Five areas firms must recalibrate IT policy to meet DORA requirements

The EU’s Digital Operational Resilience Act mandates that financial institutions across the EU must ensure their IT systems are robust enough to withstand severe disruptions. Marija Devic, a consultant at Capco, explains the progress made so far on DORA implementation, and what firms can do to ensure ongoing compliance throughout their European operations.
The EU’s Digital Operational Resilience Act (DORA) regulation is now in effect. With a focus on information and communication technology risks, it has already “raised a bar and imposed prescriptive requirements for a broad range of financial entities and third-party service providers”, according to Marija Devic.
According to the Capco consultant, the regulation aims to enhance “operational resilience and ensure robust measures are in place to prevent, detect, respond to, and recover from ICT-related incidents and disruptions” – helping safeguard the increasingly digital economy from sudden shocks resulting from breaches.
Capco – a company now part of Wipro – is a global management and technology consultancy specialising in driving digital transformation in the financial services industry. With a growing client portfolio comprising over 100 global organisations, it is also well placed to see how firms are shaping up in their DORA preparedness.
“While firms have made progress for Day 1 go-live,” Devic continues, “there is a substantive book of work to complete in 2025 and beyond (Day 2) to ensure compliance with the regulation and build strategic operational resilience capability.”
Now, firms must “plan their Day 2 remediation activities”, something which Devic contends must ensure companies can “demonstrate to their customers, regulators and other stakeholders their commitment to maintaining a high level of digital operational resilience”. In order to help firms do that, Devic spells out five common areas where Capco expect firms to focus in 2025 to achieve DORA compliance effectively and efficiently and drive broader transformational change.
1. Third-party risk management
Devic notes, “Augmentation of ICT third-party risk management practices, including completion of registers of information and negotiation and amendments to contracts for all remaining ICT third-party service providers, enhancements of concentration risk frameworks, and development of exit plans and testing for all ICT third-party service providers supporting Critical or Important Functions (CIFs).”
2. ICT risk management framework and tools
“Enhancement of internal governance and control frameworks, processes, systems, tools and measures / key performance indicators (KPIs) and key risk indicators (KRIs)” can help enable effective management of all ICT risks, Devic adds. Addressing gaps in technology and cyber provisions, such as network segmentation, encryption and cryptographic controls, anomalous activity detection, and logging protocols and tools, is also important.
3. Testing
This will require expanding the scope, alignment and sophistication of existing practices and tests. This comes under the overarching “digital operational resilience testing” programme, “for example, scenario testing, TLPT”.
4. Incident management and reporting
Firms will still need to retool how they report security attacks and incidents. This includes “alignment of incident management processes, classification and reporting format and process to DORA’s requirements”.
5. Integration and efficiency
Finally, firms need to focus on integrating their global operational resilience and risk capabilities. In response to DORA, they will need to rework their definition of “a sustainable framework and operating model and streamlining and realising efficiency gains through use of technology and GenAI.”