Digital Operational Resilience Act
DORA: From deadline to continuous control
HuFiCon Management Memo:
Journey with the CISO
A mountain climb to cyber security resilience. Find out how to get to the summit of cyber security resilience in Inge van der Beijl's management memo, from her presentation at the Human Firewall Conference (HuFiCon) on the 14.11.2024.
The climb will take you from the base camp of foundational security to the high-camp of a security conscious culture, all the way to the summit consisting of strategic security integration.
Inge van der Beijl
Director Innovation

DORA after the deadline
The DORA deadline has passed. But that does not mean the work is finished. Financial entities now need to prove, on an ongoing basis, that they can prevent, withstand, respond to and recover from ICT disruptions.
This requires more than a one-time compliance project. DORA asks for recurring controls, tested processes, clear ownership and evidence that can stand up to supervisory scrutiny. The stakes are real. Leaders may be held personally liable for failures to comply, and fines can be significant for both financial entities and critical ICT providers.

What should organisations keep doing for DORA compliance?
For many organisations, the main challenge is no longer understanding DORA. The challenge is keeping it working in practice. That means turning regulatory requirements into repeatable processes, regular testing, clear reporting and visible management oversight.
ICT risk management
-
Keep governance, risk assessments, asset insight, protection, detection and response, recovery, backups and improvement cycles up to date.
- How Northwave helps: Boardroom training, ICT risk assessments, internal audits, governance support and control improvement.
Incident management
-
Maintain clear incident processes, classification rules, escalation paths and reporting routines.
- How Northwave helps: Review, improve and test BCPs, IRPs and crisis management plans, including escalation, communication and reporting.
Resilience testing
-
Test systems, controls, recovery plans and, where required, advanced scenarios such as Threat-Led Penetration Testing (TLPT).
- How Northwave helps: Vulnerability assessments, security testing, penetration testing, scenario exercises, red teaming and TLPT.
ICT third-party risk
-
Keep suppliers under control through due diligence, contract requirements, monitoring and an up-to-date register of information.
- How Northwave helps: Supplier risk process implementation or improvement, supplier audits, due diligence, monitoring and register support.
Broader DORA requirements
- How Northwave helps: Awareness programme, security monitoring, vulnerability management, backup and recovery, policy updates and recurring reporting.

Stay compliant. Stay resilient.
DORA compliance is not finished after the deadline. It needs ongoing attention, clear evidence and continuous improvement. Northwave helps you keep control, meet regulatory expectations and strengthen your operational resilience. For more information on how we can support your organisation, contact our experts in EU Digital Regulation and Compliance.
Frequently Asked Questions
We can imagine that you have many questions. You can always contact us to learn more. Below are a few examples of questions that we can investigate further with you.
What is DORA compliance?
DORA compliance means meeting the requirements of the EU Digital Operational Resilience Act (DORA). Financial entities must be able to identify, manage, withstand, respond to and recover from ICT-related disruptions and cyber threats. Compliance covers ICT risk management, incident reporting, resilience testing and third-party risk management.
Is DORA compliance a one-time project?
No. DORA is designed as an ongoing operational resilience framework rather than a one-off compliance exercise. Organisations must continuously maintain controls, perform risk assessments, test resilience measures, manage suppliers and provide evidence that processes remain effective over time.
What happens if an organisation fails to comply with DORA?
Failure to comply with DORA can lead to supervisory actions, regulatory scrutiny, financial penalties and reputational damage. Management bodies are also expected to oversee operational resilience and may be held accountable for significant compliance failures.
What are the main pillars of DORA?
DORA is built around several key areas:
- ICT risk management
- ICT-related incident management and reporting
- Digital operational resilience testing
- CT third-party risk management
Together, these requirements help financial entities strengthen operational resilience and reduce the impact of disruptions.
How often should DORA controls and resilience measures be tested?
How can organisations maintain ongoing DORA compliance?
We are here for you
Need help with your cyber security or wondering how secure your business really is?
Get in touch and we will help you find the best solution.
