RiskTalk: What is DORA and why is digital resilience important?

In the first episode of the podcast RiskTalk (in Dutch), the Digital Operational Resilience Act (DORA) is discussed. DORA is a European regulation designed to enhance the digital resilience of the financial sector by requiring companies to manage IT risks carefully. As digital operations within the financial sector grow, IT infrastructures become increasingly complex and vulnerable. DORA mandates that financial organisations, including their third parties, adhere to strict security standards. The implementation deadline is set for 17 January 2025, underscoring the urgency of timely preparation.

More than just compliance: DORA as a foundation for continuity

According to Sean Weggelaar, Senior Supervisor at the Dutch Authority for the Financial Markets (AFM), DORA is not merely a mandatory regulation but also a means of strengthening societal resilience. "DORA ensures that when a supplier is impacted, critical services in society can continue to function. It’s about more than compliance; it’s about a higher level of protection and continuity," Sean explains.

Beyond this broader impact, DORA offers a clear framework for organisations struggling with fragmented IT regulations. The regulation unifies existing rules within the financial sector, providing clarity for companies in the industry. However, Wilco Pieterse of Protiviti notes that smaller organisations are looking for practical ways to meet DORA’s requirements. "How do you find the balance between minimal compliance and available resources? For smaller organisations, this is a challenge that calls for a smart approach," says Wilco.

Practical steps for successful DORA implementation

During the podcast, experts discuss strategic steps for an effective implementation of DORA. Wilco advises companies to start with the basics and gradually add more complex measures. This approach allows organisations to build up their risk management without overburdening resources. Jelle, co-founder of 3rd Risk, echoes this sentiment, emphasising the importance of a step-by-step approach and mapping out critical suppliers: "First, create an overview of your suppliers and categorise them into risk profiles, so you know which relationships need to be assessed first. This way, you systematically work towards full compliance," says Jelle.

Wilco also highlights the importance of aligning people, processes, and technology. He suggests that organisations invest in suitable technologies and maintain a balance between staff and operational policy structures. Sean adds, "We are increasingly seeing incidents arising from poor IT management. DORA provides a framework that mitigates these risks by bringing uniformity to standards and processes." DORA offers financial institutions the opportunity to control risks with benefits extending beyond compliance.

DORA’s long-term impact: Sector expectations

DORA is expected to contribute to a reduction in cyber incidents in the long term and better equip the sector against cybercrime. Sean predicts that DORA will help companies find consistency among overlapping regulations, such as the NIS-2 and GDPR. "The advantage of DORA is that it provides companies with more guidance. In five years, the sector will be stronger and better protected, contributing to the integrity and stability of the European financial market," Sean says.

Wilco points out that many companies are already moving towards specialised IT compliance but emphasises that a coordinated approach remains essential. "In practice, we see that organisations work best with a well-coordinated plan. This ensures that their systems not only meet the requirements but are also prepared for future threats and regulations," says Wilco.

DORA: From compliance to strategic value

The episode concludes with a call from Sean, Wilco, and Jelle for companies to get started quickly. DORA is not only a legal obligation but also an opportunity to invest in resilience and customer safety. For companies that have yet to start, the message is clear: begin now with a pragmatic approach. 3rd Risk supports these steps and helps organisations structure their processes and tools effectively so that they remain sustainably compliant and strengthen their market position.

Want to learn more about how to prepare your organisation for DORA? Listen to the full episode of the RiskTalk podcast and discover how to integrate digital resilience into the core of your business strategy.

Disclaimer: Sean Weggelaar from the AFM has been invited as a subject matter expert. The AFM does not endorse any provider, product, or service mentioned in this publication.