Navigating DORA: Is Your Financial Institution Ready?

The Digital Operational Resilience Act (DORA), in effect since January 17, 2025, marks a major evolution in EU financial regulation. It tackles operational resilience, especially concerning Information and Communication Technology (ICT) risks.
DORA acknowledges the financial sector’s significant reliance on third-party ICT providers and establishes rules for managing these relationships.
Financial firms depend on ICT services for core tasks, which makes the providers of those services central to DORA compliance. A firm's efforts to align with DORA's requirements for risk management, incident reporting, and operational resilience testing contribute to the stability and security of the EU's financial system.
Let’s explore DORA’s categories of ICT providers, key responsibilities, and steps that can be taken to help financial institutions comply with DORA.
Categories of ICT Providers under DORA
Understanding the role of ICT providers is important for financial institutions under DORA, as these providers play a significant role in supporting the operational functions and resilience of the organization.
DORA categorizes ICT providers into two main groups based on their significance to financial institutions:
Basic ICT Service Providers
Offer standard ICT services without supporting the financial institution’s critical functions.
Example: A local IT company providing basic software maintenance or help desk support.
Critical ICT Service Providers
Deliver services that a financial institution considers to support one or more of its "critical or important functions," meaning the functions the firm regards as essential to its core operations. Note that this entity-level assessment is distinct from the Union-level designation of "critical ICT third-party service providers," which is made by the European Supervisory Authorities and places those providers under a separate oversight regime.
Example: A cloud storage provider hosting sensitive financial data or a payment processing system vendor.
Knowing these categories helps financial institutions assess and manage the risks associated with outsourcing and reliance on external technology services.
Key Responsibilities of Financial Institutions
Under DORA, financial institutions have five key pillars of responsibilities to ensure their operational resilience:
ICT Risk Management: Financial institutions must implement a framework to identify, assess, and mitigate ICT-related risks. This includes conducting regular risk assessments, identifying potential vulnerabilities, and developing strategies to address these risks, backed by security measures that protect against cyber threats and data breaches.
Incident Reporting: Timely and accurate reporting of ICT-related incidents is crucial. Financial institutions must have systems in place to detect, assess, and report incidents that could impact their services or clients, and major ICT-related incidents must be reported to the competent authority. This includes establishing clear reporting channels and procedures for classifying incidents based on severity.
Digital Operational Resilience Testing: DORA requires financial institutions to test their systems regularly, including advanced threat-led penetration testing (TLPT) of critical systems at least every three years for entities identified by their competent authority. This testing aims to enhance their ability to withstand and recover from disruptions, supporting service continuity in challenging situations.
Third-party Risk Management: Financial institutions should actively monitor and manage risks linked to their ICT service providers, as well as those providers’ subcontractors and suppliers. By doing this, financial institutions can help ensure strong resilience and security throughout the entire delivery chain.
Information Sharing: DORA encourages open communication and cooperation within the financial ecosystem. This may include sharing cyber threat intelligence, participating in sector-wide exercises, and contributing to the overall resilience of the financial sector.
DORA may also apply to US companies if the organization provides financial services in the EU. DORA isn't just an EU effort; it covers any non-EU company with financial activities in the region, ensuring that all parties contribute to digital resilience.
Additionally, DORA can indirectly impact non-financial services companies, given the obligations it places on ICT providers. Since financial institutions depend on these providers for essential services, non-financial companies in the ICT sector may find themselves needing to meet certain standards and practices to maintain and support the operational resilience of their financial clients.
Preparing for DORA Compliance
As a financial entity, consider these steps to support your organization’s efforts to align with DORA guidelines:
- Conduct a Comprehensive Self-Assessment: Evaluate your current practices against DORA’s requirements, identifying potential gaps and areas for improvement.
- Update Documentation and Policies: Review and revise your internal policies, procedures, and documentation to align with DORA’s guidelines.
- Enhance Security Measures: Consider implementing or upgrading security controls, focusing on areas like access management, encryption, and network segmentation.
- Develop an Incident Response Plan: Create a detailed plan that addresses DORA's incident reporting and management requirements.
- Implement Continuous Monitoring: Consider establishing systems for ongoing monitoring of your ICT infrastructure to support sustained alignment with DORA.
Cisco can assist financial institutions through a comprehensive security portfolio designed to strengthen their operational resilience and support their alignment with DORA’s framework. Our integrated approach can help address key areas, including risk management, incident reporting, and digital resilience testing. Some of Cisco’s featured solutions include:
Cisco Secure Workload: Aids in risk management by providing visibility into workload behavior and security posture.
Cisco XDR: Simplifies security operations by correlating data from multiple security layers, applying advanced analytics to prioritize and respond to threats.
Cisco Talos: Provides threat intelligence to support continuous monitoring and incident response.
Cisco ThousandEyes: Supports digital resilience testing by monitoring the digital ecosystem and ICT partners.
Cisco Security Suites: Offers comprehensive security solutions that integrate multiple technologies for holistic protection. These include Cisco User Protection Suite for securing user access and data, Cisco Cloud Protection Suite for cloud-native security, and Cisco Breach Protection Suite for advanced threat defense.
Visit our website for a comprehensive overview of Cisco’s security portfolio.
Conclusion
DORA represents a significant shift in how financial institutions approach operational resilience and risk management. By understanding and implementing DORA's requirements, financial institutions can better manage their ICT service providers and help ensure the stability of their operations. The regulation not only mandates compliance but also offers financial firms an opportunity to enhance their security posture and build stronger partnerships with their ICT providers. Embracing DORA's framework helps them navigate the complexities of their digital landscape while maintaining trust and confidence in their services. By fostering a culture of resilience and collaboration, financial institutions can contribute to the overall stability and security of the EU financial system.
For more information on how Cisco can support your DORA alignment efforts, consider these resources:
Video: Accelerate Digital Transformation with DORA (:51)
Whitepaper: Navigating DORA with Cisco Security Solutions (PDF)
Blog: DORA Checklist: 3 Key Areas to Watch