICT risk management involves three core activities:
Risk identification: Know your vulnerabilities. Conduct a thorough audit of your systems, networks, and processes. Tools like vulnerability scanners and penetration testing can help uncover weaknesses.
Assessment and mitigation: Not all risks are created equal. Prioritize them based on their potential impact and likelihood. Then implement mitigation measures like firewalls, encryption, and employee training.
Continuous monitoring: Risks evolve, so regular monitoring is essential. Real-time threat detection tools and continuous auditing ensure your protections and controls remain effective.
For practitioners working in networking, security, or IT operations, DORA’s ICT risk management mandates can feel like one more thing to add to an already overwhelming agenda. But effective risk management doesn’t have to be a massive overhaul or a distraction from your daily work. Here are some practical steps you can take:
Start with what you already know. You probably already track vulnerabilities or incidents in some way. Use this data as a baseline to prioritize what needs the most attention. For example, focus on high-risk systems with known issues first.
Pro tip: Create a “top risks” list and tackle one each quarter. You don’t need to boil the ocean—just make incremental progress.
Automate where you can. Use tools like vulnerability scanners or SIEM platforms to automate routine risk assessments. These tools can save hours of manual work while helping you stay ahead of potential threats.
Pro tip: Schedule automated scans monthly and review the results in your team’s weekly meetings.
Involve your team. Risk management isn’t a solo act; share the load by assigning small tasks, like reviewing backup systems or running disaster recovery drills, to team members.
Pro tip: Set up a rotating “risk captain” role, where each month, one person is responsible for leading a specific risk-related task.
Build relationships with compliance teams. They’re not your enemy—they’re your allies. Regularly check in with them to align your activities with what auditors will be looking for.
Pro tip: Set up a 30-minute biweekly sync with compliance leads to stay on the same page.
Document as you go. Don’t wait for audits to start documenting processes and fixes. Use lightweight tools to log activities as you complete them.
Pro tip: Block 15 minutes at the end of the week to write down what got done. It adds up.
Operational resilience testing
Just like you need fire drills to test your fire safety processes, you need testing to validate your resilience plans. If there’s a piece of the process that doesn’t work, you want to find and fix it before a real problem strikes. The more you test, the better you understand your systems’ strengths and weaknesses.
But testing isn’t just about finding flaws; it’s also about building confidence. And there are other long-term benefits to resilience testing beyond compliance. You’ll respond faster and more effectively to a broader range of incidents. You’ll build strong customer trust. And because identifying vulnerabilities earlier is far cheaper than recovering from a breach, you’ll save money.
There are different kinds of resilience tests:
Penetration testing: Simulating cyberattacks to identify vulnerabilities.
Scenario analysis: Running through hypothetical scenarios like a power outage or a phishing campaign.
Stress testing: Pushing systems to their limits to see how they perform under high demand.
Under DORA, operational resilience testing isn’t optional. Financial entities are required to conduct regular tests, including threat-led penetration testing, to ensure systems are prepared for potential disruptions.
Here are some resilience testing best practices:
Plan your tests. Identify key systems and potential risks. For example, critical payment systems may need more rigorous testing.
Simulate real-world conditions. Use threat-led penetration testing and realistic scenarios to mimic actual attacks.
Document and learn. Record test results and use them to improve systems and processes.
Involve third parties. Ensure your partners and vendors participate in testing to evaluate their resilience.
Third-party risk management
A digital ecosystem is like a chain—it’s only as strong (or secure) as its weakest link. Financial institutions increasingly rely on third-party ICT providers for cloud services, data analytics, and more. While these partnerships are vital, they can also introduce risks. A breach in a third-party provider’s system could compromise the operations, customer data, and reputation of the primary organization.
Under DORA, financial entities must:
Assess providers: Evaluate third-party ICT providers before and during the relationship. You’ll need to conduct detailed assessments of third-party providers’ security practices, financial stability, and compliance with regulations like DORA.
Establish contracts with providers: Clearly define roles, responsibilities, and security requirements. Use contracts to set expectations for security measures, reporting, and responsibilities in the event of a breach or service disruption.
Monitor providers continuously: Regularly assess performance and compliance. Consider using tools for real-time tracking.
Include partners in testing: Ensure third-party systems are part of operational resilience testing to identify vulnerabilities.
Technology to facilitate compliance
With the sheer volume of data, processes, and third-party interactions involved, manual compliance methods simply won’t cut it. Enter technology: a toolkit of automation and AI-driven solutions, compliance platforms, and real-time monitoring systems. According to a 2022 Gartner report, organizations that leverage automation for compliance see 30% faster implementation times and 40% fewer compliance gaps.
Technology doesn’t just make compliance easier—it makes it smarter. Following is a sampling of the types of tools and technologies that could facilitate DORA compliance; however, it’s neither comprehensive nor definitive—what works for one company may not work for another. When making decisions about DORA compliance, you need to talk to your own consultants, auditors, and legal teams to figure out what’s right for your business.
Risk assessment platforms: Solutions that can help you streamline ICT risk assessments and identify vulnerabilities quickly and accurately.
AI-driven monitoring systems: Real-time monitoring tools that use artificial intelligence to detect anomalies in network traffic, enabling proactive responses to potential threats.
Compliance management platforms: Solutions that centralize compliance tasks, from documentation to audit trails, ensuring you stay organized.
Thread-led testing tools: Platforms that simulate real-world attacks, helping you meet DORA’s operational resilience testing mandates.
Secure networking solutions: Networking is a critical component of DORA compliance, particularly for managing ICT risks and ensuring operational resilience. Shameless plug: Aviatrix Cloud Native Security Fabric (CNSF) is designed to provide enhanced visibility, network-level encryption, and operational resilience.
Of course, implementing technology—whether that’s for compliance or other purposes—requires you to address:
Cost concerns: Many organizations worry about up-front costs. However, the ROI often comes in the form of reduced penalties, improved efficiency, and enhanced customer trust, so take a longer-term view of value and consider how:
Automation will reduce manual workloads that free up your team for strategic tasks.
AI and real-time monitoring will identify threats before they escalate.
Centralized platforms simplify regulatory audits by ensuring documentation is always up to date.
Integration issues: Legacy systems can complicate tech adoption. Start small by integrating tools that address your most immediate compliance needs.
Employee training: Ensure your team understands how to use new tools effectively. Partner with vendors offering robust training programs.
Checklist for putting it all together
Assess your current state.
Perform thorough assessments of your:
Current ICT risk management practices
Operational resilience testing
Third-party oversight
Identify gaps that need immediate attention.
Prioritize quick wins.
Ensure your systems can log and report incidents promptly, as required by DORA.
Verify that your third-party contracts include clear expectations for security and resilience testing.
Train your team via workshops or e-learning platforms to familiarize them with DORA requirements.
Develop long-term strategies.
Create detailed project plans with clear timelines and responsibilities for more complex requirements such as:
Operational resilience testing
Third-party risk management
Monitor progress continuously.
Establish regular monitoring and updates to maintain resilience over time.
Use AI-driven monitoring to detect and address potential issues in real time.
Regularly update executives on compliance progress and potential risks.
Achieving DORA compliance isn’t just about avoiding penalties. It’s an opportunity to demonstrate to customers and other external partners your commitment to protecting their data, to strengthen operations, and to leverage compliance as a differentiator to stay ahead of the competition.
Aviatrix can help you meet DORA requirements
Aviatrix’s Cloud Native Security Fabric (CNSF) can help financial services organizations and others meet DORA’s stringent requirements by delivering:
Enhanced security: Aviatrix provides robust security features that help protect against cyber threats, aligning with DORA's ICT risk management mandates.
Operational visibility: Our solutions offer comprehensive visibility into network operations, facilitating effective monitoring and incident response as required by DORA.
Resilience testing support: Aviatrix's platform can aid in conducting operational resilience testing, ensuring that systems can withstand and recover from disruptions.
Third-party integration: Our solutions seamlessly integrate with various third-party services, assisting in the management of ICT third-party risks.
Experience Aviatrix CNSF for yourself: Schedule a demo.
