The DORA Act
Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) is a European regulation aimed at the financial sector. The purpose of DORA is to reduce IT threats, improve resilience and increase the companies’ ability to prevent and manage incidents in connection with information and communication technologies (ICT).
DORA applies as of 17 January 2025 to all financial institutions within the EU. For some companies, the regulation means additional IT security measures, even if they already follow, for instance, ISO 27001 or COBIT (Control Objectives for Information and Related Technology).
Understand DORA: what businesses should know
DORA applies to financial institutions, including (but not limited to) credit and payment institutions, investment companies, insurance companies and brokers, pension funds and trading platforms. The regulation stipulates a regulatory framework for digital resilience covering IT risk management, mandatory incident reporting, documentation of test plans, third-party risk management, and training and governance. Compliance ensures that companies have the right systems in place to withstand, respond to and recover from ICT-related disruptions and threats, including those arising through third parties.
The obligations can be broadly divided into five groups:
- Risk management in ICT
- Testing, preparedness and audits
- Managing the security at IT service providers (third-party risk management)
- Incident management and reporting
- Knowledge sharing
The importance of DORA compliance
Although DORA is an EU regulation, it also affects third-party ICT service providers. DORA only allows companies to sign contracts with suppliers who meet the information security requirements stipulated in the regulation. This includes cloud services, network services, hardware services and ICT consulting. DORA is a complex regulation that increases the obligations of many companies. A hasty or uninformed approach can not only make your business vulnerable but also expose you to legal and financial penalties. Any violation of the requirements can lead to a fine of up to 2% of the total annual turnover globally or up to 1% of the company's average daily turnover globally.
DORA compliance solutions
Our experts are ready to help your company with the transition to DORA and, not least, make your company more resilient anywhere on its cybersecurity journey.
DORA training of CEOs: DORA requires CEOs to undergo training to demonstrate effective management of cybersecurity issues. We have developed DORA training for CEOs in collaboration with De Clercq Lawyers. The training gives insight into the minimum risk management measures companies must take under DORA. This one-day course can be carried out at a location of your choice.
DORA GAP Analysis: Our experts can perform a DORA GAP assessment providing a detailed overview of your current security readiness level and the steps that need to be taken to comply with DORA. This service is based on our thoroughly tested Security Maturity Assessment.
DORA Implementation Solutions: We also offer a range of solutions to help implement DORA in your organisation. The scope depends on the outcome of your DORA GAP analysis, but may include incident reporting, awareness and behaviour support.
How to proceed
If your company is subject to the rules in DORA, you should start preparing now. Feel free to reach out to our cybersecurity experts to learn more about the DORA regulation and how to implement the strategies and solutions you need to manage risk and stay compliant.
What are the benefits of complying with DORA?
Compliance is mandatory for some businesses, but compliance with DORA also offers other benefits, including:
- Improved resilience to cyber attacks and better management of ICT threats
- Increased understanding of ICT risks across the organisation
- Better supervision of ICT supply chains
- Improved incident reporting and knowledge sharing
Why choose Bureau Veritas to help with DORA compliance?
- You get access to a team with many years’ experience in governance, risk and compliance
- We have a range of solutions specifically designed to assist you to comply with the requirements of DORA
- We are experts in the fields of people, processes and technology
- You get a dedicated contact person
- We present a clear roadmap to become and remain DORA compliant
- You get an experienced partner who is one of the largest in inspection, testing and certification
FAQ
- How does DORA relate to standards such as ISO 27001?
Existing standards, such as NIST and ISO 27001, explain how to comply with various laws through processes such as staff training, conducting audits and tests, using incident management, and risk management in the supply chain. These types of standards are a good complement to DORA, but compliance with them does not automatically mean that the company complies with DORA, which is a regulation in its own right.
- How does DORA change the requirements for incident management?
Incident management is a critical aspect of ensuring the security and continuity of services. Under DORA, companies must have plans in place to communicate with staff, external stakeholders, the media, and customers in the event of an incident. Internal escalation procedures must also be established. Additionally, major incidents must be reported to management with an explanation of the impact, response, and further controls to be implemented as a result of the incident.
- What is the timeline in connection with DORA?
DORA was adopted on November 28, 2022, and came into effect on December 27, 2022. DORA will apply starting January 17, 2025.
Do you need our help?
Feel free to contact us if you’re facing an issue we should look into together.