
Navigating DORA: What Should Your Business Be Doing About It?

27 June, Business IT Support

Don’t Let DORA Catch You Off Guard: A Summary

The Digital Operational Resilience Act (DORA) is new EU legislation requiring financial institutions and their tech providers to build stronger, more resilient digital systems. You’ll need a solid risk management plan, incident response procedures, resilience testing, and oversight of third-party ICT services. Whether you’re based in the EU or serve EU clients, you’ll be expected to prove that your systems can survive cyberattacks and outages. Start planning now with proper assessments, testing, and risk controls. Labyrinth can guide you through it step by step.

DORA Is Here. Are You Ready for It?

If you’re running a business that touches the financial sector in any way, from a credit institution to an investment firm to a tech supplier supporting them, the Digital Operational Resilience Act (DORA) is something you need to take seriously. Even if your business is based in the UK, if you deal with the EU or EU-based financial institutions, you can’t ignore it.

DORA isn’t just more compliance for compliance’s sake. It’s a structured, sensible approach to something we’ve all been needing for a while: better digital resilience. In other words, making sure your tech systems can take a hit and bounce back quickly from significant cyber threats.

So let’s cut through the legal language and talk about what DORA means, what you need to do, and how you can get ahead of the curve.


What is DORA, Exactly?

The Digital Operational Resilience Act, or DORA, is a regulation passed by the European Parliament and Council. It’s part of the EU digital finance package and came into force in January 2023, with full compliance required by January 2025.

In a nutshell, DORA is about making sure financial entities can keep operating through digital disruption, cyberattacks, or tech failures. It’s not just about preventing risk, it’s about being ready when (not if) something goes wrong.

And it doesn’t just affect banks and insurers. It includes payment institutions, investment firms, asset management companies, and even third-party ICT service providers, the people who run the infrastructure in the background.

If you’re providing ICT services to a financial institution operating in the EU, this applies to you.


Why It Matters More Than Ever


We’re all becoming increasingly dependent on information and communication technology (ICT) to run daily business operations. Financial services in particular are fully digital now. That’s great for speed, but it also means if your systems go down, so does your business. Or worse, your client’s business.

Cyber threats are getting smarter. Ransomware attacks are rising. Supply chain weaknesses are being exploited. Regulators know this, and DORA is their answer to tightening things up.

But here’s the thing: DORA isn’t about punishing businesses. It’s about creating a common standard, improving accountability, and protecting the financial system as a whole. So rather than viewing it as a tick-box exercise, smart businesses are seeing it as a blueprint for building lasting operational resilience.


What Does DORA Require You To Do?

There are five key areas you need to focus on to meet DORA’s requirements.

ICT Risk Management Framework

You need a solid, documented plan that covers how you manage digital risks. This includes everything from hardware failures to cyberattacks. Your ICT risk management framework should include roles and responsibilities, asset inventories, risk assessments, protection and prevention measures, and clear steps to recover from ICT-related incidents.

The plan needs to be kept up to date and tested regularly. That means it’s not just a document you create once and forget. It becomes part of your ongoing risk management process.

Handling ICT-Related Incidents

You’ll need a process for identifying, recording, and reporting major ICT-related incidents. This includes payment-related security incidents, system outages, or any event that disrupts key services.

Depending on the severity, incidents must be reported to your national or EU competent authorities, such as the European Banking Authority, the European Securities and Markets Authority, or the European Insurance and Occupational Pensions Authority. They’ll assess the risks and provide guidance, or in some cases, enforce corrective action.

Digital Operational Resilience Testing

Testing isn’t just encouraged, it’s required. You need to carry out regular assessments of your systems’ ability to withstand attacks and disruptions. This could include penetration testing, vulnerability scans, or more advanced threat-led penetration testing (TLPT) scenarios.

Firms that perform critical or important functions, or support others who do, need to take this seriously. It’s not just about ticking boxes. It’s about proving that your systems can survive a severe operational disruption.

Managing ICT Third-Party Risk

You can’t just assume your vendors have it sorted. If you’re relying on ICT third-party providers, you’re expected to assess them thoroughly. DORA introduces an oversight framework to monitor critical third-party providers, making sure they meet resilience standards too.

This includes cloud providers, data centres, or any third-party ICT service handling key operations for you or your clients.

You need to assess risks before signing contracts, monitor performance, include termination clauses, and regularly review their compliance. In short: if they go down, you’re still responsible.

Information Sharing and Learning

DORA encourages a more open culture around incident reporting and threat sharing. Businesses are expected to join information-sharing arrangements with peers or industry bodies. This helps everyone stay ahead of emerging significant cyber threats.

You also need to learn from incidents. Not just your own, but others in the market. This means documenting lessons learned and folding them into your risk management approach.


What Should You Be Doing Now?

Let’s say you’ve just heard about DORA. You’ve got time, but not much. Here’s what we recommend:

Start with a comprehensive gap assessment.

You need to know where you are now before you can plan ahead. At Labyrinth, we do this with a clear scorecard, aligned with the DORA regulation and its implementing technical standards.

Build or review your ICT risk management tools and procedures.

Are they fit for purpose? Are they aligned with your business continuity policies? Have they been tested recently?

Check your third-party service providers.

Who’s delivering your ICT services? Are they supporting anything that would be considered a critical or important function? Do you have SLAs in place? Do they have proven resilience?

Begin your digital operational resilience testing now.

Don’t wait for a regulator to tell you to do it. This is about safeguarding your business. You’ll also want to assign people to incident response roles, create a reporting plan, and run practice exercises.

Finally, stay informed.

Keep an eye on the European Commission, European Council, and relevant national competent authorities. Updates, technical specifications, and compliance guidance are still being released. Staying up to date will help you prepare smarter.


Why Work with Labyrinth?


We’re a London-based outsourced IT support company, but we work far beyond basic fixes. When it comes to compliance, security, and resilience, we go deep.

We’ve helped businesses across sectors build robust, future-proofed ICT risk management frameworks. We’re experienced with financial services institutions and their regulatory needs, especially around third party risk management, incident reporting, and technical standards.

What makes us different? We don’t bury you in confusing terms and legislation. We translate DORA’s technical demands into practical steps you can take now, provide real-life testing, and make sure your people are trained and your systems are actually doing what they’re supposed to do.

Whether you’re an SME supporting a credit institution, or a vendor building software for investment firms, we can help you maintain resilient ICT systems and stay ahead of the curve.


Wrapping Up

The Digital Operational Resilience Act isn’t just another regulatory hoop. It’s a call to action. A chance to look at your systems and processes and ask: are we ready? Can we recover from a major ICT failure? Are we protecting our clients and our own future?

With threats evolving and regulation tightening, now’s the time to act. Use DORA as a framework to build a stronger, safer business, one that’s not only compliant, but confident.

If you’re not sure where to start, or you’d like a second opinion on how resilient your systems really are, let’s talk.

Get in touch with Labyrinth today, and let’s walk through your setup together. We’ll help you understand your risk exposure, assess your third parties, and put you on the right path to full compliance, and real digital resilience.

Irfan Dulloo
About the author

Empowering London Businesses with Efficient IT Solutions to Save Time and Stay Ahead of the Competition.
