Navigating DORA: Understanding the Digital Operational Resilience Act

In a recent webinar hosted by HANDD Business Solutions, data security experts delved into the intricacies of the Digital Operational Resilience Act (DORA) and its implications for regulated organisations. The comprehensive discussion covered key aspects, ranging from the basics of DORA to its impact on third-party engagements and practical steps for compliance.

January 2024 marked the release of the Regulatory Technical Standards (RTS) by the European supervisory authorities – the European Banking Authority, Insurance and Occupational Pensions Authority, and the Securities and Markets Authority. January 2025 is when DORA, a European Union (EU) regulation comes into force, meaning organisations had one year to achieve compliance.

Opening the webinar HANDD asked the audience to rate their confidence in understanding DORA. The results… only 10% were confident that they understood the changes, 50% felt somewhat confident, and 40% stated had low confidence and needed more learning.

You can watch the full webinar here : DORA, One Year To Go – and read the key insights from the webinar below:

Part 1: Introduction to DORA

The webinar kicked off with a comprehensive introduction to DORA, a legislative framework aimed at ensuring the operational resilience of digital services. The speakers highlighted the critical pillars of DORA, focusing on cyber resilience, operational risk management, and the oversight of third-party service providers.

Part 2: Unpacking DORA’s Pillars

Here, we delved deeper into the pillars that constitute the foundation of DORA – cyber resilience, operational risk management, and third-party engagement. These were dissected to provide a clearer understanding of the regulatory landscape. A strong emphasis was put on the importance of aligning current cybersecurity practices with DORA requirements.

Part 3: The Role of Third-Party Service Providers

A significant portion of the discussion revolved around the role of third-party service providers in the DORA compliance journey. Outlining the obligations of organisations to evaluate and manage the risks associated with their third-party engagements. As the deadline for compliance approaches, understanding the nuances of dealing with external partners becomes paramount.

Part 4: What’s Next and Practical Considerations

In conclusion, we looked ahead to the next steps and practical considerations for organisations preparing for DORA compliance. Highlighting key dates on the horizon and stressing the importance of proactive measures. Suggestions included identifying existing practices, conducting gap analyses, and initiating dialogue with third-party suppliers.

Key Takeaways:

  1. DORA’s Complexity:

    DORA EU is a multifaceted regulation, requiring organisations to address various components of their operational resilience. From cyber resilience to third-party engagement, a holistic approach is essential.

  2. Navigating the Grey Areas:

    DORA and the UK – who needs to comply? The geographical intricacies can leave one’s head spinning. With the UK no longer an EU member state, questions arise about DORA’s applicability. If you’re based in the UK but conduct business with EU entities, connect to European markets, or have European operations, brace yourselves – you’re in the DORA spotlight. Whether the UK adopts, creates its own, or ignores the regulation is a grey area, but compliance might just be a wise choice regardless.
    DORA applies to regulated industries such as Finance and Insurance. In the ever-connected financial world, deliberately marking yourself as out of scope might not be a strategic move. It’s not just about meeting legal obligations; it’s about staying competitive, demonstrating due diligence, and aligning with best practices you might already have in place.

  3. Third-Party Engagement:

    The significance of evaluating and managing third-party service providers cannot be overstated. Organisations must be proactive in understanding the risks associated with external collaborations to ensure compliance.

  4. Practical Steps:

    With the enforcement deadline looming, the speakers advocated for proactive measures. Identifying existing practices, conducting gap analyses, and initiating communication with third-party suppliers were highlighted as crucial steps.

  5. Beware of Silver Bullets:

    While changing landscape may see the emergence of tools and services catering to DORA compliance, caution is advised. A one-size-fits-all solution may not exist, and organisations should carefully assess their unique needs.

In conclusion:

As organisations navigate the complexities of DORA, proactive measures, collaboration, and understanding the nuances of the regulation are key. The webinar was valuable in that it brought together peers, organisations and data experts seeking clarity, insights and solutions for DORA compliance. You can watch the full webinar here : DORA, One Year To Go.

What’s next for DORA?

The consultation period for other products and articles is ongoing until March 4, with another release date slated for July 17 2024 – a date to mark on your calendars – and look out for more HANDD webinars and resources! The journey to DORA compliance requires a strategic and informed approach. Stay tuned for more insights and discussions as the regulatory landscape evolves, and organisations continue to adapt to the changing cybersecurity and operational resilience requirements.

Need support to achieve DORA compliance?

HANDD is experienced in helping banks and financial institutions navigate the complexities of new cyber regulation, and DORA is no exception. Our experienced team of cyber-risk specialists can help you find and identify non-compliant areas of your business in preparation for the full launch of DORA in 2025.

Book a call with our DORA Consultant: Call +44 (0)845 643 4063 or email

Need more? View all our DORA resources here.