
Operational Resilience Evolution to DORA (Digital Operational Resilience Act)

In the European Union, with the Digital Operational Resilience Act (DORA) effective for the finance sector and for credit unions from January 2028, building on the current Operational Resilience Framework toward compliance is imperative.

Approaching this legislative requirement in a methodical manner is important for successful delivery.

1. Perform a Risk and Gap Assessment

Identify critical ICT systems and assess their vulnerabilities. Evaluate third-party dependencies and potential cyber threats. Compare current practices against DORA requirements to identify gaps. Use frameworks like NIST or ISO 27001 to guide your assessment.

2. Develop a DORA Compliance Strategy

Create a roadmap with short- and long-term goals. Define key performance indicators (KPIs) for tracking progress. Establish a governance structure with clear roles and responsibilities.

3. Strengthen ICT Risk Management and Incident Response

Implement or update your ICT risk management framework. Develop incident response and business continuity plans, and ensure these plans are tested and updated regularly. Solutions like the CUE Ecosystem can help you align with these requirements natively.

4. Manage Third-Party Risks

Identify all ICT third-party service providers. Ensure contracts include resilience and security obligations. Monitor and assess third-party performance and risks continuously. Be realistic about what these deliverables require in practice, especially continuous monitoring: do not commit to something that you cannot practically deliver.

5. Reporting and Documentation

Incident Reporting: Report major ICT incidents within:

  • 4 hours of classification, or

  • 24 hours of initial detection.

Maintain detailed logs of incidents, responses, and recovery actions. Use automated tools like CUE for generating reports and audit trails. Ensure documentation is accessible for regulators and internal audits.

6. Conduct Testing and Ensure Continuous Improvement

Perform regular digital operational resilience testing, including:

  • Threat-led penetration testing

  • Scenario-based testing

Use test results to refine your resilience strategy. Maintain ongoing training and awareness for staff.

Frequently Asked Questions (FAQs)

01. If we are aligned to the Central Bank of Ireland Operational Resilience Guidelines of December 2021, how close are we to DORA compliance?

If your credit union is already aligned with the Central Bank of Ireland’s (CBI) Operational Resilience Guidelines from December 2021, you're substantially on the path to DORA compliance, but not fully there yet. Here's a clear breakdown:


✅ Where You’re Already Strong (CBI & DORA Alignment)

The CBI guidelines are built around three pillars:

  1. Identify and Prepare

  2. Respond and Adapt

  3. Recover and Learn

These pillars align well with DORA’s core principles, especially in:

  • Governance and accountability

  • Critical business service mapping

  • Incident response and recovery planning

  • Board-level oversight

The CBI has explicitly stated that its guidance is “compatible with and complementary to DORA” and that there are “no contradictions” between the two.


⚠️ Where Gaps May Exist (DORA-Specific Requirements)

Despite the strong alignment, DORA introduces more detailed and binding obligations, particularly in:

1. Legal Status

  • CBI Guidance: Non-binding recommendations issued by the Central Bank of Ireland.

  • DORA: A mandatory EU regulation that all financial entities must comply with.

2. ICT Incident Reporting

  • CBI Guidance: Offers general expectations around incident reporting.

  • DORA: Specifies strict timelines for reporting incidents (e.g., within 4 hours of classification or 24 hours of initial detection).

3. Third-Party Risk Management

  • CBI Guidance: Provides high-level expectations for managing third-party risks.

  • DORA: Requires detailed oversight and governance of ICT third-party service providers.

4. Resilience Testing

  • CBI Guidance: Encourages resilience testing as a best practice.

  • DORA: Makes resilience testing mandatory, including advanced methods like threat-led penetration testing (TLPT) for certain entities.

5. ICT Risk Management

  • CBI Guidance: Covers a broad range of operational risks.

  • DORA: Focuses specifically on digital operational resilience and ICT-related risks.

6. Supervisory Oversight

  • CBI Guidance: Supervised at the national level by the Central Bank of Ireland.

  • DORA: Enforced through coordinated EU-wide supervision and oversight.


🛠️ How Close Are You?

If you’ve implemented the CBI guidelines thoroughly:

  • You’re likely 60–75% aligned with DORA.

  • The remaining 25–40% involves:

    • Formalizing ICT-specific controls

    • Implementing structured reporting

    • Enhancing third-party oversight

    • Conducting DORA-level resilience testing

02. Does aligning to DORA help an organisation to align to the Central Bank of Ireland guidelines of December 2021?

Yes, aligning with DORA (Digital Operational Resilience Act) can significantly help your organization meet the Central Bank of Ireland’s (CBI) Operational Resilience Guidelines of December 2021, but with a few important nuances:

✅ Strong Compatibility

  • The CBI explicitly stated that its 2021 guidelines are “compatible with and complementary to DORA”.

  • There are no contradictions between the two frameworks.

  • The CBI committed to aligning its supervisory approach with international developments like DORA.

So, if you're implementing DORA, you're already covering many of the core principles of the CBI guidelines, especially in:

  • Governance and accountability

  • Critical service identification

  • Incident response and recovery

  • ICT risk management


⚠️ Key Differences to Be Aware Of

While DORA focuses specifically on digital operational resilience, the CBI guidelines cover all types of operational disruptions, not just digital. For example:

  • CBI’s scope includes physical disruptions, human error, and non-ICT-related risks.

  • DORA is more prescriptive in areas like:

    • ICT incident reporting timelines

    • Third-party ICT risk oversight

    • Threat-led penetration testing (TLPT)

So, while DORA alignment gives you a strong foundation, you may still need to broaden your scope slightly to fully meet the CBI’s expectations.


CBI Guidance vs. DORA: Key Differences

The Central Bank of Ireland (CBI) provides non-binding guidance, while the Digital Operational Resilience Act (DORA) is a mandatory EU regulation. DORA introduces stricter and more detailed requirements across several areas:

  • Incident Reporting: DORA mandates specific timelines (e.g., 4 and 24 hours), unlike CBI’s general expectations.

  • Third-Party Risk: DORA enforces detailed oversight of ICT third-party providers, whereas CBI offers high-level guidance.

  • Resilience Testing: Under DORA, testing is mandatory and includes advanced methods like threat-led penetration testing (TLPT); CBI only encourages such practices.

  • ICT Risk Management: DORA focuses specifically on digital operational resilience, while CBI covers broader operational risks.

  • Supervision: DORA is enforced at the EU level, promoting coordinated oversight, compared to CBI’s national-level supervision.

03. Will buying software solutions help me align to DORA? Is that a good starting point?

If your organization is aligned with the Central Bank of Ireland’s (CBI) Operational Resilience Guidelines of December 2021, you're already on a strong path toward DORA compliance. However, it's important to understand that DORA is not a software purchase; it is a strategic transformation.

🛑 DORA Compliance Doesn’t Start with Buying Tools

Many organizations mistakenly begin by investing in software. But DORA compliance starts with:

  • Identifying operational and ICT resilience gaps

  • Mapping existing controls to DORA requirements

  • Building a tailored, risk-based strategy

Only after this foundation is in place should you consider tools or platforms to support implementation.


✅ How DORA Alignment Supports CBI Guidelines

DORA’s structured, legally binding framework complements the CBI’s principles-based guidance. By aligning with DORA, you’re also addressing many of the CBI’s expectations—especially in governance, risk management, and incident response.

However, DORA focuses specifically on digital resilience, while the CBI’s guidelines cover all operational disruptions, including physical and human factors. So, a DORA-aligned strategy should be expanded slightly to fully meet CBI expectations.

04. What is the “Register of Information” and why is it important for DORA compliance?

The Register of Information is a mandatory documentation requirement under DORA. It must include:

  • All critical ICT services and systems

  • Details of third-party ICT providers

  • Your ICT risk management framework

  • Incident response procedures

  • Governance and oversight structures

This register must be maintained at the entity, sub-consolidated, and consolidated levels, and it serves as a central reference point for regulators to assess your digital operational resilience.

05. What happens if we don’t comply with DORA by the deadline?

Non-compliance with DORA can lead to significant regulatory consequences, including:

  • Fines of up to 1% of daily worldwide turnover

  • Increased supervisory scrutiny

  • Reputational damage

The compliance deadline is January 17, 2025 (and January 2028 for Credit Unions in Ireland), so organizations should act now to ensure readiness.

Schedule a free 30-minute consultation

Got questions? Talk to our consultants by booking a chat with us on our calendar.
