
Digital Operational Resilience Act (DORA)

One partner for all your DORA requirements


What is DORA?

Businesses in the financial sector face a growing range of digital threats, including cyberattacks, system failures, and disruptions to critical services. The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to strengthen the resilience of financial institutions in the face of increasing digital risks.

It aims to ensure that financial institutions, including banks, insurance companies, and investment firms, are resilient against, and can recover from, cyber incidents, operational disruptions, and other technological challenges.

DORA sets out a comprehensive framework for managing your digital operational risks and lays down specific requirements for risk management, testing, incident reporting, and third-party service provider oversight.

Compliance with DORA is now mandatory for financial entities operating within the EU.

How does DORA work?

DORA works by requiring financial entities to implement robust operational resilience frameworks that reduce risk and strengthen security.

Historically, these areas have often been handled in a fragmented, siloed manner. DORA, however, demands significant and measurable progress in resilience, which requires a more coherent and integrated approach.

DORA can be broken down into the following four key areas:

Risk management

Identifying and managing digital risks, including those from third-party providers.

We will work closely with you to develop a tailored ICT risk management framework to identify, assess and mitigate risks to your organisation. 

We will conduct regular risk assessments, provide you with detailed reports, and implement security measures to safeguard your ICT environment.

Incident reporting

Establishing protocols for reporting and handling significant disruptions or cyber incidents within strict timeframes.

We will support you with the implementation of formal processes for promptly reporting ICT incidents, ensuring compliance with DORA. 

Our support includes a dedicated incident response team to develop a tailored business continuity plan, manage and respond to incidents effectively and provide support throughout. 

We also provide training programmes, designed around your individual business needs, to educate and prepare your staff.

Read more about PGI's Incident Response services.

Operational resilience

Conducting regular stress tests and resilience exercises to ensure that systems can withstand and recover from adverse scenarios.

We conduct regular stress tests and resilience exercises to ensure your systems can withstand and recover from disruptions. 

We develop plans for efficiently recovering from major incidents, ensuring their effectiveness through regular reviews and testing. 

We promote a culture of continuous learning and improvement in operational resilience through training and capacity building.

Read more about PGI's digital resilience capabilities.

Third-party risk management

Ensuring that your third-party suppliers, especially critical ones, are compliant with DORA standards. 

We conduct thorough assessments of your third-party service providers to ensure operational resilience and compliance with DORA standards. 

We conduct regular risk assessments and ensure that contracts with your suppliers include resilience requirements. 

We also provide due diligence reporting and information assurance services to ensure confidence in the security of your organisation and your suppliers.

Read more about how to mitigate third-party risk.

We know that the weight and scope of these new regulations can be overwhelming, even for more experienced risk managers. That’s why PGI are here to manage all areas of the DORA framework to help you successfully achieve and maintain compliance.

One supplier for all your DORA requirements

Whether you need support with identifying gaps in compliance, assessing your third-party vendors or implementing new policies or processes, PGI has a team of specialists with extensive experience across cybersecurity and digital resilience, so you can confidently achieve and maintain compliance through one trusted partner.

If you’re not sure where to start, PGI can support you with a thorough gap analysis which will provide you with actionable insights into areas that need improvement so that you can prioritise and address any identified gaps and achieve compliance.

Here's how we can help:

Scoping your requirements

Consultation: Our experts will meet with you to discuss support areas and gain an understanding of your business operations and requirements.

Gap analysis: We will conduct a thorough initial assessment to identify all areas needing improvement.

Prioritisation

Detailed report: We provide a detailed report highlighting gaps and offering actionable recommendations.

Prioritisation: Gaps are prioritised based on their impact on compliance and operational resilience.

Strategic planning

Customised strategy: We create a tailored implementation plan that aligns with your business requirements and operational goals.

Timeline: We will establish a clear timeline with milestones to track your progress towards DORA compliance.

Implementation

Framework creation: We help you to implement new policies and procedures that meet DORA requirements. We ensure these are approved and communicated clearly within your organisation.

Regular updates: Policies are continuously reviewed and updated.

Continuous improvement

Staff training: We will conduct comprehensive training for your staff to ensure they are fully equipped and understand the new policies and procedures.

Simulations and drills: We implement regular simulations and drills to test incident response and operational resilience plans.

Continuous learning: We promote a culture of continuous learning and improvement.

Ongoing support and consultancy

Expert guidance: At PGI, we believe in a human-led approach. We will provide close support and guidance throughout the process to address any challenges or changes to requirements.

Regular check-ins: We schedule regular check-ins to review progress towards DORA compliance and any adjustments needed.

Audit preparation: We help you to prepare for internal and external audits.

Review: We continuously refine and improve policies, procedures, and practices.

Measuring success

Performance metrics: It’s important that you’re able to measure and monitor the effectiveness of your new processes. We will help you to establish key performance indicators (KPIs) to monitor performance.

Reporting: We provide regular updates on compliance status and ensure timely, accurate incident reporting.

Feedback: We create a feedback loop to gather insights from your staff and stakeholders.

Completion

Final evaluation: We hold a final meeting to confirm with you that the work has been completed effectively and to a high standard.

Contact us to start your journey

Why choose PGI to support you with DORA?

  • Expertise in digital resilience: Our team of specialists have extensive experience in digital resilience, incident response, information assurance and cybersecurity, ensuring your organisation meets all DORA requirements effectively.
  • One supplier for all your business needs: At PGI, our experts boast a wide range of expertise across cybersecurity and digital investigations, making us your trusted partner for all your security needs.
  • Tailored implementation plans: We understand that every organisation is unique. We offer customised digital resilience frameworks that align with your business needs, ensuring a seamless integration of DORA requirements.
  • End-to-end support: We believe in a human-led approach. From initial assessment to final certification, PGI provides close and continuous support, including consultancy, policy development, training, and audit preparation.
  • Ongoing compliance management: We help our clients to maintain DORA compliance through regular testing, audits, risk management, and continuous improvement processes.
  • Incident response expertise: We help organisations to develop tailored incident response plans, ensuring you can quickly and effectively respond to digital disruptions in line with your specific requirements.
  • Regulatory knowledge: Our consultants are passionate about what they do. We stay up to date with the latest regulatory changes, ensuring you are always aligned with current DORA standards.
  • Proven track record: We have successfully guided organisations through complex compliance processes, making us a trusted partner for achieving DORA compliance.

Benefits of DORA

DORA has the potential to create a virtuous cycle by strengthening risk management, business alignment, and operational resilience within the sector. It encourages entities to go beyond compliance and integrate these priorities into their overall strategy. This connection between operational teams and leadership aligns strategic and operational priorities, fostering a culture of continuous improvement. It also empowers IT risk teams and supports the transformation of organisations toward greater digital resilience.

Enhanced resilience

By adopting DORA, businesses can better withstand digital disruptions and maintain operational continuity.

Regulatory confidence

Ensuring compliance with DORA builds confidence with regulators and stakeholders.

Improved cybersecurity posture

DORA encourages businesses to adopt advanced cybersecurity practices, reducing the risk of cyberattacks.

DORA Frequently Asked Questions

Who does DORA apply to?

DORA applies to financial entities, including banks, insurance companies, investment firms, and ICT service providers that support these financial institutions.

Businesses in the financial sector face a growing range of digital threats, including cyberattacks, system failures, and disruptions to critical services.

DORA helps mitigate these risks by establishing clear, harmonised rules across the EU. Compliance with DORA is essential for maintaining business continuity, protecting sensitive data, and safeguarding customer trust.

Without it, businesses risk facing regulatory penalties, reputational damage, and operational failures that could severely impact their bottom line.

How do I know whether I’m compliant with DORA or not?

If you’re not sure whether you are currently compliant, PGI can support you with a thorough gap analysis to provide you with insight into your current position and identify any gaps in compliance.

How often should we conduct resilience testing?

Organisations must conduct regular, comprehensive resilience testing and be able to provide evidence of this testing. We recommend that testing should be conducted annually as a minimum or following a significant change to processes or the organisation. This includes risk assessments, penetration testing, business continuity planning, incident preparedness and third-party vendor assessments.

How can I ensure full spectrum compliance across cyber and digital risk?

Taking a combined cyber and digital approach to security is key for achieving and maintaining compliance with DORA. This means going beyond pure infrastructural cybersecurity measures to understand wider scale digital threats. Personally Identifiable Information, for example, can be used in social engineering attacks against key principals. This can be just as dangerous as poor IT infrastructure, and full spectrum compliance means addressing both types of security risks.

What are the main challenges in implementing DORA?

Coordinating a wide range of stakeholders across the business—including cybersecurity, risk management, procurement, legal, and IT—can cause challenges when attempting to align new policies and processes.

Third-party risk management is another significant challenge posed by DORA. This is often a neglected area, with third-party relationships frequently poorly managed or loosely structured, which makes it difficult to obtain a comprehensive overview.

PGI can support organisations with the implementation of new policies and processes to mitigate these risks. We also support third-party vendor risk assessments to give clients clear insight into their suppliers' security posture.

What are the possible fines/penalties I could face if I don’t comply with DORA?

Institutions found in breach may face fines of up to 2% of their total annual worldwide turnover or 1% of their average daily turnover worldwide. For individuals, penalties can reach up to €1,000,000, while critical third-party ICT providers face even higher fines, up to €5,000,000 or €500,000 for individuals, if they fail to meet DORA’s standards.
