
Cybersecurity · Credibility 94/100 · 5 min read

Cyber Resilience Briefing — January 17, 2025

The EU Digital Operational Resilience Act (DORA) is now enforceable, requiring financial entities and critical ICT providers to evidence incident response, testing, and third-party governance.

Executive briefing: The Digital Operational Resilience Act (EU Regulation 2022/2554) applies from 17 January 2025, giving supervisors authority to audit how banks, insurers, and ICT service providers govern cyber risk. Zeph Tech is helping leadership teams translate the regulation’s ICT risk, incident reporting, and testing expectations into auditable runbooks before the first supervisory reviews.

Key industry signals

  • Supervisory policy packs live. The European Supervisory Authorities (ESAs) published the first batch of regulatory technical standards and implementing standards in January 2024 to clarify DORA’s reporting templates and outsourcing registers.
  • Legal obligations codified. The official DORA text mandates harmonised incident notification timelines and governance over critical ICT third parties, ending the patchwork of national guidance.
  • Threat landscape pressure. ENISA’s 2023 Financial Services Threat Landscape report highlights persistent supply-chain and ransomware threats, underscoring why regulators expect repeatable resilience testing.

Control alignment

  • DORA Articles 6 and 8. Maintain the ICT risk management framework required by Article 6 and the identification duties behind it in Article 8: inventory ICT assets, map critical or important functions and their dependencies, and document risk tolerances with named remediation owners.
  • DORA Articles 24-27. Evidence the digital operational resilience testing programme: at least annual testing of ICT systems supporting critical or important functions (Articles 24-25), threat-led penetration testing at least every three years for entities their competent authority designates (Article 26, with tester requirements in Article 27), and tracked remediation of findings reported on a board cadence.

Detection and response priorities

  • Align incident runbooks to DORA's three-stage major-incident reporting cycle under Article 19 (initial notification, intermediate report, final report); the ESAs' technical standards set the clocks at 4 hours from classifying an incident as major and no later than 24 hours from becoming aware of it for the initial notification, 72 hours from that notification for the intermediate report, and one month from the intermediate report for the final report. Pre-stage regulator distribution lists for each market so the clock is not spent finding addresses.
  • Aggregate third-party telemetry so critical ICT providers feed incident data into the same SIEM and case management tooling used for internal events.

Enablement moves

  • Brief executive committees on supervisory escalation powers, including public notices and penalties, to secure budget for remediation sprints.
  • Update procurement templates with the minimum contract clauses from Articles 28-30—right to audit, data location, exit support, and subcontractor disclosure—so renewals stay compliant.

Zeph Tech partners with financial institutions on DORA readiness, from ICT risk registers and outsourcing governance to threat-led testing orchestration.
