8 Essential Steps for DORA Compliance and Effective Reporting – Source: heimdalsecurity.com

In 2024, every major European financial service (FS) firm suffered some kind of security breach.

These shocking findings come from a study of cyber incidents in Europe last year. It found that 18% of large FS companies suffered direct breaches (where hackers broke into their systems). The rest were exposed through third- or fourth-party breaches (when their suppliers were hacked).

If those trends continue in 2025, we can expect major fines to hit the European FS sector. The EU’s new Digital Operational Resilience Act (DORA) aims to improve how European financial services companies approach security. Those that fail to comply will be penalized.

To avoid these penalties and, just as importantly, to keep your data safe, it’s essential to comply with DORA. In this article, you will learn:

• What is DORA, and who it applies to
• Five pillars of DORA compliance
• Eight steps to comply with DORA
• The importance of ‘continuous compliance’

What is DORA?

In a nutshell, DORA is a European Union Directive which aims to standardize and improve the way FS firms manage cybersecurity risks and respond to breaches.

The regulation aims to:

• Force FS businesses to report cybersecurity incidents
• Test their operational resilience
• Manage third party or supplier risk

DORA essentially requires all FS firms to follow good cyber security practices. By making every company comply with DORA, the EU is hoping to reduce the number of breaches affecting FS firms. By extension, this should protect the personal data and finances of EU citizens too.

Who does DORA apply to?

If you work in the FS sector and have operations in the EU, you need to understand DORA.

DORA is a broad regulation. It applies to any financial services firm that operates within the EU, regardless of size. It includes a very wide range of FS businesses, including:

• Banks
• Credit institutions
• Payment providers
• Investment firms
• Electronic money institutions
• Crypto asset companies
• Management companies
• Insurance businesses
• Credit rating agencies
• Crowdfunding services, etc.

5 key pillars of DORA compliance

DORA is an extensive and complex piece of regulation which affects various security procedures, controls and activities. Breaking it down into five key pillars will make it easier to understand and follow.

IT risk management

DORA requires FS firms to implement IT risk management practices. This pillar has two aspects:

1. Set up systems that can help with identifying risks (an extended detection and response solution is ideal)
2. Use any relevant security tools that support digital resilience

IT incident management planning

FS businesses will need to develop policies and procedures to identify breaches, then implement methods to close them down. As part of this, you will also need to report any breaches to the relevant authorities (major incidents should be reported within 24 hours of discovery). You’ll then need to provide intermediate updates, and a final report within one month.

Digital operational resilience tests

Financial services companies will need to regularly carry out cyber resilience and vulnerability testing. You will need to contract independent third parties to do periodic penetration tests. Based on the found vulnerabilities, you will also need to upgrade your security systems.

Assess third-party IT risks

Many FS companies use third party suppliers and contractors, particularly for IT and managed services. DORA requires FS firms to review how these suppliers manage their own security risks. If a vendor fails to use strong security practices, this could open up a backdoor into your systems. Contracts and service level agreements (SLAs) will need to be reviewed so that suppliers follow security best practices.

Related: DORA compliance for Managed Service Providers

Share information

The final pillar of DORA asks all FS businesses to share information with the authorities and the wider industry about emerging security issues. For example, if you are noticing a rise in DDoS attacks targeting your local subsidiary in an EU country, you will have to share this – even if your defences haven’t actually been breached.

8 steps to achieve DORA compliance

I always like to be proactive and not reactive because being reactive costs a lot of money

– Larisa Mihai, compliance expert

If your financial services business falls within the scope of DORA, you must develop a plan to achieve compliance. The regulation came into effect on January 17th, 2025, and the authorities will take a dim view of any firm that cannot show it is trying to meet the Act’s requirements. Complying with DORA is not very different from complying with any other cybersecurity regulation. Aiming to achieve continuous compliance will make the whole process easier for you, in the end.

To help you on your journey to DORA compliance, use the following eight steps.

1. Set up a DORA kickoff workshop with key stakeholders

If you are unsure how compliant you are with DORA, set up a compliance meeting with key stakeholders at the business. Naturally, this will include IT and compliance teams. But it will also require the participation of the senior executive (including the CEO), HR, operations teams and potentially any major IT suppliers.

As part of the meeting, you need to:

• Confirm whether or not DORA applies to you
• Get an idea of your current compliance status
• Outline responsibilities

You will also need to appoint a DORA compliance lead (or leads) who will take ownership of the project. This person needs to have the experience, skills and authority to push compliance forward, and overcome resistance.

2. Complete a DORA gap analysis

Conduct an analysis of your current DORA compliance status. Do your technologies, security systems, processes and people meet the minimum standards? Many companies overemphasise the technology part of DORA compliance. Obviously, this is key, but you also need to analyse how well your employees understand and enforce cybersecurity best practices.

3. Create a short-term plan to fix major issues

If your initial gap analysis identifies any major weaknesses (e.g. no multi-factor authentication, or employees sharing passwords), these need to be rectified immediately.

4. Identify contractors for resilience testing

DORA requires FS businesses to undergo periodic digital operational resilience testing. You should find a reliable cyber testing company with relevant experience who can conduct various kinds of penetration and social engineering tests.

5. Develop an incident response plan

If you do ever get breached, DORA requires you to have an incident response plan. Set out responsibilities for different people. Be ready to share information about breaches (including failed attacks) with the authorities. This means you need to be able to extract reports on IT activities and processes on a short notice.

6. Create DORA compliance policies

It’s super helpful to document your company’s DORA compliance policies. As above, this needs to cover technology, people and processes.

Compliance policies might include things like:

• Ensuring that all new employees receive cybersecurity training on day one at the company
• Mandating password changes every three months
• Setting dates for annual penetration tests

Policy documents are only meaningful if they actually get implemented. You need to proactively liaise with different departments and get them to build these policies into their workflows. For example, you might need to push your HR team to include a cybersecurity module into yearly continuing professional development training.

7. Assess third-party suppliers

All your third-party suppliers will need to be assessed for DORA compliance. This is especially (although not exclusively) important for ITC suppliers. There are different ways of doing this, but a good place to start is to send your suppliers a questionnaire, asking about things like:

• What methods they use to manage access to their own systems
• Whether or not they segment your company’s data out from that of their other customers
• What privileged access controls they have in place
• Whether or not they have a DORA policy
• What other security standards they conform to (such as ISO standards)
• If they have their own IT suppliers/contractors who could pose a risk if breached

8. Develop a longer-term plan for continuous DORA compliance

DORA compliance isn’t a ‘one-time thing’. Instead, it’s something you need to continuously build and improve. On the long run, here’s what I recommend:

• Periodically contract out resilience testing to suitable cybersecurity companies
• Carry out annual reviews and audits
• Review training on a regular basis and make all staff do it
• Liaise with suppliers and IT vendors to ensure they’re compliant, and review any new supplier contracts
• Gradually roll out ever more advanced security to improve digital operational resilience

Why DORA compliance should be continuous

In a recent Heimdal webinar, we spoke with compliance expert Larisa Mihai about how firms can manage regulations like DORA.

Larisa argued that firms should aim for what she calls ‘continuous compliance’. She explained:

The trick here [is] not to be compliant once per year or two times per year or whenever somebody audits you, it’s actually to be compliant all the time.

There are several reasons that this continuous approach to compliance is better:

• Respond to audits fast: If you’re always monitoring and managing your compliance, you can quickly respond to requests from auditors.
• Makes you more secure: Companies that are constantly checking their compliance with DORA are more likely to identify security gaps – and fix them.
• Avoid fines for non-compliance: You’re simply much less likely to get fined for non-compliance with DORA if you’re always monitoring for it.
• Reduces internal friction: If you only try to ‘do’ compliance last minute (i.e. when you get audited), you force IT staff to stop other projects to support the compliance request. That causes a lot of unnecessary friction.

Heimdal supports your DORA compliance project

If you are responsible for ensuring your financial services firm complies with DORA, Heimdal can help. We have developed a range of solutions that make it easier for you to comply.

DORA compliance reporting tools

Heimdal’s reporting tools can scan your company’s entire IT environment to assess controls and security gaps and identify where you might be falling short on compliance. The report can be automatically generated and shows how secure you are in multiple areas relevant to DORA.

Access control

Our cybersecurity platform lets you connect multiple security point solutions to a central dashboard. This includes several access control tools that can really help with DORA compliance:

• Privileged account and session management
• Privilege Elevation and Delegation Management
• Next gen antivirus and firewall

Digital operational resilience

We have developed a range of tools that can improve your overall operational resilience:

• Patch and asset management
• Threat hunting
• Endpoint detection and response
• Ransomware encryption protection

To learn more about how Heimdal can support your DORA compliance strategy, contact us today for a demo.

Frequently asked questions

We’ve answered your FAQs about steps to DORA compliance.

Who should be responsible for DORA compliance?

In principle, everyone at financial services businesses should feel responsible for compliance with DORA. However, it usually falls to an employee in either the IT or compliance teams.

This individual should have a good grasp of cybersecurity risks, the legal requirements that DORA imposes, and a good knowledge of how their organization actually works. This person needs to be confident to push DORA compliance forward – and be able to persuade people across the business to change processes and improve behaviors.

How to avoid DORA fines?

To avoid DORA non-compliance fines, you must be able to demonstrate that you have taken adequate steps to comply with the regulation. You need to document your policies and procedures and be able to produce reports showing all the security protocols you use, and digital operational resiliency tests you have had done.

At present, it is unclear how strict different countries will be when it comes to imposing penalties. But if you can show you have taken necessary steps, you are less likely to face severe fines.

Is there a single solution for DORA compliance?

No, there is no single ‘silver bullet’ way to become DORA compliant. The implications of the regulation will vary enormously from one FS business to the next.

For some firms, it will just require them to produce reports and conduct annual resilience tests. For others, it will require the wholesale upgrade of security systems, ending relationships with unsuitable vendors, and hiring new security staff.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, and Youtube, for more cybersecurity news and topics.