The European Union’s Digital Operational Resilience Act (DORA) is reshaping cybersecurity in the financial sector by introducing a regulatory framework aimed at strengthening the resilience of financial entities and their service providers against evolving cyber threats. As organizations accelerate cloud migration projects, priorities have shifted toward maintaining an optimal cloud security posture and ensuring accurate reporting on the expanding attack surface and compliance status of cloud assets. This article covers:
Who DORA Affects and Why It Matters
Key Components of DORA
Common Challenges of Implementing DORA Compliance
Addressing the Challenges of DORA Compliance with Wiz and Deloitte
Enforced from January of 2023 and applicable from January 17th 2025, DORA mandates that financial entities implement comprehensive cybersecurity measures to address potential risks. Not implementing DORA can lead to operational restrictions, reputational damage and penalties for non-compliance.
By proactively addressing the regulation's requirements, financial entities can not only achieve compliance but also fortify their operations against digital disruptions. DORA applies broadly to various entities within the financial sector, including banks, investment firms, payment service providers, insurance companies, cryptocurrency providers, and third-party Information and Communication Technology (ICT) providers (such as cloud service vendors). This comprehensive scope ensures that all stakeholders in the financial ecosystem adhere to high standards of resilience.
DORA's focus is on enhancing cyber resilience through several key components, including:
Governance: Senior management and boards are directly accountable for ensuring compliance with DORA, highlighting the importance of leadership in fostering a culture of resilience.
ICT Risk Management: Entities are required to establish robust frameworks to identify, mitigate, and report ICT risks effectively. A yearly internal audit has to be performed on the ICT risk management framework.
Incident Reporting: Entities must promptly report major ICT-related incidents to national authorities to maintain transparency and accountability.
Third-Party Risk Management: Entities must assess and manage risks associated with third-party ICT providers, ensuring comprehensive oversight of their supply chains.
Testing and Audit: Regular digital resilience testing, including penetration tests, is mandated to ensure preparedness against cyber threats.
Key Challenges of Implementing DORA Compliance
Deloitte conducted a comprehensive survey in 2025 to assess the readiness of financial entities in complying with DORA. The survey engaged 36 entities across 28 countries, primarily targeting Chief Information Security Officers (CISOs), Chief Risk Officers (CROs), and DORA Programme Managers within these entities. The objective was to gain insights into the challenges faced by these entities in their journey towards DORA compliance, as well as to evaluate their overall readiness in enhancing operational resilience against cyber threats.
DORA Budget: Around 64% will spend 2-5 million EUR on the DORA program, with an average of 5-8 FTE persons involved.
Key Challenges: The most pressing challenge identified by 46% of respondents is completing the DORA Register of Information, underscoring the complexities involved in documentation and compliance processes. 42% highlighted the segregation and segmentation of ICT systems as a major hurdle, emphasising the need for robust network security measures.
Identification of Critical or Important Functions (CIF): A considerable 64% identified between 20 to 30 Critical or Important Functions (CIF), showcasing the varied approaches to assessing and prioritising key operational areas.
Importance of Security Testing: Notably, 50% conduct weekly automated testing on systems supporting CIF, while 70% engage in annual penetration testing, highlighting a proactive approach to maintaining operational resilience.
Remaining Gaps: While 48% reported full compliance with DORA's Incident Management requirements, only 8% felt fully compliant with Digital Operational Resilience Testing and ICT Third-Party Risk Management. This indicates a significant gap that needs to be addressed.
Leveraging Partnerships: The survey reveals a strong inclination towards leveraging partnerships, with financial entities increasingly recognising the need for collaboration with experienced firms like Deloitte and Wiz. This partnership focuses on integrating advanced cybersecurity solutions and compliance strategies to navigate the regulatory landscape effectively.
Wiz is a cloud security solution helping organizations secure and ensure continuous compliance across their environment with Cloud Native Application Protection Platform (CNAPP) capabilities, also extending to on-premises environments. Wiz can help address DORA compliance challenges by increasing your resiliency and helping you demonstrate DORA compliance through the automatic security scan for cloud based, as well as on premise assets for various types of workloads. Providing this automated and real-time insight removes the need for manual evidence gathering, significantly speeding up the audit processes. The ability for Wiz to ingest metadata from a multi-cloud and on-premise infrastructure to analyse adherence to DORA requirements supports financial entities with creating clarity by providing a central overview of their complex, segregated and segmented ICT systems. Besides this central overview and the decreased need for manual evidence gathering, Wiz also scans new code changes as part of the building processes to ensure secure and efficient development. This allows you to adhere to the DORA compliance monitoring perspectives as stated in article 5 lid 2 letters A-C.
Early detection of risks due to the central overview of the entire IT environment
Automated and real time monitoring
Easy to install and use system
Continuous internal DORA compliance validations and the ability to report to regulators
The compliance posture dashboard (see Figure 1) in Wiz presents the compliance score to multiple security and compliance standards. The baseline as shown in Figure 1 is created to monitor your compliance based on the DORA requirements, in case an issue is detected by Wiz, the relevant DORA component is flagged within the issue. This highlights how risks may be mitigated for the affected assets. The DORA compliance dashboard is built into Wiz’s offering, making the governance of compliance available immediately from Wiz installation. This is a 5-minute process and allows you to scale it proportionally with your organization and IT environment.
The continual DORA posture management that Wiz performs and pushes out into any one of the 180 integration partners’ platforms as well as within detailed or executive level reports supports adherence to the ICT risk management and testing and auditing components of DORA. Prompt reporting of ICT-related incidents to national authorities is made possible by the detailed analysis that Wiz offers for the whole cloud digital estate. This may be tailored to surface only DORA compliance posture of specific areas of the estate including, Cloud Service Provider, Project, or Business Impact Status.
Figure 2 shows the technical analysis of the DORA Article ‘Bucket versioning should be enabled’. This overview shows that this organisation has 5 incidents of buckets without versioning enabled. It also shows the required details of the buckets to follow up on the observation and keeps an audit trail of the actions performed. This permits organisations to always comply with the DORA requirement of incident reporting.
Wiz provides a great tool for helping with DORA compliance. However there are non-technical competencies that need to be implemented to achieve compliance to all DORA requirements. This relates to, for instance, the required organization and governance setup, policies and processes, and performing follow up in case needed.
While many financial entities and ICT providers have existing compliance frameworks in place, implementing DORA will still require a bit of an uplift. While it shares common ground with established frameworks like SOC 2 and ISO 27001, DORA introduces specific requirements reflecting its targeted focus. Understanding these overlaps and distinctions is crucial for financial entities navigating their compliance landscape.
| Area/Domain | DORA | Overlap With SOC 2 and ISO | Gaps / Emphasis Introduced by DORA |
|---|---|---|---|
| Primary Focus & Scope | EU Financial Sector specific; mandates for ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing. Legally binding. | All address information security and risk management. | DORA is legally mandatory for a wide range of EU financial entities and ICT service providers to these entities, with less room for scoping flexibility compared to the voluntary and often customer-driven SOC 2 or the adaptable framework of ISO 27001. DORA often details what needs to be done and sometimes how, whereas ISO 27001 is more of a framework and SOC 2 reports on existing controls. |
| ICT Risk Management Framework | Mandates a comprehensive ICT risk management framework, including strategy, policies, procedures, and detection/response mechanisms. Specific governance requirements. | All require a structured approach to identifying, assessing, and mitigating risks. | DORA places explicit responsibility on the management body for ICT risk. It prescribes roles and governance structures. DORA requires more explicit and detailed Business Impact Analysis (BIA) focused on ICT disruptions. |
| ICT-Related Incident Management & Reporting | Detailed and harmonised incident classification, management process, and mandatory reporting to competent authorities within strict timelines. Requires root cause analysis. | All include processes for managing and responding to security incidents. | DORA imposes strict, harmonised timelines, and thresholds for reporting significant ICT incidents to regulators, which is not a direct component of SOC 2 or ISO 27001. Additionally, DORA introduces a specific classification methodology for ICT-related incidents. |
| Digital Operational Resilience Testing | Mandates a proportional and risk-based digital operational resilience testing program, including advanced TLPT for significant financial entities. | All frameworks advocate for testing the effectiveness of security controls. | DORA makes TLPT a requirement for designated significant financial entities, a more rigorous and specific testing requirement than typically found by default in SOC 2 or ISO 27001. DORA requires a broader, ongoing testing program beyond just penetration testing, covering a range of tools and techniques. |
| ICT Third-Party Risk Management (TPRM) | Extensive and prescriptive requirements for managing risks from ICT third-party service providers throughout the entire lifecycle of contractual arrangements. | All recognise the risks associated with third-party suppliers and require some form of management. | DORA introduces a unique EU-level oversight framework for designated Critical ICT Third-Party Providers. DORA specifies mandatory contractual clauses for arrangements with ICT third-party providers. DORA requires financial entities to assess and manage ICT concentration risk arising from third-party dependencies. |
| Information Sharing | Encourages voluntary information and intelligence sharing among financial entities regarding cyber threats and vulnerabilities. | All frameworks indirectly support the value of threat intelligence. | DORA actively promotes and provides a framework for the voluntary exchange of cyber threat information and intelligence among financial entities to enhance collective resilience. |
| Business Continuity & Disaster Recovery (BCDR) | Strong emphasis on ICT business continuity and disaster recovery plans, linked to business impact analyses and resilience testing. Requires restoration time objectives (RTOs) and recovery point objectives (RPOs). | All emphasise the need for BCDR planning and testing to ensure operational continuity. | While BCDR is common, DORA places a very strong and specific emphasis on ICT service continuity and recovery from cyber incidents as a core component of operational resilience, potentially requiring more granular and frequently tested ICT recovery plans. |
| Continuous Improvement | Implies continuous improvement through ongoing monitoring, review, and adaptation of the ICT risk management framework and resilience measures. | All frameworks promote the idea of learning and evolving security and resilience practices. | DORA's requirements for ongoing monitoring, learning, and adapting are tightly coupled with the evolving nature of cyber threats and the need to maintain operational resilience in a dynamic environment, often with regulatory scrutiny. |
Figure 3 shows the Wiz Compliance Heatmap that facilitates the prioritization of non-compliant assets within an organisation’s infrastructure to the specific DORA articles.
DORA represents a significant step towards enhancing cybersecurity within the financial sector. While DORA poses challenges in terms of compliance and risk management, it also offers opportunities for entities to strengthen their operational resilience through proactive measures. By adopting tools like Wiz and engaging with Deloitte's expertise and experience, financial entities can effectively navigate the regulatory landscape, address current and future cybersecurity challenges, and ensure their readiness against potential disruptions.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。