Skip to content
arrow-alt-circle-up icon

Cyber Incident?

arrow-alt-circle-up icon

Call 00800 1744 0000

arrow-alt-circle-up icon

Digital Operational Resilience Act

DORA: From deadline to continuous control

HuFiCon Management Memo:
Journey with the CISO

A mountain climb to cyber security resilience. Find out how to get to the summit of cyber security resilience in Inge van der Beijl's management memo, from her presentation at the Human Firewall Conference (HuFiCon) on the 14.11.2024.

The climb will take you from the base camp of foundational security to the high-camp of a security conscious culture, all the way to the summit consisting of strategic security integration. 

inge_van_der_beijl
Inge van der Beijl

Director Innovation

DORA2

DORA after the deadline

The DORA deadline has passed. But that does not mean the work is finished. Financial entities now need to prove, on an ongoing basis, that they can prevent, withstand, respond to and recover from ICT disruptions.

This requires more than a one-time compliance project. DORA asks for recurring controls, tested processes, clear ownership and evidence that can stand up to supervisory scrutiny. The stakes are real. Leaders may be held personally liable for failures to comply, and fines can be significant for both financial entities and critical ICT providers.

ESG-Legal

What should organisations keep doing for DORA compliance?

For many organisations, the main challenge is no longer understanding DORA. The challenge is keeping it working in practice. That means turning regulatory requirements into repeatable processes, regular testing, clear reporting and visible management oversight.

ICT risk management

  • Keep governance, risk assessments, asset insight, protection, detection and response, recovery, backups and improvement cycles up to date.

  • How Northwave helps: Boardroom training, ICT risk assessments, internal audits, governance support and control improvement.

Incident management

  • Maintain clear incident processes, classification rules, escalation paths and reporting routines.

  • How Northwave helps: Review, improve and test BCPs, IRPs and crisis management plans, including escalation, communication and reporting.

Resilience testing

  • Test systems, controls, recovery plans and, where required, advanced scenarios such as Threat-Led Penetration Testing (TLPT).

  • How Northwave helps: Vulnerability assessments, security testing, penetration testing, scenario exercises, red teaming and TLPT.

ICT third-party risk

  • Keep suppliers under control through due diligence, contract requirements, monitoring and an up-to-date register of information.

  • How Northwave helps: Supplier risk process implementation or improvement, supplier audits, due diligence, monitoring and register support.

Broader DORA requirements

Stars-2

Stay compliant. Stay resilient.

DORA compliance is not finished after the deadline. It needs ongoing attention, clear evidence and continuous improvement. Northwave helps you keep control, meet regulatory expectations and strengthen your operational resilience. For more information on how we can support your organisation, contact our experts in EU Digital Regulation and Compliance

Frequently Asked Questions

We can imagine that you have many questions. You can always contact us to learn more. Below are a few examples of questions that we can investigate further with you.

What is DORA compliance?

DORA compliance means meeting the requirements of the EU Digital Operational Resilience Act (DORA). Financial entities must be able to identify, manage, withstand, respond to and recover from ICT-related disruptions and cyber threats. Compliance covers ICT risk management, incident reporting, resilience testing and third-party risk management.

 

Is DORA compliance a one-time project?

No. DORA is designed as an ongoing operational resilience framework rather than a one-off compliance exercise. Organisations must continuously maintain controls, perform risk assessments, test resilience measures, manage suppliers and provide evidence that processes remain effective over time.

 

What happens if an organisation fails to comply with DORA?

Failure to comply with DORA can lead to supervisory actions, regulatory scrutiny, financial penalties and reputational damage. Management bodies are also expected to oversee operational resilience and may be held accountable for significant compliance failures.

 

What are the main pillars of DORA?

DORA is built around several key areas:

  • ICT risk management
  • ICT-related incident management and reporting
  • Digital operational resilience testing
  • CT third-party risk management

Together, these requirements help financial entities strengthen operational resilience and reduce the impact of disruptions.

 

How often should DORA controls and resilience measures be tested?
DORA requires regular testing of controls, recovery capabilities and resilience processes. For several requirements, the minimum frequency is annual, although more frequent testing may be needed depending on the organisation's size, risk profile and regulatory obligations. Testing may include vulnerability assessments, penetration testing, crisis exercises, incident response simulations, disaster recovery testing and Threat-Led Penetration Testing (TLPT) where applicable.
How can organisations maintain ongoing DORA compliance?
Organisations can maintain ongoing DORA compliance by embedding operational resilience into daily business processes rather than treating DORA as a one-time project. This includes continuously managing ICT risks, maintaining incident management and reporting procedures, performing regular resilience testing, monitoring ICT third-party providers, and keeping policies, controls and documentation up to date. Organisations must also retain evidence of compliance, report to management, and demonstrate to regulators that operational resilience measures remain effective over time.

We are here for you

Need help with your cyber security or wondering how secure your business really is?
Get in touch and we will help you find the best solution.


.