The Digital Operational Resilience Act (DORA) is a European regulation designed to enhance the resilience of financial entities against IT and cybersecurity risks. Its ambitious objective is to improve organizations’ ability to anticipate and manage crises while optimizing their operational resilience.
To learn more about the regulation’s details, you can refer to this article: What does DORA mean for Resilience of financial organisations?
The key deadline of January 17, 2025, marks the theoretical compliance date for financial entities. It also signals the beginning of supervisory operations by regulatory authorities.
In this context, Damien LACHIVER and Etienne BOUET, Senior Managers at Wavestone and experts in DORA compliance, with extensive experience supporting CAC40 entities, share their insights into the practical challenges and opportunities brought by this regulation, as well as the regulators’ expectations and essential actions for effective preparation.
How does DORA go beyond mere regulatory compliance?
E.BOUET: DORA should not be seen merely as a compliance exercise. Yes, there are regulatory requirements to meet, but the real challenge lies in building resilience. The question to ask is: how can compliance with DORA effectively enhance operational resilience? This connection is not always straightforward. For instance, gap analyses or cybersecurity audits often reveal vulnerabilities, and compliance alone is insufficient if it doesn’t come with genuine improvements in resilience.
D.LACHIVER: Many entities are still focused on compliance since DORA addresses areas already well established, such as cybersecurity, business continuity, and IT risk management. Large organizations, in particular, already benefit from high compliance levels due to decades of experience.
However, beyond this compliance phase, it is crucial to shift towards remediation and anticipation, implementing initiatives that will not be fundamentally different from the historical programs already initiated. The real focus should be on identifying new scenarios or solutions that can strengthen resilience.
What are the critical scenarios to consider for improving resilience?
D.LACHIVER: Two major scenarios require significant attention and investment:
- Total loss of internal IT systems: how can information systems be restored and fully rebuilt after a large-scale cyberattack?
- The sudden loss of a critical third party: what happens if I lose a partner or service provider whose operational disruption has a significant structural impact on my business?
E.BOUET: The growing dependence on third parties has not yet been fully recognized as a major risk. The associated scenarios are not sufficiently integrated into strategic priorities, leading to a lack of investment in preparedness.
Will financial entities be ready by January 17, 2025?
E.BOUET: It is unlikely that all companies will be fully ready by January. The market as a whole faces delays, although significant progress has been made. For instance, most of the normative documents required for compliance have been finalized, and priorities have been aligned with risk management needs.
D.LACHIVER: Indeed, January 17, 2025, will mark more of a milestone than a conclusion. Most operational projects, such as third-party management, remain to be addressed and will require ongoing effort.
What are the main challenges in implementing DORA?
E.BOUET: Initially, the main challenge was mobilizing a wide range of stakeholders: cybersecurity, risk management, procurement, legal, business, IT… While the topics addressed by DORA were already familiar to these teams, the regulation raises expectations and introduces additional requirements to roles that are already well-defined.
D.LACHIVER: Historically, these areas have often been handled in a fragmented, siloed manner. However, DORA demands significant and measurable progress in resilience, which requires a more coherent and integrated approach. Today, two key priorities stand out:
- Third-party management, which represents a massive challenge.
- Threat-Led Penetration Testing (TLPT), an ambitious but complex novelty.
Why is third-party management such a significant challenge?
E.BOUET: Third-party management (TPRM) is one of the key challenges posed by DORA. Third parties are everywhere, but they are often poorly managed. It’s not always clear whether they are critical or not, and relationships often lack proper structure. Managing reliance on critical third parties is common sense, but it goes far beyond contractualization: organizations need to identify their third parties, assess their criticality, and manage this dependency operationally, a challenge for many.
D.LACHIVER: Historically, this has been a neglected area, often handled in silos by procurement, cybersecurity, business continuity, and other functions. There is a lack of a comprehensive view of third-party risks. DORA’s aim is precisely to move beyond this fragmented approach and build a cohesive end-to-end management framework throughout the contract lifecycle.
What does “testing exit strategies” with critical third parties mean?
D.LACHIVER: Testing exit strategies means anticipating how an organization would respond if a third party’s services were interrupted, whether voluntarily or involuntarily. For example, in the case of a cyberattack on a service provider, it may be necessary to sever the relationship to protect the organization’s own information systems.
E.BOUET: Tabletop exercises help assess reliance on third parties and theoretically simulate the procedures to follow in different scenarios. They also encourage organizations to rethink their relationships with certain providers, particularly those unable to align with DORA’s requirements.
What makes TLPT (Threat-Led Penetration Testing) a specific challenge?
D.LACHIVER: TLPT is one of the key innovations introduced by DORA. It involves threat-led penetration tests guided by the DORA regulation and the theoretical TIBER framework, as adapted by national authorities. While the theoretical framework is well-defined, practical implementation remains challenging, as these tests are not yet common in the financial sector. Their limited frequency (one test every three years) and the regulator’s resources reduce the immediate urgency, but they are crucial for strengthening resilience.
E.BOUET: These tests still raise many questions, as they require a new approach for some players, especially those less experienced with this type of exercise. Currently, we are in a waiting phase, with a few dry-run initiatives underway. The actual implementation will depend on the regulator’s planning and the lessons learned from the first fully executed TLPTs in the coming months.
How can DORA transform IT risk governance?
D.LACHIVER: DORA promotes a unified approach to IT risk management by breaking down silos between various functions, such as cybersecurity, business continuity, and procurement. This involves:
- Harmonizing key terminologies and concepts (for example, ensuring that the concept of criticality is understood consistently across all functions) to streamline and improve interactions with business units.
- Implementing structural changes (such as adopting a CSO model – Chief Security Officer) to establish unified governance across functions, enabling more effective and coherent decision-making.
What are the concrete requirements to comply with DORA by January 17, 2025, and beyond?
E.BOUET: The first major expectation for January 17 is the ability to identify a major incident according to DORA’s criteria and notify the regulator. This requires well-defined operational processes to ensure rapid detection and reporting. This requirement is justified, given the history of IT and security teams in a sector accustomed to managing critical incidents.
D.LACHIVER: Then, by April 30, 2025, financial entities will need to produce a register of information on their third parties. I believe organizations will be able to provide such a register by this date. However, additional work will likely be needed to improve its quality and completeness.
E.BOUET: Finally, throughout 2025, what matters is demonstrating that entities are making progress. Regulators expect projects to be initiated, identified gaps to be gradually addressed, and tangible advancements to be made. The key is to have a clear and structured roadmap to meet DORA’s expectations.
What are the long-term benefits expected from DORA?
D.LACHIVER: DORA has the potential to create a virtuous cycle by strengthening risk management, business alignment, and operational resilience within the sector. It encourages entities to go beyond compliance and integrate these priorities into their overall strategy.
E.BOUET: One key aspect is the reaffirmed responsibility of executive leadership. Their involvement, particularly through regular risk validation, enhances overall awareness and drives the investments necessary to improve resilience.
D.LACHIVER: This connection between operational teams and leadership aligns strategic and operational priorities, fostering a culture of continuous improvement. It also empowers IT risk teams and supports the transformation of organizations toward greater digital resilience.
For any support in achieving DORA compliance, you can contact: