SANS Institute

How to Prepare for DORA Before the 2025 Deadline

Discover how to prepare your organisation for the Digital Operational Resilience Act (DORA) and strengthen your cyber resilience.

December 6, 2024

Don't let the January 2025 deadline catch you off guard. Discover how to prepare your organisation for the Digital Operational Resilience Act (DORA) and strengthen your cyber resilience.

In an era where digital operations have become the backbone of the financial sector, the European Union (EU) has taken a significant step to proactively enhance financial institutions' cybersecurity and operational resilience. The Digital Operational Resilience Act, commonly known as DORA, is set to reshape the landscape of risk management and cybersecurity practices across the EU's financial services industry. As the January 17, 2025 deadline approaches, financial institutions are grappling with the complexities of this new regulation and its far-reaching implications.

DORA addresses the increasing frequency and sophistication of cyber incidents targeting the finance sector. Bojan Zdrnja is a SANS Certified Instructor, co-author of SEC542: Web App Penetration Testing and Ethical Hacking, and Chief Technical Officer and penetration testing team lead at INFIGO IS. “The European Central Bank, which is the main authority over any bank in the EU, noticed that there should be one regulation that helps financial institutions guide their investments in cybersecurity and other important digital aspects”, he says about the genesis of DORA.

Unlike the Network and Information Security (NIS2) Directive, DORA applies uniformly across all EU member states without the need for individual transposition into national law. This harmonised approach aims to create a consistent cybersecurity framework across the EU's financial landscape. As Zdrnja notes, DORA's broad scope and immediate effect make the magnitude of the regulation clear.

Risk Management, Third-Party Providers, and Mandatory Testing

DORA’s implications for financial organisations are profound and multifaceted. At its core, DORA mandates a comprehensive information and communication technology (ICT) risk management framework, which forms the foundation for all other requirements. This comprehensive framework necessitates a thorough understanding and documentation of an organisation's digital assets, services, and interdependencies. “Banks should have clear documentation of how their services depend on other components, correlated to each other. They can have everything up and running, but now they need clear documentation of how their services depend on something else”, Zdrnja says.

Third-Party Risk Management

One of the most significant implications is the heightened focus on third-party risk management. DORA recognises the potential vulnerabilities introduced by the complex web of service providers and suppliers that modern financial institutions rely upon. Organisations must maintain a detailed catalogue of all third-party providers, assess risks, and develop exit strategies for critical services. “DORA covers that nicely because they hold all parties accountable now. Let’s say you are a front-end third-party provider reselling services. Now under DORA, the company that actually provides the services will be subject to the regulation as well.”

This level of scrutiny extends to the oversight of critical third-party service providers, including cloud service providers (CSPs), which may now be subject to direct audits by supervisory authorities. “If there is a cloud provider that is part of your critical service, like mobile banking, for example, then this provider is subjected to what DORA calls ‘the Oversight Framework’, which means that there will be a supervisor that can directly audit your critical service provider.”

Resilience Testing

Another key implication is mandatory resilience testing. “DORA now makes that very, very strict. You have to do weekly vulnerability scanning and yearly penetration testing of critical functionality”, says Zdrnja. DORA stipulates specific requirements for security testing. Moreover, it introduces the concept of threat-led penetration testing (TLPT), which must be conducted at least once every three years. Inspired by the TIBER-EU framework, this approach simulates real-world cyber-attacks to test an organisation's detection and response capabilities.

Incident Reporting

“DORA also introduces stringent incident reporting requirements. When an organisation classifies an incident as critical, it must inform its authorities within four hours. That's quite severe. And obviously, the reasoning behind this makes sense because we are talking about a critical incident impacting that particular financial institution and their customers”, Zdrnja notes. This rapid reporting timeline underscores the regulation's emphasis on swift action and transparency in the face of cyber threats. 

Challenges of DORA

DORA’s challenges are as significant as its implications. Compliance with DORA is a substantial undertaking for smaller financial institutions or those with less mature cybersecurity practices. “Not every single bank will be able to do this overnight because this will be quite a bit of investment that smaller organisations in particular will struggle with”, Zdrnja points out. “It's a big document, and I already see a lot of banks, insurance companies, and other financial institutions struggle with DORA and even with an understanding of all the requirements.”

One of the primary challenges lies in creating and maintaining the comprehensive documentation required by DORA. Organisations must map out their critical services, understand their dependencies, and document the relationships between the various components of their ICT infrastructure. This level of detail and transparency is unprecedented for many institutions and requires significant time and resources. Zdrnja believes the biggest challenge for organisations will be to “create documentation that describes the dependency of services, figure out which third parties they depend on, and perform a proper risk assessment of those third parties.”

Another major challenge is the potential need to re-evaluate and possibly change third-party relationships based on the risk assessments mandated by DORA. “I wouldn't be surprised if some financial institutions have to change some of their third-party providers. If the third parties cannot mitigate against identified risks, banks or financial institutions will no longer be able to work with them.” For instance, a CSP with inadequate security measures or a payment processor with a history of data breaches might be candidates for re-evaluation. Such changes can be complex and expensive, adding to the overall cost of compliance.

Implementing advanced security testing approaches, particularly TLPT, is another challenge for organisations. Many organisations may lack the internal expertise to conduct such sophisticated tests and must either develop these capabilities in-house or engage external specialists. This requirement incurs additional costs and demands a cultural shift towards a more proactive and adversarial approach to security testing. “Other things like resilience testing, to be honest, are something they should have been doing for many years. It will require a bit more organisation and management. If your organisation is already at 80 per cent, you’ll need to improve by 20 per cent, which is doable. However, if you're at 20 per cent, it will take a bit more time and effort.”

Relating Frameworks and Regulations

DORA's relationship with existing frameworks and regulations, such as TIBER-EU and NIS2, is an aspect organisations must consider. While DORA incorporates elements of TIBER-EU, particularly in its approach to threat-led penetration testing, it goes beyond TIBER-EU by making these tests mandatory. “They took the TIBER-EU methodology and modified it a little bit, so it's not a 100 per cent copy and paste of the TIBER-EU methodology, but more like 98 per cent.” This means that financial institutions with TIBER-EU experience will have a head start in understanding and implementing DORA.

As for NIS2, while there is some overlap in areas such as risk management and incident reporting, DORA is specifically tailored to the financial sector and introduces more stringent and detailed requirements. However, organisations that have already made progress in complying with NIS2 may find that they have a head start in certain aspects of DORA compliance.

Start Preparing for DORA

Given DORA's complexity and breadth, organisations must prepare well before the 2025 deadline. “Start from the ICT risk management perspective, which is like the foundation of DORA. Go through identification and enumeration of critical services you provide because many other activities are based on these”.

Zdrnja advises organisations to conduct a comprehensive gap analysis as a crucial first step in preparation. This involves comparing the organisation's current practices and capabilities against DORA's requirements to identify areas for improvement. Based on this analysis, you can develop a roadmap for achieving compliance, prioritising the most critical areas and those that require the most time and resources to address.

Developing or enhancing the ICT risk management framework should be a priority, as this forms the basis for many other DORA requirements. This includes creating detailed inventories of digital assets, mapping service dependencies, and establishing robust risk assessment processes. Organisations should also focus on strengthening their third-party risk management practices. This involves assessing the risks associated with current providers, developing strategies for ongoing monitoring, and establishing clear exit plans for critical services.

Another crucial aspect of preparation is implementing or enhancing security testing regimes, which may involve investing in new tools and technologies, developing internal capabilities, or engaging with external security testing providers. Organisations should also review and update their incident response plans to meet DORA's strict reporting timelines.
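The preparation steps above (enumerate critical services, map their dependencies, identify which third parties those dependencies lead to, check exit strategies, and keep to the testing cadence) can be exercised on a small machine-readable inventory. The following Python is an added example written for this article; it is not SANS's or INFIGO's tooling and DORA prescribes no such format. The service and provider names, the `critical` and `exit_strategy` flags and the sample test dates are all constructed; the cadences (weekly vulnerability scanning, yearly penetration testing of critical functionality, TLPT at least every three years) are the ones Zdrnja describes above.

```python
"""Toy ICT dependency map: transitive third-party criticality plus a
test-cadence check. Example code for illustration; every name and date
below is a constructed assumption, not data from any real institution."""
from datetime import date, timedelta

# Constructed service inventory. Each node lists what it depends on;
# "critical" marks the functions the institution has classed as critical.
SERVICES = {
    "mobile-banking": {"critical": True, "depends_on": ["api-gateway", "core-ledger"]},
    "marketing-site": {"critical": False, "depends_on": ["cms-host"]},
    "api-gateway": {"critical": False, "depends_on": ["cloud-provider-A"]},
    "core-ledger": {"critical": False, "depends_on": ["payment-processor-B", "on-prem-db"]},
    "cms-host": {"critical": False, "depends_on": ["cloud-provider-C"]},
    "on-prem-db": {"critical": False, "depends_on": []},
}

# Constructed third-party register: whether an exit strategy is documented.
THIRD_PARTIES = {
    "cloud-provider-A": {"exit_strategy": True},
    "payment-processor-B": {"exit_strategy": False},
    "cloud-provider-C": {"exit_strategy": False},
}


def transitive_dependencies(service, graph=SERVICES):
    """Depth-first walk returning every node the service ultimately relies on."""
    seen = set()
    stack = list(graph.get(service, {}).get("depends_on", []))
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        # Third parties are leaves: they have no entry in SERVICES.
        stack.extend(graph.get(node, {}).get("depends_on", []))
    return seen


def critical_third_parties(graph=SERVICES, providers=THIRD_PARTIES):
    """Map each third party to the set of critical services that depend on it,
    directly or through intermediate components."""
    result = {p: set() for p in providers}
    for svc, info in graph.items():
        if not info["critical"]:
            continue
        for dep in transitive_dependencies(svc, graph):
            if dep in providers:
                result[dep].add(svc)
    return result


def missing_exit_strategies(graph=SERVICES, providers=THIRD_PARTIES):
    """Third parties that support a critical service but have no exit strategy."""
    usage = critical_third_parties(graph, providers)
    return sorted(p for p, svcs in usage.items()
                  if svcs and not providers[p]["exit_strategy"])


# Cadences taken from the interview; the day counts are an assumption.
CADENCE = {
    "vuln_scan": timedelta(days=7),
    "pentest": timedelta(days=365),
    "tlpt": timedelta(days=3 * 365),
}


def overdue_tests(last_run, today, cadence=CADENCE):
    """Return the test names whose last run is older than the cadence allows.
    last_run maps test name -> date, or None if never performed."""
    return sorted(name for name, period in cadence.items()
                  if last_run.get(name) is None or today - last_run[name] > period)


def example_report():
    """Run the checks on the constructed inventory and sample test dates."""
    sample_runs = {
        "vuln_scan": date(2024, 12, 1),   # 5 days ago: within the weekly window
        "pentest": date(2023, 11, 1),     # over a year ago: overdue
        "tlpt": None,                     # never performed: overdue
    }
    return {
        "critical_third_parties": {p: sorted(s) for p, s in critical_third_parties().items()},
        "missing_exit_strategies": missing_exit_strategies(),
        "overdue_tests": overdue_tests(sample_runs, date(2024, 12, 6)),
    }


if __name__ == "__main__":
    for key, value in example_report().items():
        print(f"{key}: {value}")
```

Note that `cloud-provider-C` is not flagged even though it lacks an exit strategy: only the marketing site depends on it, and that service is not classed as critical. That is the point of mapping dependencies before assessing providers, since the same register entry can be low-risk or in scope for the Oversight Framework depending on what sits above it.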

Help in the DORA Compliance Journey

As a global leader in cybersecurity training and certification, SANS Institute is uniquely equipped to assist organisations in their DORA compliance journey. SANS offers a range of courses covering the technical skills required for DORA compliance, including risk management, penetration testing, and incident response. These courses help organisations build the internal capabilities needed to meet DORA's requirements and maintain ongoing compliance. SANS can also provide guidance on best practices for implementing the various components of DORA, from establishing effective ICT risk management frameworks to conducting threat-led penetration tests. “I think our expertise can be invaluable in helping organisations navigate the regulation's complexities and develop effective compliance strategies”, Zdrnja says.

As the deadline for DORA compliance approaches, financial institutions across the EU face a significant challenge and an opportunity to enhance their operational resilience and cybersecurity posture. By taking a proactive approach, leveraging expert guidance, and investing in the necessary skills and technologies, organisations can achieve compliance and build a more robust and resilient digital infrastructure for the future.

Unlock essential strategies for achieving cyber resilience in the financial sector with SANS Institute’s DORA Resource Hub. Gain expert insights on DORA and TIBER-EU to protect your organization from evolving threats today.
