The Digital Operational Resilience Act (DORA) is an EU financial regulation for managing IT risks and security incidents, taking effect in January 2025, leaving less than two months for organizations to prepare. DORA regulations affect banks, insurance companies, investment firms, and information & communications technology (ICT) service providers.
Yet many financial companies haven't started getting ready for DORA, risking fines of up to €22 million or 2% of yearly income (whichever is higher). Banks can also lose their authorization to operate and face strict audits. Some organizations try to prepare for the upcoming changes manually, taking an unnecessary risk with their business. These days we have many tools to automate routine tasks, such as documenting incident details, that don't cost an arm and a leg.
What are the requirements?
Financial institutions need to align with the following requirements:
1. Incident Management: Major incidents demand immediate action with a 2-hour reporting window, including initial assessment and senior management notification. Significant incidents allow 4 hours for the first report. Furthermore, DORA requires complete incident documentation covering root cause analysis, business impact, and corrective actions within a month.
2. Testing Schedule: Organizations must perform basic security testing annually, including vulnerability scans and configuration reviews. Advanced testing, involving network penetration and application security checks, must happen every 3 years. Large financial institutions require threat-led penetration testing (TLPT) on critical systems in the same 3-year cycle.
3. Recovery Standards: Critical functions demand a 2-hour recovery time objective (RTO), with a maximum 15-minute data loss window (RPO) for transaction and customer data systems. Full-service restoration, including customer access and data verification, must be completed within 4 hours.
4. Third-party Risk Controls: Annual service provider assessments examine security, financial health, and operational capabilities. Contract reviews occur every 3 years. Exit strategies require yearly testing, including backup provider readiness and data portability verification.
5. Documentation Requirements: Incident records require 5-year retention, encompassing all communications and response actions. Risk assessments and test results need 3-year storage, including methodologies, findings, and follow-up actions.
Looking at these strict timelines and requirements, it's clear that complying with DORA by hand is nearly impossible.
How to Speed Up DORA Implementation
Security Orchestration, Automation and Response (SOAR) platforms are the fastest and most reliable option. Modern SOAR platforms can cut implementation time by 60–70% by partially or fully covering the aspects mentioned above.
In terms of Incident Management, SOAR platforms handle every aspect needed. They pick up and sort incidents automatically, notify management immediately, and keep track of those crucial 2-hour and 4-hour deadlines. Some modern SOAR systems can even connect directly with authorities for reporting, gather all needed documents, find root causes, and figure out business impacts – all on their own.
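To make the deadline tracking described above concrete, here is an added example (not code from the article or from any SOAR product) of the kind of check a SOAR playbook would run over its case records. It uses the timelines the article quotes (2-hour and 4-hour initial reports, final documentation within a month, the 2-hour RTO, 15-minute RPO and 4-hour full restoration from the Recovery Standards section) as configured thresholds; the `Incident` field names, the 30-day reading of "within a month", and the sample records are all assumptions constructed for this example.

```python
"""Deadline tracker for the DORA-style timelines quoted in the article.

Constructed example: thresholds are the numbers the article gives (not the
regulation text), the incident records are made up, and the field names are
assumptions about what a SOAR case record would hold.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

# Thresholds as quoted in the article.
INITIAL_REPORT_WINDOW = {"major": timedelta(hours=2), "significant": timedelta(hours=4)}
FINAL_REPORT_WINDOW = timedelta(days=30)   # "within a month"; 30 days assumed
RTO = timedelta(hours=2)                   # critical-function recovery time objective
RPO = timedelta(minutes=15)                # maximum tolerated data loss
FULL_RESTORE_WINDOW = timedelta(hours=4)   # full service restoration


@dataclass
class Incident:
    """Minimal case record; field names are assumptions for this example."""
    incident_id: str
    severity: str                      # "major" or "significant"
    detected_at: datetime
    initial_report_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None
    outage_started_at: Optional[datetime] = None
    function_restored_at: Optional[datetime] = None
    last_consistent_data_at: Optional[datetime] = None
    full_service_restored_at: Optional[datetime] = None


def _deadline_status(done_at, deadline, now):
    """Classify one deadline as met / late / overdue / pending."""
    if done_at is not None:
        return "met" if done_at <= deadline else "late"
    return "overdue" if now > deadline else "pending"


def check_incident(inc: Incident, now: datetime) -> dict:
    """Evaluate every timeline the article lists for a single incident."""
    if inc.severity not in INITIAL_REPORT_WINDOW:
        raise ValueError(f"unknown severity {inc.severity!r}")
    result = {
        "initial_report": _deadline_status(
            inc.initial_report_at,
            inc.detected_at + INITIAL_REPORT_WINDOW[inc.severity], now),
        "final_report": _deadline_status(
            inc.final_report_at, inc.detected_at + FINAL_REPORT_WINDOW, now),
    }
    if inc.outage_started_at is not None:   # recovery checks only apply to outages
        result["rto"] = _deadline_status(
            inc.function_restored_at, inc.outage_started_at + RTO, now)
        result["full_restore"] = _deadline_status(
            inc.full_service_restored_at, inc.outage_started_at + FULL_RESTORE_WINDOW, now)
        if inc.last_consistent_data_at is not None:
            lost = inc.outage_started_at - inc.last_consistent_data_at
            result["rpo"] = "met" if lost <= RPO else "breached"
    return result


def escalations(incidents, now):
    """Ids of incidents with any late, overdue or breached check: the set a
    playbook would escalate to senior management."""
    bad = {"late", "overdue", "breached"}
    return sorted(i.incident_id for i in incidents
                  if bad & set(check_incident(i, now).values()))


# Constructed sample records, all detected at T0.
T0 = datetime(2025, 1, 20, 9, 0, tzinfo=UTC)
SAMPLE_NOW = T0 + timedelta(hours=5)
SAMPLE_INCIDENTS = [
    # Major incident: reported after 90 min, recovered in time, 10 min of data lost.
    Incident("INC-1", "major", T0,
             initial_report_at=T0 + timedelta(minutes=90),
             outage_started_at=T0,
             function_restored_at=T0 + timedelta(minutes=100),
             last_consistent_data_at=T0 - timedelta(minutes=10),
             full_service_restored_at=T0 + timedelta(hours=3)),
    # Significant incident: still unreported five hours after detection.
    Incident("INC-2", "significant", T0),
    # Major incident: reported after 3 h (late) and 20 min of data lost (RPO breached).
    Incident("INC-3", "major", T0,
             initial_report_at=T0 + timedelta(hours=3),
             outage_started_at=T0 + timedelta(minutes=5),
             function_restored_at=T0 + timedelta(hours=1),
             last_consistent_data_at=T0 - timedelta(minutes=15),
             full_service_restored_at=T0 + timedelta(hours=2)),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, check_incident(inc, SAMPLE_INCIDENTS and SAMPLE_NOW))
    print("escalate:", escalations(SAMPLE_INCIDENTS, SAMPLE_NOW))
```

The distinction between `overdue` (nothing filed and the window has passed) and `late` (filed, but after the window) matters in practice: the first still needs an immediate action, the second needs to be recorded as a compliance deviation in the incident documentation.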
The Testing Schedule support is good but not complete. SOAR platforms can set up and track when tests need to happen, run basic security checks, and work with other scanning tools. They're great at documenting everything that happens during tests. But they can't do the heavy lifting of penetration testing or replace specialized security tests – that still needs human experts.
For Recovery Standards, SOAR platforms help but won't solve everything. They watch recovery happening in real-time and can get some systems back up automatically. They'll track how long recovery takes and how much data might be lost. But they can't physically fix broken systems or replace your backup setup.
Third-party Risk Controls get solid backing from SOAR platforms. They track contracts with IT providers, keep an eye on security risks using AI, schedule regular checkups, and watch how providers are doing day-to-day. They even help test backup plans automatically. The only thing they can't do is check if providers are financially healthy – that needs different tools.
Documentation Requirements? SOAR platforms have got this covered completely. Most of them create and store records automatically, keep everything in standard formats, and track how long to keep different documents. When auditors come knocking, finding records is quick and easy. Plus, they back everything up automatically and keep track of all security policies.
With January 2025 approaching fast, financial organizations must wrap up their DORA preparation, and manual preparation is not an option here, as it takes too long and risks missing critical points. Modern SOAR platforms are the best value for money when it comes to meeting the upcoming regulations in the short term without unnecessary risks.
While SOAR platforms can't handle everything – like penetration testing or financial health assessments – they effectively manage most DORA requirements. The choice is clear: either start DORA preparation now using automation tools or risk facing significant consequences in the near future.
Mike Admon is the CEO of Unipath (Finsec Innovation Lab's portfolio startup)