DIGITAL OPERATIONAL RESILIENCE ACT (DORA)

DORA represents a pivotal shift in the European Union’s approach to ensuring the operational resilience of the digital infrastructure within the financial sector. Its main objective is ultimately to prevent and minimize cyber threats in the financial services industry.

NAVIGATING DORA WITH EASE

DORA requires that all businesses in scope are strong and flexible enough to withstand, respond to and recover from any ICT-related cyber threat. The regulation ultimately aims to assign cyber security responsibilities within the financial services industry: each entity's senior management and leaders will be held responsible for the entity's failure to comply.

Arguably the most compelling component is the penalties for non-compliance. The European Supervisory Authority (“ESA”) has issued clear and concise guidelines in this space, setting a periodic penalty payment of 1% of the average daily global turnover in the previous year; the penalty accrues daily until the entity adheres to the DORA regulations.

DORA applies from 17 January 2025, so financial firms now have less than eight months for the implementation work. The ESA issued the first batch of draft regulatory technical standards (“RTS”) and implementing technical standards (“ITS”) in June 2023, and the second and final batch is due by 17 July 2024.

KEY CHALLENGES AND REQUIREMENTS

  • ICT Risk Management: Entities are expected to develop their ICT risk management frameworks. Notably, under DORA, senior management is ultimately responsible for ICT risk management; consequently, the board and executives are expected to define the risk management strategy.
  • Third-Party Risk Management: Entities are expected to take an active role in managing third-party risk. For instance, when outsourcing critical and/or important functions, financial firms must negotiate key contractual areas, including exit strategies.
  • Resilience Testing: Entities must test their ICT systems on a regular basis to identify vulnerabilities; consequently, financial firms must undertake a series of key tests, including vulnerability assessments and scenario-based testing, once a year.
  • Incident Response & Reporting: Under DORA, entities are also required to set up systems for monitoring, managing, logging, classifying and reporting ICT incidents. Depending on the severity of the incident, financial firms may need to report it to the respective regulators, affected clients and partners.
  • Information and Intelligence Sharing: Lastly, there is a final pillar, information and intelligence sharing; under the ESA regulations, this is an optional requirement for financial entities.

SOLUTIONS

Our view at Wrangu is that DORA is a major “game changer” that will push and accelerate financial service organizations to understand how their ICT risk management, cyber, operational resilience and third-party risk management practices affect the resilience of their most important and critical functions.

At Wrangu we understand the complexities and pressures that DORA presents, and we also understand what the regulators are expecting. No matter where you are in your DORA and resilience journey, Wrangu has you covered, with a risk dashboard providing comprehensive metrics and KPIs to ensure full adherence in the following areas:

  • Risk Management

    Leverage the Now™ IRM platform to automate continuous compliance monitoring, setting risk tolerances for ICT disruptions supported by KPIs and risk metrics.

  • Third-Party Risk Management

    Now™ tools simplify the process of managing third-party risk, including undertaking concentration risk assessments of all outsourcing contracts that support the delivery of critical or important functions.

  • Resilience testing

    Now™ offers resilience testing services to identify vulnerabilities, mitigate risks, and ensure your digital operations are resilient against disruptions. The Now™ platform allows financial firms to show the regulators that they have undertaken an appropriate set of security and resilience tests on their critical ICT systems and applications and, importantly, to evidence that they have fully addressed any vulnerabilities identified during testing.

  • Comprehensive Risk Assessment Tools

    Equip your organization to conduct thorough risk assessments and resilience testing using the Now™ IRM platform. Under DORA, financial firms must undertake risk assessments of their ICT systems, and as part of this process they must also conduct business impact analysis to assess how specific scenarios and disruptions might affect the business.

  • Expert-Led Strategy and Implementation

    Benefit from our team’s extensive experience in IRM and cyber security solutions. At Wrangu we provide expert guidance and strategic planning to navigate the key requirements of DORA, ensuring not just regulatory compliance but also showing how DORA can act as a key driver in helping firms manage their digital risk and understand the impact of operational disruptions on their business and, importantly, their customers.

SCHEDULE A CONVERSATION