Best Practices for DORA Preparation

4 minute read

August 2024

by Julia Winer

The enforcement deadline for the EU Digital Operational Resilience Act (DORA) is approaching fast—as of January 27th 2025, European financial organisations and their information and communications technology (ICT) providers will be liable to penalties if their cybersecurity and third-party risk management practices do not meet the new requirements set out in the regulation.

This regulation marks a major step forward in the EU’s efforts to regulate cybersecurity practices, both because of the new cyber obligations it places on financial organisations and because of its emphasis on operational resilience, meaning the ability to keep operating and recover in the face of a cybersecurity incident. Furthermore, DORA doesn’t simply regulate organisations’ internal cybersecurity practices—the key to achieving compliance is mitigating risk across the ICT supplier ecosystem. After all, it doesn’t matter who owns a given system: if an incident significantly disrupts your operations, your organisation lacks the resilience needed for today’s business environment.

This blog walks you through best practices for preparing for DORA enforcement and achieving compliance. By taking account of the risks currently present in your ICT supplier ecosystem and planning actions to mitigate them, you can meet the enforcement deadline confident in your compliance status. 

Best Practices Under DORA 

Take an Intelligence-Driven Approach to TPRM 

Under DORA, financial entities are encouraged to share cyber threat information and intelligence, including indicators of compromise, cybersecurity alerts, and configuration tools. After all, cyber resilience cannot exist in a vacuum—if organisations withhold valuable cybersecurity information from each other, they run the risk of an avoidable incident wreaking havoc on their supplier ecosystem. Still, information sharing must take place in a secure, security-minded way, through arrangements governed by agreed rules of conduct.

One tool that makes intelligence sharing easier and more effective is a risk management platform with configurable reporting and incident tracking capabilities. With configurable reporting, risk managers can quickly and efficiently gather the information needed to inform interested parties of changes in their risk ecosystem. Incident tracking, by contrast, ensures that no cybersecurity event goes unidentified and unreported. Additionally, a “DORA-ready” risk management platform should help users share information about known threats with the suppliers, third parties and partners that enable them to function. 

Develop a Third-Party Risk Management Governance Model

DORA compliance requires consistent, systematic third-party risk management (TPRM). By developing a plan for third-party risk governance, you prepare your organisation to make stronger TPRM decisions and to defend its programme to the appropriate regulatory authorities. Once your programme is running, the governance model will continue to pay dividends: each new incident will have a matching mitigation procedure, and you will be able to scale your operations without creating management difficulties. TPRM should enable business growth, not inhibit it, and a governance model is a strong step toward both achieving DORA compliance and preparing to grow your business.

Automate Assessments  

Under DORA, financial entities need to subject their suppliers to an increased degree of scrutiny. This puts the onus on time-strapped TPRM teams to find ways to do more, faster—and one way to achieve that is automation. By automating the scoping, distribution, and collection of supplier risk assessments, a DORA-ready risk management solution should reduce the tedious, time-consuming labour needed to obtain risk data and get teams the information they need sooner. Once risk managers no longer need to sink time into these repetitive tasks, they are free to direct their expertise toward the work that can really make a difference.

Focus on Critical or Important Function (CIF) Supplier Relationships 

The amount of DORA-related risk a given supplier poses will vary based on their cybersecurity practices, data access, and firmographic indicators. One way to prioritise high-risk relationships is to use externally sourced data and analytics from providers such as Interos, RiskRecon, BitSight, and SecurityScorecard to identify the suppliers most likely to carry a high degree of risk. Once you have identified high-risk suppliers, you can use that data to decide which of them warrant the most detailed and frequent audits. This approach to assessment processing ensures that the team puts its effort into the organisations and actions most likely to significantly affect your risk and compliance posture.

Another helpful tool for identifying critical suppliers is a risk assessment exchange. By analysing assessment data from tens of thousands of suppliers, a risk exchange enables AI-driven predictions of the policies, controls, and vulnerabilities likely to appear at suppliers whose assessments are not yet stored in the exchange. These analytics compare suppliers by industry, size, and geography to determine the practices and weaknesses common to different kinds of organisation, helping your team prioritise suppliers by risk. From there, teams can choose which organisations they would like to assess more deeply and fill in the gaps in the predictive data.

Compare Risk Across the Supplier Ecosystem 

By gathering insights from data providers and placing them alongside assessment and exchange data, a DORA-ready risk management solution simplifies the identification of high-risk vendors. A solution that collects data from varied sources within a single “pane of glass” enables immediate, effective comparison across vendors. This is why managing DORA compliance with a risk management solution that gathers all risk data into a single repository is so helpful: risk teams rely on many sources, so the technology they use to identify, track, and mitigate risk should accommodate all of them.

Conclusion

DORA enforcement is coming, and if your organisation is within its scope, you have a responsibility to achieve compliance. Luckily, the information is out there to help your team stay on top of this challenge. Read our white paper, “DORA: Key Provisions and Best Practices,” for a more comprehensive overview of the upcoming enforcement deadline and the actions you can take to prepare for the new legislation. 

ProcessUnity 

While it can be seriously taxing to attempt compliance using only spreadsheets and emails, ProcessUnity DORA helps your team quickly identify control gaps and work to remediate them.
