Don’t Let DORA Surprise You in 2025

January 8th, 2025 Loren Johnson Reading Time: 5 minutes

In the US and in other regions outside the EU, many industries and companies assume that because the Digital Operational Resilience Act (DORA) defines specific information security requirements for financial institutions in Europe, it doesn’t apply to them. Yet DORA is written to apply, under certain circumstances, to companies based outside the EU, and too many of these companies are simply not ready.

DORA requires financial entities operating in the EU to ensure their information and communications technology (ICT) systems can withstand, respond to, and recover from cyber threats and digital service disruptions. It also requires these businesses to improve their awareness of cybersecurity threats, upgrade and validate their defenses, and generate analytics and reporting to demonstrate their compliance. In short, DORA is meant to ensure that financial entities operating in the EU are prepared for ICT issues, can actively minimize them, and have defined programs in place that allow them to quickly and predictably recover from disruptions to the services they provide to their customers in the EU.

None of these requirements is surprising. Financial entities are among the most targeted organizations for cyberattacks, ransomware, and other breaches that can take their digital services offline and out of reach of their customers for prolonged periods. For more than four years, EU regulatory authorities have proposed significant changes to their financial services resiliency requirements, and DORA contains specific requirements for financial entities to construct and secure their ICT systems, test and report on performance and availability, and alert regulators to breaches, failures, or customer inaccessibility. The EU is serious about financial entities ensuring their customers can access their records and accounts with minimal disruption.

DORA: Who, Me? 

Like other recently enacted GRC and ESG regulations, DORA includes details on how and to which businesses and entities it applies. Although DORA is an EU regulation, it applies to any financial entity operating in and servicing customers in the EU.  

This means that any banks, payment processors, investment firms, insurance companies, or crypto-asset companies must comply with DORA requirements to continue operating in the EU.  

Because financial entities commonly engage third parties for technology services, DORA also applies to the third-party ICT vendors that support financial entities operating in the EU. Third-party ICT vendors subject to DORA may offer cloud services, data management, customer management, and other SaaS and FinTech solutions to financial entities operating in the EU.

To be clear, DORA applies to: 

  • Financial entities operating in the EU 
  • Information technology and services third-party vendors that support financial entities that operate in the EU, even if the third party does not directly operate in the EU

Ultimately, if your organization is a financial entity that operates in the EU or supports a financial entity that operates in the EU, DORA likely applies to your company. Conversely, if your organization is a US financial entity with no operations in the EU that happens to service EU citizens outside of the EU, DORA likely does not apply to your organization.

DORA: Not Just for Financial Entities 

One of the most interesting and compelling elements of the DORA regulation is its inclusion of and focus on associated third-party ICT vendors and the risks they represent to the EU financial entities’ compliance and resiliency practices. Financial entities are responsible for ensuring that their third-party ICT vendors comply with DORA requirements, that those relationships are actively managed to reduce the likelihood of information and cybersecurity incidents, and that those third parties are aligned to the financial entity’s digital resiliency strategies DORA requires.  

In fact, third-party risk management (TPRM) program requirements are so well-defined in DORA that it sets a new bar for regulated TPRM program best practices. For example, it includes requirements to centralize the management of TPRM programs across the entity, to use a single system and third-party registry, to conduct detailed risk assessments, due diligence, and continuous monitoring, and to regularly test, validate, and report on program performance. DORA is prescriptive and based on years of TPRM program performance analysis and the demand of EU regulators that information security incidents not disrupt customer access to their accounts. Financial entities unable to make this promise are likely to be heavily scrutinized. Given how interconnected and interdependent technology systems tend to be in modern financial services organizations, DORA will drive significant changes in third-party management best practices.

A Best Course of Action 

As financial entities operating in the EU and their third-party vendors look to adapt their risk and resiliency management programs to the requirements in DORA, I anticipate more than just a few organizations will be caught off guard.  

One of my mantras for the GRC and TPRM market is not only to be aware of existing and developing regulations, but to build your programs to the intent and direction of the law rather than merely to its letter. The best TPRM programs are built to align with the organization’s code of conduct, business strategies, and the needs of its shareholders and customers. We find that these programs are often insulated from sudden shifts in regulations and standards that mandate new best practices, because those practices are already in place.

DORA is clearly designed to protect consumers from losing access to their financial records and resources, no matter where a disruption originates or occurs—including at a third party. With that focus in mind, businesses should assess their TPRM programs and ensure they can support the law’s intention. And there will surely be subsequent regulations that will reinforce that intention and direction. An active regulatory change management and horizon scanning component of a GRC program can help illuminate evolving regulatory trends and direction.  

The best TPRM solutions and the risk professionals who run them understand that the best programs align with evolving regulations but are focused on and designed to deliver business advantage and beneficial outcomes. This is why I advocate for well-designed and well-run TPRM programs from their inception; they are the most effective at identifying, mitigating, and optimizing third-party risks, and they happen to be best positioned to absorb and adapt to regulatory changes. They are more efficient and can scale and diversify as the risk landscape changes, integrate new requirements, and generate reporting that shows the strategic impact of the program.

In today’s rapidly developing and increasingly global market, risk management expectations and best practices tend to precede regulations and standards anyway. Particularly when it comes to cybersecurity and operational resiliency, alert businesses can adapt to threats, discover advantages, and apply best practice risk management before regulations, standards, and frameworks catch up.  

In response to DORA, I know of financial entities consolidating their disparate TPRM programs into one system. I know of a financial services company that does not have operations in the EU, yet is resetting its TPRM program to align with DORA’s best practices requirements. I’ve seen a cloud services and data management company proactively redefining how they assess their own third parties based on DORA requirements and the needs of the EU financial entities they support.  

Ultimately, the best practices businesses are adopting based on DORA’s requirements will drive positive changes across companies, regions, and industries. Even for businesses to which DORA will not apply, the evolving market expectations for well-designed and well-executed TPRM programs, and the benefits those programs provide, still do. It’s time to get serious about TPRM.

Are You DORA-Ready?

Join Our Webinar to Learn How to Navigate the Complexities of DORA and Set Your TPRM Team Up For Operational Resilience


Contact Aravo to see our Intelligence First Platform® in action and learn how we can help your TPRM team prepare for DORA. 

Loren Johnson

Senior Director, Product Marketing

Loren Johnson leads Aravo’s product marketing function, covering how Aravo builds, markets, and sells its market-leading third-party risk management solution. Driven by a passion for innovation and solving business challenges, Loren brings an international business perspective and desire to deliver measurable customer success. Loren is a long-term TPRM advocate with an MBA in International Management from Thunderbird, and more than 30 years working in the technology sector. With eight years in the GRC market, Loren brings enthusiasm and an informed perspective to his work with Aravo.

