Getting ready for DORA: download our practical guide

Your ultimate DORA Guide - All you need to get started

As the DORA deadline approaches, our customers are asking us more questions about this regulation. Maybe you're facing this too. Our ultimate guide to DORA is full of practical tips from our cybersecurity experts, to help you get started.

Questions our customers ask about DORA

• Does DORA apply to my organization?
• Which cybersecurity measures does DORA request for my company and what does that mean in practice?
• What are penalties for non-compliance?
• My organization is ISO 27001 certified: does that mean we are ready for DORA?
• Where do I start to reach DORA compliance?

Read all about it in our in-depth DORA guide.

What is DORA?

The Digital Operational Resilience Act, or DORA, is a European directive focused on digital resilience within the financial sector. DORA places obligations on financial organizations. The directive goes into effect on January 17, 2025.

What are the most important requirements of DORA?

DORA’s obligations can be roughly divided into five groups, says Jelmer Noordam of CC Security: ‘The first is risk management. In an ongoing cycle, risks, vulnerabilities and threats must be identified in order to implement targeted policies and measures.’

In addition, DORA has requirements around testing and auditing, for example, annual pen testing and triennial Threat Led Penetration Testing. DORA also requires monitoring of ICT service providers and up-to-date ICT incident management. Finally, there are new expectations around information sharing.

The aspect of information exchange will involve new processes, says Noordam: ‘For example, the mandatory reporting of serious ICT incidents. But the law also opens up the possibility of communication exchange within the sector. This can include knowledge about incidents, hacking attempts, information about the threat picture and tips and advice to improve cybersecurity policies.’