How to comply with DORA without losing your sanity

What is it?

DORA is the Digital Operational Resilience Act. It’s an EU regulation that will apply from January 2025.

It will force regulated financial services firms to significantly improve their ability to withstand, respond to and recover from IT-related disruptions and threats, including but not limited to cyber attacks.

What’s involved?

For a financial services firm, there are 5 key areas:

  1. IT risk management
  2. IT Third-Party risk management
  3. Incident Response Management
  4. Operational Resilience Testing
  5. Information Sharing

Where can you read more?

The Regulation’s official reference is Regulation (EU) 2022/2554.

The text of the regulation is available from U

A more user-friendly, hyperlinked, and searchable (unofficial) version has been published at (Credit to Springflod for their work on this).

Why can I help?

I am not the world’s leading expert on DORA. BUT...

  • I have probably spent more time reading and digesting the regulation than you have.
  • When GDPR was on the way, I helped many regulated firms to comply without losing their sanity. I have also helped firms with the CBoI’s, EBA’s and EIOPA’s regulatory guidance on Cyber Security and Outsourcing. In other words, I have extensive experience interpreting regulations and translating their key requirements into actionable advice.

How can I help?

As a free first step, sign up to my short course on DORA.

The course is designed to ease you into the world of DORA compliance.

You will receive 1 email per day for 5 days, and I guarantee that each email will take less than 5 minutes to read.

The course focuses on the key things you need to know about DORA and ways to eat this elephant. For example:

  • How to assess if / how DORA will apply to your firm.
  • Which of the 64 articles to concentrate on.
  • How to identify your critical or important functions.

Sign up here:

For information on how your personal data is protected, take a look at my Data Protection Policy.

And then what?

Join my online DORA community. You will receive an invite at the end of the DORA course.

  • The focus in the community is to ask questions and share knowledge. If DORA follows the same path as GDPR, there will be a lot of noise and confusion online about what compliance really looks like. Participation in this community will reduce the noise so we can all focus on the core requirements, without losing our sanity.
  • No-one is selling solutions or services within the community. If they do, they will get kicked out. (And yes, this rule applies to me too!)
  • All discussions within the community remain confidential. Anyone breaking this rule gets kicked out. (And yes, this rule also applies to me!)

If you want 1:1 guidance and assistance, I can also help.

  • A Lunch & Learn session on DORA would be a good first step for you and your management team.
  • A Regulatory Assessment Workshop will enable you to get into the details and identify the areas that you should focus on first.