
DORA is Here: What’s Next for Organizations?


Introduction

The Digital Operational Resilience Act (DORA) has officially arrived, marking a significant shift in how financial institutions manage their digital resilience. While organizations have spent the past two years meeting compliance deadlines, the real work is only just beginning. Much like the introduction of the General Data Protection Regulation (GDPR), achieving baseline compliance is only the first phase. The ongoing challenge will be embedding resilience into the very fabric of financial operations.

So, what’s next now that the January 17 deadline has passed? And what strategic steps should organizations take to turn compliance into a competitive advantage? Let’s explore.

Compliance with DORA is Just the Beginning

As immediate next steps, the European Supervisory Authorities (ESAs) require the compilation of registers for ICT services to be submitted by national regulators before April 30, 2025. Most national regulators will request firms to submit their registers before this deadline. For example, a recent announcement by the Central Bank of Ireland has called for firms to submit their registers during the window of 1 to 4 April 2025. However, for companies that have now complied with DORA, the future presents an opportunity to strengthen their operational resilience further and enhance their risk management frameworks.

DORA’s origins trace back to 2016, when ICT risk management was covered under various fragmented EU laws, such as the Network and Information Systems (NIS) Directive and the European Banking Authority (EBA) outsourcing guidelines. In 2020, the European Commission proposed DORA, recognizing the need for a unified regulation to strengthen ICT resilience across all financial entities. After extensive discussions, the EU Parliament formally approved DORA on November 28, 2022. This long-term evolution illustrates a global shift in the management of digital risks, with a focus on cyber resilience, risk management, and regulatory oversight.

It’s also important to note that DORA will likely influence compliance standards across other industries, including healthcare, energy, and critical infrastructure. DORA’s principles are highly adaptable, and with their focus on proactive risk management and accountability, they are likely to serve as a blueprint for cross-industry regulations.

We’ll be discussing more on this in our upcoming webinar Digital Operational Resilience: Practical Guidance and Insights from Implementations with experts from Advantage Reply and MetricStream. We’ll also be covering key insights on DORA’s early implementation and AI’s potential in building digital resilience.

What’s Next: Strategic Steps for Long-Term Resilience

With compliance pressures easing slightly, organizations have an opportunity to refine their frameworks, reduce inefficiencies, and embed resilience into their operations. Here are some of the key steps they should take: 

  • Conduct a Comprehensive Gap Analysis

    Now that the initial compliance rush is over, a deeper gap analysis will help identify vulnerabilities in areas such as incident reporting, third-party risk management, and operational testing.

    Key Actions:

    • Engage cross-functional teams, including IT, compliance, risk, and legal teams
    • Compare internal processes against DORA’s detailed requirements
    • Develop a clear roadmap to address identified gaps and improve resilience
  • Strengthen ICT Risk Management Frameworks

    Financial institutions must continue to strengthen ICT risk management with formal processes in place to identify, assess, mitigate, and monitor risks across all critical systems.

    Key Actions:

    • Define clear roles and responsibilities for ICT risk governance
    • Maintain an up-to-date risk register to capture evolving threats
    • Integrate third-party risk management into enterprise-wide risk frameworks
    • Implement real-time monitoring tools to detect potential vulnerabilities
  • Enhance Incident Reporting Mechanisms

    Under DORA, financial institutions should already have mechanisms in place to report ICT-related incidents in a timely and structured manner. Organizations will also need to ensure that they have well-defined escalation procedures and response frameworks.

    Key Actions:

    • Establish a centralized reporting mechanism for ICT incidents
    • Train employees on incident detection, escalation, and documentation protocols
    • Conduct periodic simulations and post-incident reviews to improve response times
  • Strengthen Third-Party Risk Management

    DORA places significant emphasis on third-party risk oversight, particularly for critical ICT service providers such as cloud vendors and cybersecurity partners. Organizations must now ensure their external vendors meet DORA’s stringent resilience requirements.

    Key Actions:

    • Update vendor contracts to include resilience and reporting obligations
    • Monitor vendor performance and conduct regular risk assessments
    • Develop contingency plans for third-party service failures
    • Ensure third-party risk management is integrated into the overall compliance strategy
  • Implement Operational Resilience Testing

    DORA requires organizations to conduct stress tests and scenario analyses to assess their ability to withstand ICT disruptions. Regular testing will help identify weaknesses before they lead to real-world incidents.

    Key Actions:

    • Simulate cyberattacks and system failures to evaluate response effectiveness
    • Identify vulnerabilities and address them through targeted improvements
    • Involve third-party providers in resilience exercises to assess their preparedness
    • Align testing protocols with DORA’s specific requirements on business continuity
  • Invest in Employee Training and Awareness

    Financial institutions must ensure employees at all levels understand DORA’s requirements and their role in maintaining digital resilience. A well-informed workforce is crucial for long-term compliance.

    Key Actions:

    • Conduct regular, role-specific training on ICT risk management
    • Share updates on regulatory expectations and industry best practices
    • Foster a culture of continuous improvement and accountability
    • Encourage collaboration across teams to enhance operational resilience
  • Leverage Technology for Compliance Efficiency

    Meeting DORA’s requirements can be time-consuming and complex, but technology can streamline compliance efforts. Organizations should invest in solutions that automate risk assessments, incident reporting, and regulatory monitoring.

    Key Actions:

    • Deploy GRC (Governance, Risk, and Compliance) platforms to centralize efforts
    • Utilize real-time monitoring tools to detect potential ICT risks
    • Invest in automated reporting solutions to improve accuracy and efficiency
  • Engage with Industry Groups and Regulators

    DORA is just the beginning, and regulatory expectations are expected to evolve. Financial institutions that stay informed and actively engage with regulators and industry groups will be better positioned to navigate future changes.

    Key Actions:

    • Participate in industry working groups and compliance forums
    • Stay updated on regulatory guidance and best practices
    • Collaborate with industry peers to share insights and experiences

Stay Future-Ready with MetricStream

The message is clear: Compliance is not the finish line with DORA; it’s the starting point for continuous digital resilience. MetricStream’s CyberGRC product ensures effective collation, management, and utilization of enterprise data followed by accurate measurement and reporting. With MetricStream, your organization is empowered with:

  • Built-in frameworks, strong policy management, and ongoing controls monitoring
  • Easy identification, tracking, logging, categorizing, and classifying of ICT-related incidents according to the priority, severity, and criticality of services along with automated processes for investigation and remediation 
  • Rapid disclosure with a comprehensive risk register, incident reporting, third-party management, and archiving of incidents and actions taken
  • Ability to create, maintain, and execute BCP & DR plans using built-in templates and workflows
  • Automation of BCP testing to obtain real-time status updates
  • Identification and elimination/mitigation of risks with pre-configured remediation measures and actions 
  • Contract compliance and sound monitoring of risks emanating from ICT third-party providers
  • Configuration and automation of risk monitoring of third-party providers with built-in control libraries and automated risk assessments to obtain detailed status and performance reports including contract compliance 

To learn more about how MetricStream can help with digital resilience, request a personalized demo today! 

Register for our upcoming webinar: Digital Operational Resilience: Practical Guidance and Insights from Implementations


Simrin Jhangiani, Associate Director, Marketing at MetricStream

Simrin Jhangiani is the Product Marketing Lead for MetricStream’s ESGRC product. As a former NYU student with a minor in Corporate Social Responsibility, Simrin is passionate about helping businesses make risk-aware business decisions around ESG. Simrin has an extensive business and marketing background, having worked as a strategy consultant at KPMG and as the owner of a sustainable fashion brand. She has lived on three different continents and has travelled to more than 50 countries around the world, resulting in a comprehensive understanding of why ESG is important on a global scale. She believes that ESG is fundamental to the growth of businesses in the present day and is ardent about bringing awareness to the ever-changing regulations around Environmental, Social, and Governance.