
5 steps to comply with DORA: Business resilience against cyber threats
- According to Formalize, since August 2024, there has been a 57% increase in companies seeking compliance with the Digital Operational Resilience Act (DORA).
- Verifying the status of a company’s “critical services,” implementing cyber risk controls, and managing compliance are some of the key steps businesses must take to meet DORA requirements.
On 17 January, the Digital Operational Resilience Act (DORA) will come into effect, aiming to strengthen financial institutions’ resilience to cyber threats. By that date, all companies in the financial sector and ICT providers must comply with this regulation. According to the compliance platform Formalize, there has already been a 57% increase in companies preparing for compliance since August 2024.
To support this transition, knowmad mood, a leading technology consultancy specializing in digital transformation, outlines five key steps to help companies meet the new requirements.
Assess the status of your company’s “critical services”
The first step in complying with DORA is determining whether your organization provides “critical” or essential financial services, ICT platforms, or technology-dependent infrastructure. Carefully reviewing the legislation and seeking legal advice can help clarify this status. Organizations classified as “critical” will face stricter requirements, meaning they must implement higher standards for business continuity, cyber threat planning, and operational resilience measures.
Implement cyber risk controls and compliance management
DORA emphasizes the importance of managing ICT and third-party risks. To comply, companies must establish a well-structured internal compliance framework and documented cybersecurity controls at all organizational levels. A best practice is to create or adapt policies based on recognized cybersecurity standards, such as ISO 27001. Once these controls are in place, conducting audits against these standards will be crucial, as DORA regulations will likely follow a similar approach.
Strengthen third-party risk management
DORA introduces explicit requirements for financial institutions to regularly monitor and assess key third-party providers. If your company lacks a policy for managing these risks, now is the perfect time to implement one using DORA’s guidelines. If risk management software is already in use, ensure system reports are comprehensive and up to date, as they will serve as strong evidence during a DORA audit.
Enhance incident management
DORA requires financial institutions and ICT service providers to report cyber incidents with detailed information, including causes, impact, response actions, and downtime. Compliance with this requirement will likely increase the frequency of reporting. Organizations that implement automation tools for incident reporting will gain significant advantages, saving time while ensuring accuracy and traceability. Companies that adopt these tools before the regulation takes effect will be better positioned for compliance.
Choose platforms that support business continuity
One of DORA’s core objectives is to improve businesses’ ability to withstand cyberattacks. To recover quickly while remaining compliant, organizations should consider cloud-based “as-a-service” platforms, which provide detailed business continuity plans and uptime guarantees.
“Complying with DORA regulations not only ensures alignment with EU cybersecurity and data protection standards but also strengthens business resilience. However, achieving this requires expert support. At knowmad mood, we provide the tools to facilitate proactive risk management and minimize downtime caused by cybersecurity incidents. With the right support and technology, companies will be well-equipped to tackle any challenge,” says Roberto Liesa, Head of Cloud at knowmad mood.