DORA

Digital Operational Resilience Act

DORA – Guidance for Non-EU Service Providers with EU Financial Institutional Clients and EU Financial Institutions with Non-EU Service Providers

Starting With DORA

For DORA, 17th January 2025 marks the start of full application, but for many organisations 30th April 2025 is an equally critical date.

Key milestones:

  • 17th January 2025: Financial entities in scope must be able to demonstrate compliance with DORA’s requirements.
  • 30th April 2025: EU financial institutions must submit their registers of information on contractual arrangements with ICT third-party providers to their competent authorities, which forward them to the European Supervisory Authorities (ESAs) for use in designating critical providers.

Immediate action is required to establish compliance processes. By partnering with Leysen, organisations can meet these deadlines efficiently, ensuring:

  • Seamless delivery of reporting and validation.
  • Independent, continuous evidence of compliance.
  • Reduced operational and resource burdens.


Beyond regulation, organisations with up-to-date Leysen DORA Reports gain a commercial edge, integrating NIS, ICO, and ISAE into comprehensive compliance reporting.


DORA Background

The Digital Operational Resilience Act (DORA) strengthens the European financial sector by addressing ICT disruptions and cyber threats. Effective from 17th January 2025, its focus areas and the entities it affects are set out below.

What is DORA

DORA establishes a comprehensive and consistent framework for managing ICT risks in the financial sector. Its goals include ensuring operational continuity during ICT disruptions, standardising risk management practices across the EU – and beyond where necessary – and enhancing system resilience through regular testing and oversight. A further goal is to bring regulatory oversight of ICT risk to a level commensurate with existing financial compliance measures, something which has not existed previously.

Entities impacted by DORA include EU-based financial institutions, such as banks, insurers, and institutions for occupational retirement provision (IORPs). It also reaches critical third-party ICT providers, including non-EU vendors delivering essential services, which fall under the ESAs’ oversight framework. In practice, any ICT provider serving EU financial institutions must be able to meet the contractual, audit and incident-reporting obligations that DORA places on its clients. Failing to comply could result in penalties, damaged partnerships, and reputational harm.

A UK-equivalent DORA is expected to follow and be very much aligned with EU legislation.

Key Components of DORA

DORA is usually described as having five pillars; in practice there are six. They are set out below, with the sixth, oversight of critical ICT third-party providers, being every bit as important as the other five:

  • ICT Risk Management involves establishing a comprehensive framework to identify, assess, and mitigate ICT risks. Standards such as ISO/IEC 27001 can support this effort.
  • ICT-Related Incident Management mandates processes for detecting, classifying, managing, and reporting major ICT-related incidents to the competent authority, using staged initial, intermediate and final reports within defined timelines.
  • Digital Operational Resilience Testing requires regular testing of ICT systems, including threat-led penetration testing (TLPT) for entities designated by their authority and disaster recovery drills, to ensure robustness against disruptions.
  • ICT Third-Party Risk Management emphasises due diligence, contractual safeguards, compliance audits, and continuous monitoring of vendors providing critical or important ICT services.
  • Information Sharing fosters collaboration within the financial sector by exchanging threat intelligence and best practices to strengthen collective defences.
  • Oversight of Critical ICT Third-Party Providers applies stricter, direct scrutiny to providers designated as critical, including mandatory reporting to and engagement with the European Supervisory Authorities (ESAs).

Achieving Compliance

Leysen supports organisations in building a resilient, DORA-compliant operation through structured planning and practical implementation. By leveraging recognised standards and creating tailored solutions, we ensure seamless compliance while minimising operational burdens. Key steps in achieving compliance include:

Gap Analysis: Identify areas needing improvement by comparing current ICT policies against DORA requirements.

Risk Management Frameworks: Develop frameworks aligned with recognised standards such as ISO/IEC 27001 and assurance reporting such as ISAE, prioritising risks based on impact.

Testing Programmes: Conduct regular resilience tests, including penetration tests and disaster recovery drills.

Third-Party Oversight: Update vendor contracts to include audit and access rights, incident notification duties, exit strategies, and performance tracking.

Incident Reporting Systems: Implement classification and reporting processes aligned with DORA’s mandatory incident-reporting timelines.

Threat Intelligence: Stay informed about emerging threats and collaborate on shared defences.


Streamlining Compliance with Leysen

Leysen leverages existing standards such as SOC 2 and ISO/IEC 27001 to simplify DORA alignment. We offer tailored tools, including:

Incident response platforms for scalable management.

Resilience testing tools for cost-effective compliance checks.

Bespoke reporting solutions built to your organisation’s needs.

Work With Us

Get Ahead—Contact Leysen Today

Achieve DORA Compliance With Leysen.

Contact Us

Our Accreditations and Certifications