After DORA – Improving the Efficiency of Digital Operational Resilience
By Matthias Döring, Senior Manager at d-fine
Financial institutions in the EU are required to comply with the DORA regulation. Many implementation projects were limited in terms of time and budget, often resulting in solutions that are audit-proof but not always operationally efficient, leading to a high workload. This article answers the question of how digital operational resilience can be made more efficient.
Since 17 January 2025, financial institutions in the European Union have been expected to have implemented the European Digital Operational Resilience Act (DORA).
While some are still struggling with major challenges such as comprehensive encryption of their systems or security requirements along supply chains, others are now entering calmer waters. However, the DORA projects, limited in time and budget, have left their mark on financial institutions. Typically, such projects create solutions that claim to withstand audits but often lack operational efficiency. The high additional workload, combined with the sheer number of newly introduced policies and facilities, places excessive strain on employees and systems. This even poses the risk that DORA’s ambitious goals will be missed for the time being.
With the DORA projects gradually coming to an end, the fog is now clearing, allowing us to look ahead. This article highlights a typical constellation that can be encountered in a financial institution and is intended to provide some ideas for a possible solution.
Opportunities for Improving Security Along Supply Chains
Initially, it was planned that the authorities would provide DORA standard contractual clauses for specific cases (DORA, Art. 30, para. 4). However, these have not yet materialized. Strictly speaking, this is not surprising: just as companies struggle with third-party agreements, it is also a considerable challenge for authorities to draft suitable, DORA-compliant standard contracts covering all conceivable cases.
The current situation is therefore one of highly individualized contracts. Financial institutions have drafted their own DORA contract annexes, but must also partially accept the contracts and terms and conditions of large IT service providers and software firms. In the latter case, one challenge is that many IT firms are still unfamiliar with DORA and instead rely on standards such as ISO 27001 as their reference points.
The links between the contract content and the text sections of DORA or the institution’s internal information security controls are not always easy to establish. This is because, on the one hand, DORA has not yet reached all IT service providers in its entirety, and, on the other hand, existing contractual wording from the pre-DORA era has been carried over unless there was an obvious need for change. Discrepancies between the wording of the legal text, common information security standards, and individually created information security controls not only complicate classification but often lead to a debate about whether a contract actually meets the company’s own information security requirements.
What are possible solutions to this dilemma? Since the authorities have not provided one, it makes sense to set one’s own standards. Where possible, companies are advised to join industry associations (as the public banks do in the Association of Public Banks in Germany, for example) and develop common standards. This increases the quality of contract templates and also improves the companies’ position vis-à-vis IT service providers. The latter find it easier when they receive contract drafts from a customer that they are already familiar with from other customers.
Regardless, a financial institution can also create the conditions within its own ISMS that make it easier to pass requirements on to service providers. A first step is to compare the DORA requirements with internationally recognized information security controls, such as those found in the ISO 27001 standard. This already reveals a large overlap of requirements that are the same in DORA and ISO 27001, or that at least fall under the same subject areas. With a set of controls that is aligned as closely as possible with ISO 27001 and expanded to include the DORA-specific requirements, standard contracts that are understandable and acceptable to service providers can be formulated much more easily than with other methods.
Another challenge frequently encountered in service provider relationships is verifying and demonstrating that the service provider has implemented the agreed information security controls appropriately and effectively. In the worst case, the financial institution receives a multitude of differently formatted reports on the service provider’s operational stability, such as audit reports according to ISAE 3402 Type 2, whose statements and contents the financial institution’s employees must then map onto the controls of its own ISMS. Self-created questionnaires tailored to the institution’s own ISMS are better and much easier for the financial institution to manage. These questionnaires can be distributed to the service providers, the answers collected, and the results processed semi-automatically. The consistency of the service provider’s answers with the audit reports then only needs to be checked on a sample basis.
To further operationalize the whole process, the financial institution can also provide centralized reporting platforms for service providers, who then use these platforms to submit their self-assessments or reports. This eliminates the need for financial institution employees to engage in one-on-one communication. Of course, such platforms only pay off with a certain number of service providers.
General Approach for Improvement
Opportunities for improvement in the various DORA topics can be identified by assessing all DORA-relevant processes using a set of standard questions, such as the following:
- Are there interfaces between different management systems (e.g., information security, service provider, emergency management systems) and how can the management systems be aligned?
- Can information security requirements be standardized?
- Can information sources be consolidated?
- Can reports to different recipients be synchronized?
- Can third-party information security requirements be scaled down to meet only the minimum standards set by DORA?
Based on the evaluation of these possibilities, improvement plans can be drawn up and implemented.
Following this approach, companies are in a good starting position to maintain operational resilience efficiently in the future.
This insight was published in the DLA Quarterly Briefing 3/25 on October 17, 2025.