SANS Institute

DORA's Role in Enhancing Cybersecurity for EU Finance

DORA represents a significant step in the EU's efforts to create a more secure and resilient financial ecosystem.

December 12, 2024

The financial sector faces growing cyber threats that could disrupt critical services and undermine public trust. Recognising this challenge, the European Union (EU) has introduced the Digital Operational Resilience Act (DORA), a comprehensive and all-encompassing regulatory framework to enhance financial institutions' cybersecurity and operational resilience across the EU.

DORA represents a significant step in the EU's efforts to create a more secure and resilient financial ecosystem. The financial system is highly interconnected, making it a prime target for cybercriminals. Steve Armstrong-Godwin is a SANS Principal Instructor, author of the SANS LDR553™: Cyber Incident Management™ course, and Lead of Security Incident Response and Threat Management at Danske Bank. “What it comes down to is that money makes the world go round”, Armstrong-Godwin says. “So, the two major ways that a threat actor would compromise a country are to hit the power or the money. DORA represents a requirement being placed on EU financial institutes to be resilient to cyber-attacks”.

The regulation builds on existing cybersecurity frameworks and introduces new obligations that compel organisations to rethink their approach to digital security. It encompasses a wide range of financial entities, including banks, insurance companies, investment firms, and crypto-asset service providers. It sets out uniform requirements for information communication technology (ICT) risk and incident management, incident classification and reporting, digital operational resilience testing, information sharing, and the management of ICT third-party risk. The goal is not only to protect organisations but also to safeguard the entire financial ecosystem, ensuring that it remains stable and trustworthy even in the face of large-scale cyber threats.

Implications and challenges of DORA

For many organisations, one of the immediate effects of DORA will be a shift in focus towards ICT risk management. Companies must develop comprehensive strategies for identifying, assessing, and mitigating risks associated with their information and communications technology infrastructure. Armstrong-Godwin points out that “good ICT-related management and classification is knowing what is critical to your organisation and to ensure how you can quickly recover if those systems are compromised”. This involves not only identifying and assessing risks but also implementing appropriate measures to mitigate them.

Additionally, DORA extends its reach beyond the organisation itself, imposing strict requirements on third-party providers. Financial institutions often rely heavily on external service providers for critical ICT services, which can introduce additional vulnerabilities. DORA requires organisations to carefully assess and monitor the risks associated with these third-party relationships. “You need to understand fully who is in your supply chain, identifying which suppliers are critical and ensuring they meet the same resilience standards”.

The regulation also introduces new incident reporting obligations, requiring financial entities to report significant ICT-related incidents (including their direct and indirect cost) to relevant authorities within specified timeframes. This emphasis on timely and comprehensive reporting aims to improve the overall visibility of cyber threats across the sector and enable more effective responses.

Another significant challenge is the potential complexity of implementing DORA's requirements, especially for smaller organisations or those new to such comprehensive regulatory frameworks. The regulation's emphasis on proportionality means that the specific measures required may vary depending on an organisation's size, complexity, and risk profile. However, determining what is ‘proportional’ can be a challenge in itself. “Also, the cost of compliance with DORA may be substantial; upgrading systems, conducting resilience testing and managing third-party risks require significant investment. However, if done efficiently, the long-term benefits of compliance – such as avoiding fines, maintaining customer trust and preventing costly disruptions – far outweigh the initial expenses”.

Intertwining DORA, TIBER-EU, and NIS2

DORA does not exist in isolation but forms part of a broader ecosystem of cybersecurity regulations and frameworks in the EU. It closely ties with initiatives such as TIBER-EU (Threat Intelligence-based Ethical Red Teaming) and the NIS2 Directive (Network and Information Security).

TIBER-EU is a framework for intelligence-led red team testing of financial entities' critical live production systems. “TIBER is a requirement to demonstrate your ability to detect and respond to attacks. It's more of a practical demonstration of your external footprint, the attack surface you present, the external vulnerabilities, and the patching mechanisms you do to close those down”, Armstrong-Godwin explains. While not directly part of DORA, TIBER-EU tests can provide valuable insights into an organisation's operational resilience and help meet DORA's testing requirements.

The NIS2 Directive, on the other hand, is a broader cybersecurity regulation that applies to various sectors beyond finance. While there is some overlap between DORA and NIS2, DORA is specifically tailored to the financial industry and goes into greater depth on specific requirements. “Being DORA compliant should help your NIS compliance, and if you've been working toward this for the last couple of years, then you should be very closely aligned with what your DORA requirements will be”.

Preparing for DORA

Given the comprehensive nature of DORA and its potential impact on organisations, financial entities must prepare well before its implementation. Armstrong-Godwin offers ten critical steps for organisations to consider:

  1. Understand the requirements: Thoroughly review and comprehend DORA's regulations. Armstrong-Godwin suggests using resources that provide clear summaries of each article. Then map these, via a stakeholder-based RACI matrix, to the DORA Articles and Chapters; this ensures you can allocate tasks and that broad aspects, such as incident response, are actually covered.
  2. Conduct a gap analysis: Assess your current practices against DORA's requirements to identify areas that need improvement. Get support from your organisation's subject-matter experts (SMEs), as only they can dig into the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), which require detailed knowledge of the procedures and their implementation.
  3. Enhance ICT risk management: Develop or improve procedures for identifying, assessing, and monitoring ICT risks. Ensure you have a robust risk management platform that aligns with financial sector standards.
  4. Improve incident reporting processes: Establish clear protocols for timely and accurate incident reporting. Define who is authorised to report and how to report and develop templates and guidelines for various scenarios (start with the provided standards and guidelines).
  5. Review and update third-party agreements: Examine existing contracts with ICT service providers. Introduce new requirements for accountability and monitoring that align with DORA's stipulations.
  6. Develop and test a business continuity plan: If you don't have one, create a comprehensive business continuity plan. If you do have one, ensure it is up-to-date and regularly tested.
  7. Educate employees: Ensure that all employees, including those who might be in standby positions for key roles, understand their roles and responsibilities under DORA. Run educational sessions for “Service Owners” of critical services that are in scope for DORA, so they are aware what’s coming and what information they’ll need to provide in case of a major incident.
  8. Engage with authorities: Proactively communicate with relevant regulatory bodies to understand their expectations, focus areas, and any guidance they can provide. While Article 45 addresses the need for information sharing (exchanging cyber threat information and intelligence securely and efficiently), seek guidance from your national authority on how they believe this should occur, and get onto those platforms to gain access to the threat intelligence shared by others.
  9. Prepare for audits: Organise your documentation and evidence of compliance. Ensure that all teams have audit-ready materials and understand the audit process.
  10. Monitor ongoing developments: Monitor changes in the regulatory landscape, new guidance, and best practices as DORA implementation progresses.

Armstrong-Godwin emphasises that “if organisations haven't started these steps already, they need to begin immediately, as some aspects, particularly updating third-party agreements, can take considerable time to implement fully”.

Enhancing Operational Resilience

Organisations don't have to go it alone in preparing for DORA. Training and education providers like SANS can play a crucial role in helping organisations build the skills and knowledge needed to meet DORA's requirements. Armstrong-Godwin highlights several SANS courses that can be particularly helpful, including SEC504™: Hacker Tools, Techniques, and Incident Response™, LDR553: Cyber Incident Management and SEC566™: Implementing and Auditing CIS Controls™, which covers the 20 critical security controls.

“If you're quite new to this, the 20 critical controls help you get a grip on things whilst also mapping that across to the DORA requirements, which would be a good start”.

While DORA presents significant challenges for financial organisations, it also offers an opportunity to enhance operational resilience and build greater trust in the digital financial ecosystem. Organisations can achieve compliance and strengthen their overall cybersecurity posture by taking a proactive approach to understanding and implementing DORA's requirements. As the financial sector continues evolving in an increasingly digital world, DORA is crucial to ensuring its stability, security, and resilience.

Stay ahead of cyber threats and compliance challenges—explore the SANS DORA Resource Hub for actionable advice on building resilience in the financial sector.
