The Implications of DORA Starting Today: Opportunities for Integrated Risk Management to Drive Resilience

Today, January 17, 2025, marks a turning point for the European financial sector as the Digital Operational Resilience Act (DORA) officially takes effect. This comprehensive EU regulation introduces a harmonized framework for managing ICT risks, requiring financial institutions and their ICT third-party service providers (TPSPs) to meet stringent requirements for governance, incident reporting, and resilience.

While much of 2024 was spent preparing for this moment, DORA’s implementation is not the end of the journey. Organizations must now sustain compliance while addressing broader business objectives. Integrated Risk Management (IRM) offers a pathway to achieve not only DORA compliance but also enhanced performance, resilience, and assurance.

This article explores the implications of DORA, highlights the four key objectives of IRM, and provides guidance for financial institutions as they navigate this new regulatory environment. For further insights, visit wheelhouseadvisors.com.

Why January 17 Matters

DORA’s entry into force transforms how financial institutions approach digital risk management. Its emphasis on a unified regulatory framework, third-party oversight, and board accountability represents a significant shift for the industry.

  1. A Unified Framework for Resilience

    DORA harmonizes ICT risk management across the EU, replacing fragmented national regulations. While this creates consistency, the centralization of supervisory oversight by the European Supervisory Authorities (ESAs) introduces challenges, especially for organizations operating across borders.

  2. Strengthened Third-Party Risk Management

    DORA requires rigorous oversight of ICT TPSPs, recognizing their critical role in financial ecosystems. Institutions must ensure their TPSPs comply with DORA’s due diligence, subcontractor oversight, and threat-led penetration testing (TLPT) requirements, addressing a key vulnerability in cybersecurity.

  3. Governance and Accountability at the Top

    The regulation places ultimate responsibility for ICT risk management on boards of directors. This calls for active engagement in approving and overseeing risk frameworks, supported by cross-functional collaboration among compliance, IT, and legal teams.

  4. Immediate Regulatory Deadlines

    The ESAs’ first major milestone, the submission of the Register of Information (RoI), is due by April 30, 2025. Financial institutions must act now to prepare accurate and comprehensive data submissions.

For detailed guidance on these obligations, consult Regulation (EU) 2022/2554 and the accompanying Regulatory Technical Standards (RTS).

How IRM Supports DORA Compliance and Business Objectives

Integrated Risk Management (IRM) frameworks are essential for addressing DORA’s requirements while aligning with broader organizational goals. IRM enables financial institutions to manage risk through four key objectives: performance, resilience, assurance, and compliance.

  1. Performance: Aligning Risk with Business Goals

    DORA compliance should not exist in isolation—it must support overall business objectives. IRM frameworks ensure that ICT risk management is integrated into strategic planning, enabling organizations to identify and mitigate risks that could impact operations, customer experience, or profitability. For example:

    • IRM platforms enable real-time visibility into risk exposure, helping institutions prioritize resources and investments effectively.

    • Metrics from IRM tools can demonstrate how risk management initiatives contribute to improved operational performance.

  2. Resilience: Ensuring Business Continuity

    DORA’s ultimate goal is to enhance the financial sector’s resilience against digital threats. IRM supports this by providing a holistic view of risks and interdependencies across ICT systems, enabling proactive mitigation strategies. Key features include:

    • Scenario analysis and stress testing to prepare for potential disruptions.

    • Integration of incident response protocols with broader business continuity plans to minimize downtime and maintain customer trust.

  3. Assurance: Building Stakeholder Confidence

    Under DORA, boards of directors are directly accountable for ICT risk management. IRM frameworks provide the transparency and accountability needed to assure stakeholders—regulators, investors, and customers—that risks are being managed effectively.

    • IRM platforms automate reporting and documentation, simplifying the preparation of regulatory submissions like the RoI.

    • Enhanced visibility into risk management activities demonstrates a commitment to governance and resilience, building trust with stakeholders.

  4. Compliance: Meeting Regulatory Obligations

    DORA’s requirements for ICT risk management, TPSP oversight, and incident reporting demand a comprehensive compliance approach. IRM ensures institutions meet these obligations while avoiding duplication of effort across regulatory frameworks. Examples include:

    • Automating compliance tracking and monitoring to stay ahead of evolving regulatory requirements.

    • Aligning contractual arrangements with TPSPs to meet DORA’s proportionality and subcontractor flow-down obligations.

Immediate Priorities for Financial Institutions

As DORA enforcement begins, financial institutions should focus on the following:

  1. Engage the Board of Directors

    Boards must actively oversee ICT risk management, supported by targeted training on DORA’s requirements and digital resilience strategies. Establishing dedicated resilience committees can enhance accountability.

  2. Prepare for RoI Submission

    With the first RoI submissions due in April, institutions must establish robust data collection and validation processes. IRM tools can streamline these efforts, ensuring timely and accurate reporting.

  3. Strengthen Incident Response Protocols

    DORA’s incident reporting requirements demand swift action and coordination. Regular drills, scenario testing, and clearly defined communication protocols are essential to responding effectively to cyber incidents.

  4. Collaborate with ICT TPSPs

    Engage TPSPs to align contracts with DORA’s requirements, including TLPT support and subcontractor oversight. Collaboration is critical to managing these relationships effectively.

January 17: A New Era of Risk Management

Today marks the start of a transformative journey for the European financial sector. By embedding DORA’s principles into their operations, financial institutions can achieve more than compliance—they can enhance performance, build resilience, and assure stakeholders of their commitment to risk management.

Integrated Risk Management offers the tools and strategies to make this possible, aligning regulatory obligations with business objectives. For tailored guidance on leveraging IRM to navigate DORA, visit wheelhouseadvisors.com.

The clock has started. How will your organization respond?

Ori Wellington

Orion "Ori" Wellington is an integral part of the Wheelhouse Advisors team, bringing extensive expertise in risk management and technology. With a background that includes roles such as Risk Analyst, Information Security Specialist, and IT Project Manager, Ori contributes to helping organizations navigate complex risk and technology challenges.

At Wheelhouse Advisors, Ori focuses on supporting clients in the ever-changing landscape of risk management. This well-rounded experience enhances the success of both clients and the company. Committed to continuous learning, Ori is a valued member of the Wheelhouse Advisors team.

https://wheelhouseadvisors.com