DORA digital resilience


Kees van der Vlies

Partner | IT Auditor


DORA, the Digital Operational Resilience Act, is a European regulation aimed at strengthening the digital resilience of financial institutions. For banks, insurers and other actors in the financial sector, the requirements of DORA are not optional but mandatory.

DORA sets requirements across four pillars: governance and organisation, incident reporting, testing of cyber resilience, and third-party risk management. Together, these pillars form a comprehensive framework for digital resilience in the financial sector.

DORA's governance requirements are extensive. Organisations must appoint a Chief Information Security Officer (CISO) or equivalent staff member who reports directly to the management board. This ensures that cybersecurity and operational resilience are addressed at the highest governance level, just as with NIS2.

Incident reporting under DORA is stringent. Organisations must report all cyber incidents with "major consequences" to competent authorities and regulators. This concerns incidents that disrupt operational continuity, damage trust in organisations, or affect the protection of data.

A unique element of DORA is the obligation to conduct advanced threat-led penetration testing (TLPT). Financial institutions must regularly have independent experts simulate targeted attacks to test their resilience. This goes beyond traditional penetration testing and places realistic scenarios at the centre.

Third-party risk management is also a core pillar. DORA recognises that many financial institutions depend on external suppliers and cloud providers. The regulation sets requirements for due diligence, contracting, monitoring and escalation of risks that arise from external relationships.

DORA makes digital resilience a core component of operational risk management in the financial sector. Implementation requires investment in technology, human capital and governance.

As a financial organisation, are you working on DORA compliance? We have extensive experience navigating this complex regulation. Let us strengthen your digital resilience together. Get in touch for advice.
