Elementrica
03Case Studies04References05Company06News07Contact
PLENDE

Stronger cybersecurity in financial services: a complete guide to the Digital Operational Resilience Act (DORA)

ElementricaElementrica7 min
Stronger cybersecurity in financial services: a complete guide to the Digital Operational Resilience Act (DORA)

DORA is not one more form to tick off. It is an EU regulation that puts hard obligations on financial institutions: ICT risk management, incident reporting, vendor oversight, and regular resilience testing, including threat-led penetration testing (TLPT). Compliance is the board's responsibility, and it reaches well beyond the IT department. Here is what DORA actually changes, who it applies to, and how to get your company ready without a last-minute scramble.

What DORA is and who it covers

The Digital Operational Resilience Act (DORA) is part of the EU's digital finance package. It sets one standard for operational resilience across the entire EU financial sector and applies directly, with no separate national law needed.

It covers a wide group: banks, insurers, investment firms, payment service providers, and the critical ICT vendors behind them, cloud companies included. If you work in finance or serve firms that do, DORA most likely applies to you.

The date is set: the rules apply as of January 17, 2025. This is a current obligation, and a gap here can block a contract or drag down an audit result.

Why DORA exists

Finance runs on technology top to bottom: cloud, online payments, vendors wired into each other. Every one of those links widens the attack surface.

One cloud provider going down, or one payment system breached, reaches far past IT. It means frozen transfers, customer accounts no one can reach, and real risk to market stability. DORA forces a firm to withstand that kind of scenario and recover fast.

The five pillars of DORA

  • ICT risk management. A technology risk framework built into the company's strategy. The board owns risk appetite and oversight.
  • Incident reporting. A duty to classify major ICT incidents and report them to the relevant authorities under one common set of rules.
  • Resilience testing, including TLPT. Regular vulnerability assessments and penetration tests. Significant entities must run threat-led penetration testing (TLPT) at least once every three years.
  • ICT third-party oversight. Map the supply chain and keep vendors in check. Critical third-party providers can fall under direct EU-level supervision.
  • Information sharing. Exchange threat intelligence across the sector so one firm's weakness does not become everyone's problem.

TLPT: testing against real attacker behavior

TLPT (threat-led penetration testing) runs a pentest along the scenarios real attackers use. Instead of a generic scan, the team recreates the tactics, techniques, and procedures (TTPs) of the groups that actually target financial firms.

Significant entities have to run TLPT at least once every three years. A good test goes past the technology and takes on people and process too: social engineering, an insider-threat simulation, and a check on how your defense team reacts to an attack in real time.

A TLPT answers the question the board actually cares about: would we survive a targeted attack, and where does our defense break. That is more useful than a raw list of holes, and it is the closest read on readiness you can buy short of a real incident.

Red team, blue team, purple team

TLPT often brings two perspectives together. The red team plays the attacker. The blue team defends: monitoring the network, detecting, and responding. The purple team is a way of working where both sides collaborate, so every gap the attackers find turns straight into better detection rules and a faster response.

For you that comes down to one thing: the test should do more than prove someone can get in. It should measurably improve your team's ability to spot an attack and stop it.

How to get your company ready for DORA

  • Map your ICT vendors. Find out who touches your data and processes, and write the DORA compliance requirement and a right to audit into the contracts.
  • Get incident reporting in order. A clear response plan, incident classification, and a reporting procedure, all rehearsed rather than just written down.
  • Plan your testing. A schedule for vulnerability assessments and penetration tests, plus a TLPT cycle if you are a significant entity.
  • Bring in the board. DORA puts ICT risk on the management body. The board signs off on the budget and the security policy.
  • Train your people, not only IT. Management and front-line staff are the most common attack vector.

From obligation to advantage

DORA lines up with NIS2 and GDPR into one picture of digital resilience. Companies that treat it as a list of don'ts will pay the cost and get nothing back. The ones that use it to genuinely raise their security maturity gain an argument they can use with clients and with the regulator.

Not sure whether your company counts as a significant entity, or whether you need TLPT? Book a free consultation. In 30 minutes, on a call with a consultant, we will pin down which DORA requirements apply to your organization and the next steps toward an audit.

Getting your company ready for DORA?

Book a free consultation and we will map out which DORA requirements apply and a TLPT plan for your organization.

Previous
Penetration testing vs. vulnerability assessment: a clear guide to the difference
Next
Why CVSS scores often miss the real threat