Report | Beyond Security: Analyzing the Wider Implications of DORA
This report explores the challenges financial services organizations face in preparing for the DORA Regulation, highlighting key concerns like supply chain security, cultural shifts, and reporting obligations. Download it now for expert insights on achieving DORA compliance.

1 https://www.bankingsupervision.europa.eu/press/interviews/date/2024/html/ssm.in240328~e66e047ea7.en.html
Over the past few years, there’s been no shortage of articles, blogs, talks, events, and webinars about DORA, the Digital Operational Resilience Act. It’s hard to imagine that anyone in the financial services industry is unaware of the upcoming European Union regulations. And it’s harder still to believe that there’s anyone out there who hasn’t at least thought about how it might impact their work.
Yet, just a few short months before DORA is due to be applied, few organizations seem entirely settled on how to approach this groundbreaking regulation.
Everyone recognizes that new regulations are needed due to the industry’s accelerated reliance on IT, increased digital attack surfaces, and greater exposure to cyber
security threats. After all, the fact that cyber incidents in the EU banking sector doubled in 2023 compared to 20221 is hard to avoid. All the same, the seriousness of the condition doesn’t make the medicine any easier to swallow.
Beyond security: Analyzing the wider implications of DORA
1
Naturally, we’ve had a number of conversations with our own customers on DORA over the past couple of years. And, even though they’re confident with their own cyber security posture, concerns about the sweeping implications of DORA remain. After all, the breadth of the regulations means that there’s much more to think about here than pure defense.
With that in mind—and with just over 150 days to go before DORA comes into effect—let’s explore seven of the most common DORA-related challenges that are on the minds of Chief Information Security Officers (CISOs) today.
1. Supply chain DORA emphasizes the need to manage third-party risks to enhance operational excellence. Arguably the most daunting part of the new regulations is that financial services providers will be responsible for the security of their entire supply chain.
The reality here is that DORA will require financial services organizations to start being incredibly demanding on their supplier base. In many instances, that will require the use of “knock out” criteria, where any supplier that can’t demonstrate the appropriate standard of protection is removed from the picture.
Despite the disruption that might cause, the risks will simply be seen to be too extreme to follow any other course of action.
2. Culture DORA also points to the need for profound cultural change within the financial services industry. Typically— and understandably—organizations in the sector rarely disclose cyber security incidents with any real degree of willingness. After all, to do so is usually to risk reputational harm, and provide other cybercriminals with a sign of vulnerability.
That will change under the new regulation, which mandates that any serious incidents must be made public. That kind of openness runs contrary to some highly ingrained behaviors within the industry, and may prove harder to overcome than any other challenge on this list.
3. Reporting Making successful attacks public won’t be the only communications-related change that comes about due to DORA. Under the new regulations, financial services organizations will also be duty-bound to report any such incidents to a “knowledgeable body” within their national government.
This presents challenges, too, because that process depends heavily on the technological maturity of the market in question. Not every country has a body as knowledgeable as the Information Commissioner’s Office (UK) or Federal Trade Commission (USA), for instance, and that could ultimately lead to further confusion down the line.
150 days to go before DORA
comes into effect
2
4. Red-teaming Red-teaming—which is designed to test an organization’s cyber security in the same way that it would during a genuine attack—is already commonplace at many financial services organizations. The problem is, these exercises don’t always mimic a genuine attack, focusing more on “capture the flag” activities on different servers than testing the interconnected chain of services that a business depends on.
What’s more, with DORA mandating that financial entities conduct advanced testing using threat-led penetration testing (TLPT) every three years, demand for skilled testers is only going to increase. Already in short supply, that’s likely to have a knock-on effect on cost for those in pursuit of their services.
5. Cyber security drills DORA also includes provisions related to cyber security drills as part of its penetration testing requirements. As with the note on red teaming above, though, the current focus of many of these drills is on specific departments rather than the organization as a whole.
Once again, then, this is an issue of cultural change— with perceptions needing to shift away from protecting areas of individual responsibility and towards the organizational entity as a whole.
6. Documentation Documentation requirements are a key part of DORA. The idea is that financial services providers have solid plans to fall back on should a major IT incident occur. As such, organizations need to demonstrate they are prepared by creating documents that outline incident management processes and relationships with third party IT service providers.
This can be challenging for any organisation that doesn’t have prior experience of a cyber security incident. After all, you don’t know what you don’t know— and so identifying who you’ll contact in the instance of a breach can be difficult if you’re not already aware.
7. Personal liability Greater personal accountability has always been an essential aim of DORA. It directs Member States to establish individual civil liability for board members so board members could be held personally liable for failing to meet their obligations under DORA.
The regulations also go a step further. They don’t explicitly discuss potential criminal liability, but the option for individual criminal liability for board members is retained. While not explicitly stated in DORA, member states must decide whether to impose criminal penalties.
Regardless of their decision, this condition is likely to push DORA up the C-suite agenda—and pose Chief Information Security Officers with some potentially uncomfortable questions from their colleagues.
Clearly, DORA represents a major step up on previous requirements around cyber security within the financial services industry. And tempting though it may be to assume that—as was the case with the GDPR—there will be a lag before fines are issued, no one can say for sure when an actionable breach will take place.
All the same, as the implementation deadline draws closer, it’s worth remembering that —if you’re still squaring up to some of the more significant challenges presented by DORA—then you’re very much not alone.
© 2024 Check Point Software Technologies Ltd. All Rights Reserved. 3