On January 17, 2025, the Digital Operational Resilience Act (DORA) became applicable across the EU. In February 2025, the Netherlands Authority for the Financial Markets (AFM) sent a request for information to all companies that hold an AFM license and fall under DORA. "Many parties are at a loss," say Ronald Plompen and Michel Steenbergen of consulting firm FLYzone, a partner of Fully In Control.

Financial institutions are increasingly becoming targets of cyberattacks. DORA is a European regulation that aims to increase the digital resilience of the financial sector. DORA focuses on ICT risk management, ICT incidents, periodic testing of digital operational resilience, risk management when outsourcing to (critical) third parties, and cooperation on the exchange of information about cyber threats. DORA also introduces a framework for European supervision of critical third-party ICT service providers.
One of the requirements under DORA is that financial institutions must maintain an information register of all contractual arrangements with ICT service providers. This register contains a multitude of entries (for example, which business process uses which system, and which subcontractors the ICT service providers themselves rely on), and the deadline is fast approaching. The AFM will request the information register in the near future so that it can forward the registers to the European supervisory authorities in time. This must be done by April 17, 2025, at the latest. DORA also requires a wide range of other measures, including an ICT risk management framework, business continuity plans, and third-party risk management. In addition, financial institutions must prepare for stress scenarios in which critical functions have to be restored within a short period of time. "This demands a lot from financial institutions, and many still have a long way to go before DORA implementation. Many institutions have already started with DORA, but they are often behind schedule. That is understandable, because these are complex issues. However, it is not optional but mandatory, so time is of the essence," Ronald emphasizes. "Moreover, you don't do it because the law requires it, but because you want to protect your organization and your customers," Michel reiterates.
To clarify the implementation of DORA, NOREA, the professional organization of IT auditors, developed a DORA Control Framework last year. This framework reduces the 400 pages of legislation to eight clear domains, 29 subdomains, and 90 underlying controls. This makes it easier for institutions to understand and apply the requirements and to perform gap assessments. It helps to translate exit plans and continuity tests into concrete actions. In addition, NOREA has taken the initiative to develop a reporting standard that organizations can use to account for their IT governance. This standard, known as the NOREA Reporting Initiative (NRI), provides management with a tool for accounting for their actions in an IT governance report and informing stakeholders about governance, risk, compliance, and essential IT topics. The descriptions for each IT topic focus on the management cycle (Plan-Do-Check-Act) that has been set up by the organization. Ronald and Michel consider the NRI to be a positive development: "With this upcoming reporting standard, there is now a solid basis for organizations of different sizes to report on their IT in a consistent manner."
Supporting software provides a clear overview of all actions that need to be performed for DORA. Fully In Control's Integral Management Platform offers a solution for managing DORA's operational and information security requirements within its ISMS solution. "This information can then be used, for example, to populate and maintain the information register. Submitting an information register is therefore not a one-off task. You must demonstrate that you are continuously improving and complying with the DORA requirements based on the Plan-Do-Check-Act cycle," explains Frank Walraven of Fully In Control. To make it easier for users, FLYzone has also developed a knowledge base and a set of best practices. "This makes it easier for users to compare existing controls with, for example, the DORA requirements and take targeted action to close any gaps," says Frank.
