DORA compliance

DORA in control



As the EU's Digital Operational Resilience Act (DORA) gears up for enforcement in January 2025, we find ourselves at a critical point. The impact on European financial institutions and their ICT service providers is far-reaching. DORA isn't just another box to check for compliance; it requires a thorough rethinking of our approach to digital resilience and security.

The challenge

DORA is about equipping leaders to build institutions resilient enough to handle complex threats such as sophisticated ransomware attacks, espionage, and rapid geopolitical changes that could force a switch in IT service providers. This means making strategic choices, like selecting the right technology, revisiting how we access IT assets, redesigning our networks, re-evaluating longstanding IT partnerships, and embracing regular testing in real-world scenarios. 

Central to these shifts is our DORA Control Framework, crafted from the extensive 400-page DORA legislation. This framework isn't just a checklist; it's a detailed strategy to help organizations effectively implement and manage DORA's wide-ranging security requirements.

What makes DORA a challenge? It's a complex mix of factors: 

  • New accountability. DORA places significant responsibility for organizational resilience, risk management, and regulatory adherence on management teams.
  • Mandated exit strategy. There's now a requirement for organizations to have a planned cloud exit strategy, inclusive of contractual terms and exit testing. 
  • Advanced testing. DORA requires various tests for resilience, continuity, and security, even extending to third-party environments. 
  • Asset and supply chain management. Maintaining an overview of all critical assets, an ICT service provider registry, and protective measures for assets and risk reduction is essential, down to the last link in the chain, including supervision.
  • Detailed requirements. DORA specifies extensive requirements across backups, network design, operational control, incident management, and more.

Our DORA Control Framework

Our approach with the DORA Control Framework is both strategic and practical. We've transformed DORA's detailed and legalistic content into 8 (recognizable) domains and 87 underlying controls, each tied to specific legislation.   

We've created a dashboard based on a five-level maturity model to identify key risk areas and compliance gaps. We're also providing guidance for quarterly reports to keep management updated and ready for new emerging requirements. 

In summary, DORA is more than a regulatory hurdle; it's an opportunity to strengthen our digital resilience and security. Let's tackle this with the dedication and resolve it requires, using the DORA Control Framework as our guide to a safer and more resilient future. 

Visual DORA

Our three steps

Schuberg Philis plays a pivotal role in supporting its clients with the proper approach to DORA, treating it as a technological transformation. We have developed a specific three-step approach to effectively assist our clients in meeting the DORA requirements:

  1. Identification and visualization: We begin by mapping and visualizing key business processes and the underlying IT infrastructure. For this, we use our well-known canvases and Layer 3 and Layer 7 diagrams. If these documents are not available or insufficient, we provide support in creating them. 
  2. Unique DORA gap assessment: Next, we conduct an initial DORA gap analysis to determine exactly where the organization stands. For this purpose, we have developed a unique and market-leading DORA Control Framework. This framework is based on a careful analysis of all 400+ pages of the DORA legislation levels 1 and 2, which we have summarized and translated into 87 understandable and executable controls.
  3. Roadmap development and implementation: Based on the clear insights from the gap analysis, we develop a clear and pragmatic roadmap together with the organization. As a technology partner, we can actively support organizations in implementing the necessary adjustments to bridge the identified gaps.

With this structured approach, Schuberg Philis ensures that clients not only comply with the regulations but also build a stronger and more resilient IT landscape, in line with the demands of DORA. 

Want to know more?

Contact Sandeep Gangaram Panday.