DORA: 3 Strategies for Meeting Compliance

Nicholas Jackson

May 15, 2025

For financial services organizations that do business in the European Union (EU), 2025 is the year of DORA -- the Digital Operational Resilience Act.

In a previous blog, A Game-Changer in EU Financial Cybersecurity and Resilience, I provided background on DORA, why it was established, and the specific requirements organizations need to know. Today, I will provide three strategies financial organizations can use to maintain DORA compliance and harden their cyber and operational resilience.

Strategies for DORA Compliance

There are numerous ways to help your organization achieve DORA compliance. Here are three of them.

  1. Use DORA as an Opportunity to Harden Operational Resilience

In the lead-up to DORA implementation, the underground chatter was there at times: “Oh, great. Yet another cybersecurity regulation that will have to be studied, broken down into requirements, and constantly monitored for compliance. Don’t we already have enough frameworks, standards and regulations to contend with?”

In today’s complex regulatory environment, that’s a worthwhile conversation. However, it’s important to note that DORA is designed specifically for the financial industry and addresses risks and challenges unique to it. Finance today is almost entirely dependent on digital transactions – more so than any other industry – and it can be helpful to address these challenges with guidelines and regulations aligned to the industry’s own use cases.

DORA is an opportunity to harden operational resilience in an extremely dynamic threat landscape. Financial organizations are big targets, and their ICT (Information and Communication Technology) infrastructures are highly distributed and complex. DORA provides a robust framework for ensuring cyber and operational resilience and provides an opportunity for financial organizations to harden their security strategies. Meeting DORA compliance requires organizations to identify risk, close security gaps and maintain good cyber hygiene. Rather than check a few boxes, security teams should use the requirements within DORA to ensure cyber and operational resilience.

  2. Document Everything in a Central Repository of ICT Information

DORA requires financial organizations to record all third-party ICT service providers and any critical subcontractors in a central register of information (ROI) document – including identification information for the third parties, where they are based, contact details, contractual information, scope of service provided, risk categorization, monitoring provisions and internal ownership. This repository is a great opportunity to formalize cybersecurity and risk management information about the ICT supply chain in one place, where it can be updated, referenced, and made available to authorized stakeholders inside and outside the organization.

This ROI document can be used as a playbook during attacks or other incidents, providing responders with the context they need to take quick and decisive action in the moment. The document can also hold step-by-step instructions that preserve knowledge and expertise even if employees leave the company.

  3. Focus on Third Parties and How They Impact Business Risk

The financial industry is inherently interconnected, allowing businesses, consumers and other entities to make digital transactions in near real time. This interconnectedness makes organizations dependent on third-party partners, vendors and even customers. If any of these access points are compromised, threat actors may have the ability to spread to other systems in search of additional targets, which Bitdefender has observed as an increasing trend.

DORA understands the dependence on third parties and requires organizations to better understand how their suppliers impact business risk. This includes ICT service providers, managed service providers, cloud service providers, vendors, Software as a Service (SaaS) platforms and other entities using unmanaged applications, services and devices.

But how do you know if a vendor is updating their software with the latest patches? Or if a cloud service provider is using the most advanced cybersecurity tools and techniques to keep threat actors away from your data?

Penetration testing and tabletop simulations allow security teams to probe unmanaged entities for potential vulnerabilities. Such tests and simulations measure preparedness and resilience, giving financial organizations insight into their security posture and ensuring that they, together with their suppliers, know how to respond in the event of an incident. These insights can then be used to address the gaps found, reassess partnerships, and put positive pressure on suppliers to do better.

DORA Is More Than a Checklist

Meeting DORA compliance can be a great opportunity for financial organizations to harden their cyber and operational resilience. The requirements stated by the regulation are specifically designed to address the challenges the finance industry faces and can be aligned with other standards or business objectives.

Organizations will ideally use DORA as an opportunity to assess risk appropriately, document a register of information (ROI), and take third-party partners and suppliers into account. Doing this within the DORA guidelines helps organizations meet the dynamic challenges financial entities face in today’s always-on, hyperconnected world.

Author


Nicholas Jackson

Nicholas is an accomplished professional, currently serving as the Director of Cyber Operations at Bitdefender. In this capacity, Nicholas is responsible for three services: Offensive Security, Security Advisory, and Delivery Management. With an extensive cybersecurity background gained across various globally recognized organizations, he offers a wealth of cybersecurity experience. His journey through diverse cybersecurity landscapes has equipped him with a nuanced understanding of the field, making him a trusted leader in shaping robust and effective cybersecurity strategies.
