
Countdown to DORA: Tips on Managing DORA’s Compliance Requirements

The countdown for the Digital Operational Resilience Act (DORA) is underway. With the regulation set to come into effect on 17 January 2025, many organisations are scrambling to ensure they are prepared. They don’t have to face this challenge alone though, as firms like Vanta can help ensure compliance.

In a recent webinar, Countdown to DORA: Preparing for Compliance, Faisal Khan, GRC solutions specialist at Vanta, and Lazar Lazarov, head of information security at BVNK, a stablecoin payments infrastructure provider, discuss the DORA framework. They cover what it is, how to prepare for it and who it applies to, as well as how BVNK has managed its own DORA journey.

Discover more insights from the Vanta DORA compliance webinar.

What is DORA?

Khan kicked off the conversation by saying, “At its core, DORA is an EU regulation aimed at strengthening the digital operational resilience of the financial sector. Summatively, it’s a framework that ensures financial institutions have stability in their operations and can withstand all types of tech disruptions and cyber threats.”

He went on to outline the five pillars of DORA: “When talking to a customer, I frame the regulation as mandating a very balanced security programme for in-scope organisations. Ultimately, DORA is promoting the resilience of organisations.”

5 pillars of DORA

While financial institutions like banks and insurance companies are most often considered when it comes to getting DORA compliant, ICT third-party service providers that provide services to them are also subject to the regulation.

Reflecting on his experience at BVNK, Lazarov notes that one of the challenges the organisation has faced in its compliance process has been understanding which third-party partners fall within the scope of the regulation.

Given the interconnectivity of tools and processes, Lazarov said: “My advice is to err on the side of adding more vendors rather than fewer: we want them to deliver what we need, and DORA is the perfect way to get those additional assurances.”

Khan then highlighted the importance of complying with DORA: firms that fail to comply could be fined millions of euros.

How can Vanta help?

The journey to becoming compliant with DORA can be tricky. Vanta provides tools that aim to streamline this process for organisations. Its service includes an automated compliance solution featuring a prebuilt framework, which maps out the DORA requirements as necessary controls for organisations to implement. This ensures that companies properly adhere to the current regulations and are well-prepared for any future amendments or updates to it.

How Vanta helped BVNK get compliant

Lazarov described Vanta as “instrumental” in connecting all the systems that were started and left unfinished at different points in BVNK’s lifecycle due to movement within the company.

Lazarov also said, “I’m happy I was able to convince my manager on our board to go for the expanded risk management and vendor management package with Vanta, because now we’re compliant with ISO 27001 with our risk register in addition to our vendor register.

“As such, we were already 40 per cent of the way to being DORA compliant! Sixty per cent may sound like a long way to go, but that was mainly related to documentation. We had to adjust our policies and train the board of directors—that’s the easy part. The tough part is chasing your vendors, but that was already done.”

As a result of the partnership with Vanta, Lazarov added, he can wake up happy, knowing that he can check his emails and see exactly which individual controls need to be fixed. “It is helping a lot with prioritisation.”

Evolving from ISO 27001 to DORA

ISO 27001 has been a crucial standard, holding organisations accountable for their security. For BVNK, it has been fundamental in shaping its policies and processes, says Lazarov. As such, when asked how BVNK has found the transition to DORA, Lazarov said: “We don’t need to rewrite our policies from the bottom up—we can see where we need to upgrade our current ones to be compliant.”

Exemplifying this, he added: “For us to become ISO compliant, it took us around six to seven months. Then to upgrade from ISO to DORA, it only took us two months.”

The conversation then turned to the challenges faced by firms looking to become DORA compliant, with Lazarov reflecting on BVNK’s obstacles. “Vendor management is the biggest challenge to achieving compliance. We need to understand which are ICT vendors, while simultaneously checking which need to be more compliant. We can’t expect that they’re all ISO 27001 certified—so we need to bug them and chase them and ensure they’re going to be DORA compliant, and as a smaller company, getting them to sign these contracts is very tough.”

DORA and beyond

In addition to DORA’s foundational requirements for operational resilience, there’s also emphasis on the need to align with National Competent Authorities (NCAs). NCAs play a critical role in supervising and enforcing compliance for their respective EU member states, requiring firms to provide clear evidence of their risk management, incident reporting, ICT third-party oversight, and resilience testing measures. Tailoring strategies to the relevant NCA’s interpretation of DORA can ensure consistent compliance across jurisdictions.

Khan suggests that firms review DORA’s requirements prescriptively, in tandem with what their NCAs require, to account for the different ways the rules may apply across their business, so that they are fully prepared in the event of any regulatory inquiries into their compliance.
