The Digital Operational Resilience Act (DORA) went into effect January 17, 2025, and many Information and Communication Technology (ICT) providers are finding it difficult to navigate the path to compliance. BDO is working with ICT providers to guide them through their DORA compliance journey, and we've identified some best practices that can make a significant difference.
Compliance by Committee
DORA requires collaboration from a wide range of internal stakeholders. In the absence of a dedicated compliance leader, establishing a cross-functional committee can ensure alignment and reduce redundancies. Key roles to consider include:
- Executive Leadership: Set the strategic direction and integrate DORA compliance into broader cybersecurity, risk management, and resilience initiatives.
- Compliance: Perform gap analyses, evaluate compliance levels, and communicate with regulatory authorities.
- Information Security: Oversee the cyber risk program, implement security measures, conduct technical testing, and maintain incident detection and response capabilities.
- Incident Response: Develop escalation and reporting procedures in line with DORA and coordinate with Legal on incident timelines.
- IT Infrastructure: Ensure high availability and fault tolerance, implement disaster recovery and backup strategies, conduct failover tests, and support third-party risk oversight.
- Legal and Contracts: Assess DORA's applicability to ICT products and services, update service agreements with compliant clauses, and define reportable incidents.
- Risk Management: Align the risk framework with DORA, monitor resilience metrics, and evaluate third-party risks in ICT service delivery.
- Resilience: Identify critical ICT functions, lead resilience testing, and maintain DORA-compliant business continuity and disaster recovery plans.
- Vendor Management: Conduct supplier due diligence, negotiate DORA-compliant agreements, and monitor third-party risks.
Common Controls
DORA aligns closely with ISO 27001, NIST's Cybersecurity Framework, and ISO 22301, giving ICT providers the opportunity to harmonize compliance requirements and adopt a "test once, report many" strategy across multiple standards. Five areas of overlap include:
- Risk-Based Approach - DORA, ISO 27001, and ISO 22301 all emphasize the importance of risk assessments and require a comprehensive assessment to be performed. Organizations can align these by integrating DORA's ICT risk management requirements into their Information Security Management System (ISMS) and/or their Business Continuity Management System (BCMS).
- Incident Response and Reporting - DORA's stringent incident reporting requirements align with ISO 27001's Information Security Incident Management requirements (A.16) and NIST CSF's Respond and Recover domains. ISO also provides more specific incident management guidance in ISO 27035.
- Operational Resilience Testing - ISO 27001 (A.17) and ISO 22301 provide a solid foundation for DORA's resilience testing mandates, and transparent test results can alleviate right-to-audit requests from financial customers.
- Third-Party Risk Management - DORA’s third-party risk oversight requirements align with ISO 27001 (A.15), focusing on continuous monitoring, risk assessments, and contractual security controls for external providers.
- Governance and Compliance - DORA mandates clear ICT risk governance, corresponding to ISO 27001 Clause 5 and NIST CSF’s Identify and Protect domains.
By embracing these best practices, ICT providers can effectively manage DORA compliance while enhancing their operational resilience and security. At BDO, we are committed to helping you navigate these complexities with confidence and clarity. We offer Risk & Resilience services, and BDO's Third Party Attestation team can assist with ISO readiness and certification services across ISO 27001, ISO 22301, and other ISO frameworks.
Contact BDO’s Risk & Resilience team today.