
DORA Compliance: A Comprehensive Guide to Digital Operational Resilience

Jörn Menninger

Management Summary: Navigating DORA Compliance


This blog post features an interview with cybersecurity expert Giles Inkson, Director of Services EMEA at NetSPI, discussing the Digital Operational Resilience Act (DORA) and its implications for the financial sector. DORA is a new EU regulation designed to ensure the digital operational resilience of financial entities. The discussion covers key aspects of DORA, including ICT risk management, cybersecurity incident reporting, and third-party risk management. It also addresses the challenges fintech companies face in balancing innovation with compliance, and provides practical advice on how to approach DORA implementation. The interview emphasizes the importance of understanding DORA's requirements, prioritizing continuous improvement, and seeking expert guidance to navigate this complex regulatory landscape effectively.


This Blog Post is Brought to You By Vanta


Vanta automates security and compliance for frameworks like ISO 27001, SOC 2, and more—so you’re always audit-ready without the stress and manual work. No more endless spreadsheets, no last-minute panic. With real-time monitoring and automated security questionnaires, Vanta saves you time, effort, and money—so you can focus on growing your business.


Over 9,000 companies, including Atlassian, Flo Health, and Quora, already trust Vanta to manage security seamlessly.


Make compliance simple—get $1,000 off now at vanta.com/startupradio.


The Video Podcast Will Go Live on Thursday, March 18, 2025

The video is available to our channel members up to 24 hours earlier.


Find the holes in your DORA compliance


The Audio Podcast


You can subscribe to our podcasts here. Find our podcast on your favorite podcasting app or platform. Here are some of the links to subscribe.


DORA Compliance: Your Essential Guide


The Digital Operational Resilience Act (DORA) is here, and it's crucial for financial entities to get up to speed. But what exactly is DORA, and how can your organization ensure compliance?

In this in-depth discussion, Startuprad.io's Joe Menninger speaks with Giles Inkson, Director of Services EMEA at NetSPI, to demystify DORA and provide actionable guidance. Giles, an ethical hacker and expert in red teaming and security testing, shares valuable insights on navigating this critical EU regulation.


What is DORA and Why Does It Matter?

DORA, the Digital Operational Resilience Act, is a European Union regulation focused on strengthening the digital operational resilience of the financial sector. As Joe Menninger from Startuprad.io points out, DORA is not just "a first name of a lady" but a significant piece of legislation. While DORA is already in force, the real scrutiny begins next year, when authorities and auditors are expected to conduct the first checks of financial institutions' compliance.


Giles Inkson explains:

"DORA is a piece of EU regulation, a directive, aimed at addressing digital operational resilience within the financial sector." Giles Inkson

DORA is designed to ensure that financial institutions can withstand, respond to, and recover from all types of ICT-related disruptions and threats.


Key Components of DORA Compliance

DORA focuses on several core areas. Let’s dive into some of the most critical aspects.


ICT Risk Management

Effective ICT risk management is at the heart of DORA. Financial entities must establish robust frameworks to identify, assess, and mitigate ICT risks. This includes everything from cybersecurity threats to operational failures.

Giles Inkson emphasizes the importance of a comprehensive risk management framework:

"A risk management framework as a concept is an overarching set of standards, guidelines, and procedures which organizations can use to put processes in place and manage the risks within their organization." Giles Inkson


People Also Ask:

  • How frequently should financial entities conduct ICT risk assessments under DORA?

    Financial entities should conduct regular ICT risk assessments, and the frequency should be determined based on the organization's risk profile and the specific requirements outlined by DORA. It is advisable to conduct risk assessments at least annually and more frequently if significant changes occur to the organization's ICT infrastructure or if new threats emerge.


Incident Reporting

DORA mandates that financial entities establish procedures for reporting ICT-related incidents to the relevant authorities. This includes timely detection, analysis, and reporting of incidents to minimize their impact.

According to the European Banking Authority (EBA), competent authorities, such as the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) in Germany, need to receive regular reports and information on ICT-related incidents. This ensures a coordinated response and proactive risk mitigation across the financial sector.


People Also Ask:

  • What are the key steps involved in DORA incident reporting?

    The key steps involve establishing an incident management process that enables financial institutions to quickly identify, assess, report, and respond to IT-related incidents. Incidents must be classified based on their severity, impact and potential consequences. This ensures a coordinated response and proactive risk mitigation across the financial sector.


Featured Snippet:

What is digital operational resilience?

    Digital operational resilience refers to a financial entity's ability to build, assure, and review its operational integrity. It is the capability to withstand, respond to, and recover from ICT-related disruptions and threats.

Third-Party Risk Management

Financial entities increasingly rely on third-party providers for critical ICT services. DORA emphasizes the need for robust third-party risk management to ensure that these dependencies do not create vulnerabilities.

Giles Inkson points out:

"It’s key that they're ensuring that their suppliers also have resilient systems, they can keep their contracts in place." Giles Inkson

This includes due diligence when selecting providers, clear contractual terms, and ongoing monitoring of their performance.


People Also Ask:

  • What should be included in third-party contracts to ensure DORA compliance?

    Third-party contracts should include specific clauses outlining the provider's responsibility for maintaining digital operational resilience, compliance requirements, reporting obligations, incident response plans, access rights for audits, and termination rights in case of non-compliance. Detailed service level agreements are also recommended, covering aspects such as availability, performance, and security.


Implementing a DORA Compliance Strategy

Successfully navigating DORA requires a strategic approach. Here are key steps to consider:

  • Conducting Risk Assessments: Start by thoroughly assessing your organization's current ICT risks and vulnerabilities. Identify areas that need strengthening to comply with DORA requirements.

  • Establishing Governance and Policies: Develop clear governance structures and policies that support digital operational resilience. This includes defining roles and responsibilities, setting security standards, and establishing incident response procedures.

  • Staff Training and Awareness: Ensure that all staff members are aware of DORA requirements and their role in maintaining digital operational resilience. Provide regular training on cybersecurity best practices and incident response procedures.


Giles Inkson stresses the human element in cybersecurity:

"Security is still a human thing. We hack people." Giles Inkson

DORA Implementation Challenges

Implementing DORA can be challenging, especially for smaller financial entities. Some common challenges include:

  • Resource Constraints: Smaller organizations may lack the resources and expertise to implement DORA requirements effectively.

  • Legacy Systems: Older systems may be difficult to adapt to comply with DORA's requirements.

  • Complexity of Compliance: Understanding and implementing the full scope of DORA can be complex and require expert guidance.

Giles Inkson advises:

"My advice to pretty much all customers and potential customers is, start small." Giles Inkson

People Also Ask:

  • What are some of the key challenges that organizations face during DORA implementation?

    Organizations often face challenges like aligning existing processes with DORA requirements, integrating new technologies, allocating sufficient resources, ensuring data security and privacy, and keeping up with evolving regulatory standards. It is important to prioritize the implementation of essential components and leverage expert guidance to ensure comprehensive compliance.


Preparing for DORA Audits

DORA compliance will be subject to scrutiny by regulatory authorities. Financial entities must be prepared for audits to demonstrate their adherence to the regulation's requirements.

Ensure you have comprehensive documentation of your ICT risk management framework, incident reporting procedures, and third-party risk management practices. Regular internal audits can help identify and address any gaps in compliance before external audits.


Looking Ahead: Digital Operational Resilience is Key

DORA represents a significant step towards enhancing the digital operational resilience of the financial sector. By understanding the key requirements and implementing a strategic compliance approach, financial entities can navigate DORA effectively and strengthen their ability to withstand and recover from digital disruptions.


Key Takeaways

  • DORA is a critical EU regulation for digital operational resilience in the financial sector.

  • Key compliance areas include ICT risk management, incident reporting, and third-party risk management.

  • Organizations should conduct thorough risk assessments, establish robust governance structures, and prioritize staff training.

  • Start small, seek expert guidance, and prepare for audits.



Automated Transcript


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:00:00]:

Your podcast and YouTube blog covering the German startup scene with news, interviews and live events. Hello and welcome everybody. This is Joe from Startuprad.io, your startup podcast, YouTube blog and Internet radio station from Germany, Austria and Switzerland. Today I do have another expert interview episode with you, talking about DORA again. In the past we have heard one guest who was talking about third-party assets on your website that you need to take care of. This time I do have Giles here as a guest. Hey, how are you doing?


Giles Inkson | Director of Services EMEA NetSPI [00:00:50]:

Hi, nice to see you. Nice to. Thanks for having me on.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:00:53]:

Totally my pleasure. You are Director of Services EMEA at NetSPI, and we will be talking a little bit more broadly about DORA and what you should do. I do have a few questions to guide you through this interview and hopefully it will be very useful for everybody of us. But before we get started, can you introduce yourself a little bit to our audience? Keep in mind most people will just listen to us.


Giles Inkson | Director of Services EMEA NetSPI [00:01:19]:

Of course. So I'm Giles and I look after a number of different testing services. So I am a security tester, and before that I was involved in IoT infrastructure for a long time in my career. So in terms of my profession now, what I do is something called red teaming, and that is an expression of security testing. It's essentially organization-wide resiliency testing, and it's the type of testing that DORA asks us to undertake, and TIBER too, and other frameworks, things like CBEST for instance in the UK and other frameworks globally. It is essentially, for want of a better way of putting it, I'm a hacker. But in a good way.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:02:08]:

You are, can you say, an ethical hacker, correct?


Giles Inkson | Director of Services EMEA NetSPI [00:02:12]:

Yes, absolutely. An ethical hacker.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:02:15]:

I see. So today we're talking about DORA. No, it's not the first name of a lady. It's the Digital Operational Resilience Act from the European Union. And before we get started: right now, it's already in force. But we do know the way bureaucracy works; likely next year the first checks will be done by authorities, by auditors and so on and so forth. So this is the time to really get your stuff done, to really get down to business if you appear or think you have some holes in there. And for this reason we go a little bit broadly over the whole regulation and tell you potential places where you may have to work on before you get audited.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:03:10]:

Should we start with governance and risk management, please. Governance structure. Have I established a clear governance framework for digital operational resilience, and are roles and responsibilities well defined? And that is a pretty interesting question, and what kind of answer should an entrepreneur have, except for yes, of course.


Giles Inkson | Director of Services EMEA NetSPI [00:03:36]:

Yeah, that's a, that's a really interesting one. I think it's, it's, it's about the evidence base and the rationale behind it. And I think that's the, that's the kind of some of the core aspect to this. So if you can prove that rationale of that structure and sort of why you've made the choices that you have, I think that's a key component of it, reasoning behind things, if that makes sense. It's not just the process and I think that's one of the things that is critical to this. It's about the reasoning for the process and sort of the evaluation, the showing you're working, if you will. But I think this is really trying to prize out if that makes sense.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:04:15]:

So that means if an auditor asks you why did you do that? You should have a pretty good reason. But I do believe most will have thought it through at this point. Then we're talking about risk management strategy, having a comprehensive risk management framework to address all potential ICT risks. Can you first tell us a little bit what ICT risks are and then what you would expect from such a risk management strategy if you would look at it from an outside perspective?


Giles Inkson | Director of Services EMEA NetSPI [00:04:51]:

So I think there is a significant amount of this that is kind of understanding your organization and sort of where you sit within the market, where you intend to be in 3, 5, 10 years time, for instance, and where you need to integrate to be able to understand what those risks might be. The component parts of your business and what keeps you operational is really important. What are the cogs that keep the business turning from an IT perspective, The critical important functions, to use the sort of the terminology there, these are the component parts of the business that you absolutely must keep running and operational. And that's why operational resiliency is a big, big part of this risk management approach, if you will.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:05:39]:

Actually, funny thing, in German it's called information and communications technology information. So that should give a little bit more hint about that. But please go on.


Giles Inkson | Director of Services EMEA NetSPI [00:05:53]:

The approach in terms of the sort of the strategy and the vision is you have to understand all of your assets that form part of that ICT estate and the processes and components and the human element as well, if you will that go into that to be able to drive the business and that accurate mapping of IT is essentially the most fundamental component of that strategy, if you will.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:06:17]:

Yes, sure. Risk insurance framework. When would it be comprehensive to address all potential ICT risk?


Giles Inkson | Director of Services EMEA NetSPI [00:06:27]:

Thank you. So without understanding your entire estate and all of your ICT systems and the usage of them and sort of how they integrate with the business, it's an incredible challenge to be able to make it complete. So a strong asset inventory or a strong understanding of your ICT systems is critical to be able to understand the risk to them or the potential risk to them.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:06:53]:

And that I have just. Sorry, I have one question. You said it's important to have an overall overview. I do believe a lot of people tend to forget one or two tools. Do you have any experience where people usually forget some ICT assets, meaning physical or digital tools, software, IT?


Giles Inkson | Director of Services EMEA NetSPI [00:07:18]:

Yeah. So I think shadow IT as a concept is something that people talk often about, which is parts of the infrastructure that have been sort of created dynamically or by individuals or users that are unknown. And I think that's one of the key missing elements from a lot of people's asset inventory. So you have to have an element that is through known mechanisms, things like sort of databases that you might have of assets that exist already, but you also need to have the ability to dynamically map them and to be able to dynamically understand the component technology assets of your business on a continuous basis. So there are a number of sort of platforms and sources and tools that aim to do that dynamically to varying degrees of success in the market. But doing an evaluation of those as part of your component infrastructure and looking at the efficacy of those is a really important task. As part of this kind of this overall framework development is you need to be able to assess the tools you use. In fact at a kind of almost the next level if you will that assess how you work.


Giles Inkson | Director of Services EMEA NetSPI [00:08:22]:

It's a bit of a non answer almost sometimes, but the approach you need to be able to know what you don't know and how do you quantify that and I think that's the tricky question here is how do you map the unknown and how do you rate a tool that allows you to do that? Often people lean into things like SaaS, platforms that sort of offer a, for want of a better way, you know, a magical solution to these problems. I think validation and checking and due diligence. Again another core concept of this act, of what it tries to instill are key components of that. So you need to make sure that you are checking and validating the software that you use, even to that you use to understand your business and evaluate itself, if that makes sense.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:09:12]:

So you shouldn't have any freelancers who have a developer's proprietary tool, they transfer data and then put it back into your system. That's the kind of risk we're talking about. Plus getting your data into a third-party software and not being aware of that. Because this shadow IT is always a pretty difficult topic, especially to figure out. Oh, if you have something like that, I once talked to a guest and they said, yeah, look at the company credit card bill. If there's software charged, that could be a good hint. Do you have any other ideas, suggestions how somebody may find.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:10:00]:

May learn more about potential shadows of where they could find hints about it?


Giles Inkson | Director of Services EMEA NetSPI [00:10:08]:

Yeah, there's a. There are elements. So some of this might be externally facing, for instance, so Internet-facing and available to the public, and you may not be aware of it. So there are tools and techniques and processes that you can use to dynamically scan and to sort of search for assets that might be linked to your business in some way. You know, products like this are often called things like attack surface mapping, for instance. What they aim to do is look for traces of your organization externally so that you can take reparatory action or some form of action to investigate where they may have come from, what the background might be. Credit card data is in fact quite an interesting one because company assets, company finance are tracked already in a lot of organizations. So that gives you that audit trail. Other sources of data, things like in the sort of computer identity sense, for instance, things like cloud services will hold databases of users.


Giles Inkson | Director of Services EMEA NetSPI [00:11:03]:

Perhaps you can track what those users, what resources they're creating the same for sort of on premise systems like Active Directory for instance. Those are means by which you can have a look at what resources are being spun up. But that's not dynamic, that's fairly static.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:11:23]:

The regulation talks about ICT risk assessment. How frequently should you do that and how. I mean there are of course different methodologies but how would you go about figuring out what methodology one should use?


Giles Inkson | Director of Services EMEA NetSPI [00:11:42]:

That's an interesting, an interesting topic. You have to assess it. Again I think that's a really important thing and I think this is kind of again this is the territory of non answer again where you're expected to do the due diligence but often there's not a great deal of guidance on it and to be able to prove and validate that and argue the case for it again is one of the key things. But in terms of the sort of the way that you manage that due diligence on third party suppliers, existing and new ones, a lot of organizations, for instance, that I've spoken to are re evaluating contracts as a result of this act. So that's kind of a one time monolithic sort of evaluation of those organizations and how they treat their own security as part of that supply chain risk piece. But also when you are updating or changing contracts or when you are refreshing service contracts with those organizations, that's when you should be doing this assessment, for instance, or at least on a yearly basis or an annual basis to make sure that you are regularly reviewing and revisiting them. And I think the review and revisit is another core component to this is you can't treat something as trusted if you've done this forever, if you know what I mean. So if you've done your due diligence once, that doesn't mean that that due diligence continues year after year, year after year.


Giles Inkson | Director of Services EMEA NetSPI [00:13:00]:

Organizations can become insecure that you deal with as a supplier, for instance, over the course of their lifetime. So what you need to be doing is making sure that you are continuously checking those, understanding their downstream processes for sort of how they manage their own vulnerabilities, their own risk management approaches, their own processes. And that's one of the big challenges around this act is organizations are now presented with how do they present information about how and where they are vulnerable to their clients without giving away data that is sensitive or controlled under other legislation, things like GDPR for instance. And that's a very tricky question to get a, an accurate and clear answer on. And I think that's been one of the challenges for organizations trying to solve this.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:13:48]:

When we're talking about DORA here, we're talking about incident reporting and management. Can you help us to understand this field? First step, how do you identify an incident? What is the level? Again, it's a little bit subjective here. When is it an incident?


Giles Inkson | Director of Services EMEA NetSPI [00:14:11]:

Yeah, absolutely. So you need to have a reasonable level of confidence that this is an operationally affecting incident, cyber security or otherwise. So, you know, for instance, the one that a lot of people lean towards is a cyber security incident or a breach; for instance, you need to have a good degree of confidence that it is a genuine breach, and be able to report that as soon as possible, ideally within 24 hours. So you need to have a strong ability to respond to these types of events and identify them, triage them and treat them as quickly as possible, i.e., identify them as quickly as possible. And then you've got a responsibility at that point to do the notification process and follow through the rest of your incident response plan. And that can vary depending on what type of incident you face. So in a lot of breaches, for instance, you see things like ransomware affecting organizations. That type of breach is very, very fast moving, typically in the market for a lot of organizations.


Giles Inkson | Director of Services EMEA NetSPI [00:15:13]:

So there's a real challenge with the timing of being able to identify something like this, respond to it and sort of recover from it, as well as going through the notification process at the same time. And I think that's where we'll see a real stretch for organizations to meet that compliance standard. How do you, how do you show that you can do the identification process and you know, adapt and prevent and recover from a threat at the same time, for instance. So it's a really tricky thing to get right. It needs to be documented, you need to be able to again justify it. You need to be able to talk about why you believe that the method and approach that you're using is appropriate. Because when you come to audit, you will need to go through that process. You will need to meet the challenge of, you know, these questions being asked of your organizations and why you've chosen that.


Giles Inkson | Director of Services EMEA NetSPI [00:16:00]:

If you don't have a robust set of evidence behind it about behind why you've made the choices, then there is a high likelihood that, you know, you'll need to take some measure afterwards. So if you've got good justification, you may well have to take less action to sort of get up to the right standard for next year and a year after that. So the improvement plan will be much reduced, if you will.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:16:25]:

I see we've been talking about communicate communication, reporting of incidents of course to the relevant authorities and the stakeholders. But what kind of channels would you use? Because I do believe it's not secure enough and not sufficient to just send an email. Hey guys, look at this. Something happened.


Giles Inkson | Director of Services EMEA NetSPI [00:16:48]:

Yeah, absolutely. So in these types of incidents, especially in a cybersecurity incident where, you know, the systems you use to actually send those emails may be compromised in and of themselves, there is a balance between sort of using the systems that are breached and some other out-of-band method like a telephone call or an SMS or a reporting platform or something similar. So some nations, for instance, will have direct reporting that you can do through a website, for instance. Those are methods that are often used. If you are in a market that is heavily regulated already, you will often have a contact or a representative or a sort of an agency, if you will, or a TCT in TIBER terms, that you would sort of make contact with. So you would have a familiar contact; normally, typically, they would be a first point, or a local law enforcement agency if it's relevant as well. That's a tricky one with the. With the kind of.


Giles Inkson | Director of Services EMEA NetSPI [00:17:51]:

The balance of sort of when and where you are allowed to do that in some regions. But I won't go too into that because there be dragons.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:18:02]:

Plus, we are just trying to provide here a high-level summary for the audience so that they can start thinking about where there may be a weakness, not to be found in your first audit, because that's what everybody wants to avoid and that's why we are here and talking today. I would like to go a little bit over to the topic of third-party risk management. You've been already talking about adjusting the contract with vendors here. I'm pretty confident everybody now already has the required criteria in their evaluation of third-party ICT providers and so on and so forth. How would you proceed with existing vendors that may be a little bit late to come by or promise something and didn't deliver yet? Because that's a problem for you and not necessarily for them.


Giles Inkson | Director of Services EMEA NetSPI [00:19:10]:

Absolutely. So there is guidance to say that you need to have good termination procedures in place as well. For instance, so the ability to terminate contracts with the sort of supply chain or with third parties when they are shown to not be complying. And I think that's a. You need to be able to pull that plug and have a process for it and be resilient against the impact that that might have. And I think that's especially seen for managed service providers or managed security service providers, especially in the ICT realm, which is a common practice. Outsourced IT, outsourced Security Operations Center or outsourced endpoint detection and response are all things where you may have to terminate them and the agreement with them if they're unable to provide sufficient improvement or documentation or evidence.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:20:01]:

Of course you should have by now at least looked at and adjusted the contract and service level agreements. Do you think there is a minimum of clauses you must put in this contract with third parties to align with DORA?


Giles Inkson | Director of Services EMEA NetSPI [00:20:17]:

Absolutely. So their ability to share their own security process with. With you, that is their vulnerability management, their. Their own sort of incident response procedures and sort of what the expected SLAs around those are so that they are communicating to you if they present a risk to you. And I think that's one of the. The core elements in terms of the other other pieces. So contractually speaking, you mentioned that they've, they've. Sorry.


Giles Inkson | Director of Services EMEA NetSPI [00:20:44]:

Contractually speaking, you know these things are negotiated already at that point it's data management, I think, and it's handling of your data and segregation of your data and evidence of that would be another key component as well. How do they deal with your data in relation and how do they protect that data? So I've seen in a number of examples, for instance, large service providers are now providing that level of attestation to their clients, for instance, and that's part of the negotiations that are ongoing for them.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:21:14]:

Let us go a little bit into the ICT tools and systems. The integrity, system integrity. Everybody needs to ask themselves, are my current systems resilient enough to withstand operational disruptions as outlined in DORA? But what would that mean for me as a maybe smaller startup or fintech here?


Giles Inkson | Director of Services EMEA NetSPI [00:21:44]:

Yeah, absolutely. So I think as a smaller organization, the cost overhead of compliance and being able to show compliance build the process is a big consideration for them. Equally, the nature of a startup or a scale up is that they are dynamic organizations. They need to be able to adapt and respond and they are the guerrilla fighters, if you will, of the kind of the business world. And that's one of the things that makes this quite tricky is because you're asking them to build a rigid structure and to do things that may prevent some level of innovation. And I think that's part of the pushback that some organizations have sort of have said cost is kind of probably going to come first for a lot and then complexity afterward, I would say for the implementation and the challenges for them.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:22:42]:

You're talking about rigid systems and dynamic startups here. I was wondering, have you seen any good solutions, any good systems? How do startups work with backup and recovery? Because they tend to change a lot of what they're doing and how they're doing it, and the backup and recovery needs to adjust. So how do they keep pace with their current development in terms of backup and recovery?


Giles Inkson | Director of Services EMEA NetSPI [00:23:14]:

That's a really interesting question, and one where I think the hard part is to design a system when you are a small organization and have the scale that you will reach in mind, and understand how to build for that scale and for backup and recovery, from the system that applies to a smaller company with five people, for instance, to one that has a thousand people or anywhere in between. It's tricky to get that scaling right. What you need to be able to do is build the backup scalability and the recovery scalability into every machine in a granular way. So this is where a lot of organizations are turning to things like SaaS platforms that offer that backup and retention dynamically without them really doing any sort of thought. There are some pitfalls to that approach. You're outsourcing the risk to another vendor rather than sort of doing the full process yourself. So finding a good place to retain the original sort of backup.


Giles Inkson | Director of Services EMEA NetSPI [00:24:18]:

So the original backups is a good start. Looking at how you can backport new iterations of systems or new generations of architecture into that is a key component. Things like immutability, for instance, are another element that people often think about and talk about: whether or not those backups can be changed. The regular review of what you are doing as part of that backup and generational changes and the kind of the transformation journey is very difficult. You have to track it over its lifespan, if that makes sense. So you have to kind of understand those systems as they evolve and start.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:24:56]:

To plan forward, spelled out in every aspect. And I do believe after the first audits there will be some issues coming up. People will discuss it at events and over time there will be established enforcement as well as rules and guidance people can adhere to. But right now we do have a little bit of wiggle room in some areas, and that's why we try to cover as much space as we're doing here. Talking about monitoring and testing, especially penetration testing, which you've been talking about: I do know there is some guidance here in Germany, especially from BSI and other associations. What kind of standards and certifications would you use and recommend for your clients to do that?


Giles Inkson | Director of Services EMEA NetSPI [00:25:49]:

Yeah, it's an interesting one. So under the TIBER standard that's been sort of across the EU for some time now, there were originally some guidelines around qualifications that organizations, and sort of the team members within them, would have to have to conduct tests under the TIBER framework. Actually those are not enforced anymore and there's a bit of a gap there, although a lot of the organizations will still refer to them as the kind of the standard that is expected. What I would tend to advise is to look for organizations that have individuals tested and accredited, as well as the organization itself, to a recognized industry standard level. So for instance, for the TLPT, the threat-led penetration test under DORA, or the similar standards, essentially advanced testing or advanced red teaming, intelligence-led red teaming, the typical standard is something like sort of a CREST certification like a CCSAM or a CCSAS for operators and managers. You're looking at something that has a bit of a history and a legacy. Other similar standards exist as well, and there are a lot of emergent organizations now that are bringing really good forward-thinking standards to the fore.


Giles Inkson | Director of Services EMEA NetSPI [00:27:17]:

I would also expect organizations to perform due diligence, and so that's what the standard advises. So looking at the individuals who are conducting testing, whether it's advanced or basic, if you will, and their experience and capability. So sort of five years of experience testing against financial services organizations for an experienced red team operator is considered to be the appropriate amount to conduct TLPT or TIBER in these instances. You need to validate those and sort of do those checks. Again, understand the justification for it, and the best approach, and the approach that I've seen most welcomed, is to talk to your authority or regulator, if you will, and sort of run your approach past them. Say, we've checked these, do these meet your standard? Are there any other standards that you would like us to meet? Again, no fixed qualifications at this moment in time, but look for accredited, credible, long-standing institutions if you're in any doubt, and do the due diligence on the individual testers themselves that will be performing work on your ICT systems and critical important functions. And that's kind of the right approach.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:28:35]:

I do believe something very similar would be required for the resilience testing, except the level of testing to demonstrate digital operational resilience. I would be a little bit more interested in threat intelligence. You already talked about real-time threat intelligence. What is the best practice to integrate that, as far as you've seen?


Giles Inkson | Director of Services EMEA NetSPI [00:29:01]:

It's a really interesting concept. So threat intelligence plays an important part in understanding how to design against threats to your resiliency. So having a constant feed and knowing the types of organizations or threat actors or groups that might be targeting your organization, or one similar to you, on a continuous basis is really, really important. That helps you design against them, if you will. There is a difference between sort of continuous threat intelligence and that element, as well as something that might be a standalone report or a point-in-time assessment. You need to have continuous feeds of what's directly interacting with your systems, for instance. That's what a lot of threat intelligence providers will now do.


Giles Inkson | Director of Services EMEA NetSPI [00:29:55]:

So they'll be looking at who's actually actively scanning your networks. What can that be attributed to? Likewise, organizations that are able to sort of get into the sort of the dark recesses of the Internet, deep web, dark web, those types of things, and look for evidence of threat actors targeting your organization. And then there are also things like sort of nation state or nation-state-linked groups that might be targeting you for strategic advantage. For instance, a lot of financial sector organizations will be targeted because they're prime targets for nation state level groups. So having the feed and the understanding of what's going on on that side of things, who they might be, what they might be targeting, have they made some kind of public announcement or have they affected similar organizations, is really, really important. Equally, that information source, that threat intelligence source, could be a platform or a vendor or a sort of a threat intelligence team you have yourself, or threat intelligence capability you have of your own. Or it could be your peers in the market, it could be the other financial institutions or similar types of institutions or the ICT institutions that feed into them, sharing information. And that's another core tenet of this: actually sharing that information about near misses, incidents, events between the different parts of the ecosystem is another source of really valuable threat intelligence.


Giles Inkson | Director of Services EMEA NetSPI [00:31:18]:

And there needs to be a good way to share that in a private way and not expose each other's vulnerabilities and issues for competitive advantage.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:31:26]:

For instance, that sounds like a lot of lunch appointments you're recommending here.


Giles Inkson | Director of Services EMEA NetSPI [00:31:33]:

Yeah, I think everyone's waistlines would have increased. I think that's the side effect of this.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:31:40]:

I see. We'll be back with policies and procedures after a little break for our sponsor. Okay, we are back here with Giles. We are still talking about DORA, giving you a high level overview here of steps you should and could have taken. As we said, it's not really yet enforced, it's not yet audited. That's why we give you a very broad, very high level overview of the steps we would take, questions we would ask. Therefore you could go through and start thinking, did I miss something? Is everything in there? We'll also link to the German authorities here. They have some guidelines for the enforcement of.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:32:35]:

Have some guidelines for DORA. I'll link it here in the show notes. Unfortunately it is not in English. Nonetheless, let's talk a little bit about policy and staff training, because one kind of reinforces the other. We assume you currently have policies for operational resilience reviewed, but how often, how frequently do you need to adapt them to evolve in order to keep current?


Giles Inkson | Director of Services EMEA NetSPI [00:33:11]:

The world changes rapidly, so "all the time" is the optimal answer, but possibly also equally not the realistic one. So as an absolute minimum you'd need to be sort of annually reviewing. But if you're undergoing major change as a business, you're taking on new initiatives or you've acquired, say for instance, mergers and acquisitions are a thing that happens all the time, perhaps you've got an influx of new people in the team. When there's a major event like that, then you need to start building that in. Much like if you were building a new product or developing something new, you'd want to test that when there's a major update to it; you'd want to do the same for your business and its people and your culture to make sure that that is well understood and adopted as part of the kind of that onboarding process, if you will.


Giles Inkson | Director of Services EMEA NetSPI [00:34:00]:

So yeah, major changes and at least annually.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:34:03]:

Yeah. And staff training should take place on a regular basis. I vividly remember that a few years ago I had a company here in the interview that offered this kind of testing. They just sent out mails and looked at who clicked on links, and I remember the answer: most clicks came from top management, but they are also the fastest ones to learn. I think there'll be a lot of required trainings. And don't make it like a boring online presentation, a YouTube video or something like that. Make it interactive.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:34:40]:

That usually helps a lot more. Especially I can tell from my past, especially if you get your staff, a group of people together, try to do the penetration testing themselves or at least give some ideas. It's really interesting how dark some people's thoughts can get here. Talking a little bit about cross border compliance, assuming you're a little bit bigger company. But even in financial services, if you have a few hundred employees, you're not really necessarily that big. But you can have operations in multiple EU countries or outside of EU countries. How does DORA apply there?


Giles Inkson | Director of Services EMEA NetSPI [00:35:34]:

It's an interesting dilemma for a lot of organizations. So we have had the privilege of working with global organizations that are facing this same challenge. So it may be that, for instance, you face the challenge of multiple regulatory compliance. So it could be different regions you have to comply with. And a common practice for a lot of organizations when they start to get a bit larger, a little bit more global on this side, is to look at the most stringent requirement and try and comply with that, or try and go for the kind of the path of most resistance where it comes to the compliance journey. And that's a typical approach. If you are sort of taking.


Giles Inkson | Director of Services EMEA NetSPI [00:36:16]:

Taking this as a fairly sweeping legislation as it is, and with lots of kind of enforcement power, it's likely that this legislation will probably be the most stringent standard that you face. So targeting sort of DORA and the act and the various articles underneath as the kind of the primary component is probably the most sensible approach. There are other standards of a similar nature, but I would suggest that this is probably the most complex for a lot of organizations to undertake, and target this.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:36:47]:

First in this instance, data localization. Of course it's always preferable to have the data within the country where you're regulated, where you're located. Are there specific requirements to store the data, for example, within the European Union to ensure compliance?


Giles Inkson | Director of Services EMEA NetSPI [00:37:09]:

Absolutely. So the data itself, much like some of the kind of the elements around sort of GDPR and what that brought in for a lot of global sort of companies, if you will, having that data, where it is relevant, stored in the European Union is the right approach in this instance. So it should be residing there and you should be able to sort of see it, as we say in the UK, farm to plate. So when you have a meal and maybe you have meat or whatever it might be, you know where that data has sort of been held throughout its life cycle. So being able to trace that back and make sure that you understand its location in full, and that your suppliers are able to give you that information, is a key component to that. So that goes downstream as well as for yourself, if you see what I mean. So cloud providers, for instance, often will allow you to put your data in specific regions if that's the way that you operate. So that's the, you know, the right approach.


Giles Inkson | Director of Services EMEA NetSPI [00:38:03]:

In this instance, if you are consuming services, SaaS services or web based products, for want of a better way of putting it, that are based in other regions, that's a good reason and a good time to do a review and understand whether or not they're compliant to this legislation.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:38:23]:

I see. The last topic that I have here is pretty funny because it's areas of uncertainty. We've learned throughout this interview, and we're now asking you questions for more than 40 minutes, that we do have a big area of uncertainty which kind of is all around DORA, because it's not enforced yet. There are some guidelines, there will be some incidents, there will be some learnings, there will be a lot of lunches, we've learned, and over time this will disappear. But right now we are trying to help you a little bit here. Where would you say the implementation guidelines are still ambiguous? How or where are they for you, and how would you seek clarification?


Giles Inkson | Director of Services EMEA NetSPI [00:39:17]:

That's a really interesting topic for a lot of organizations at the moment. So for instance, things like the RTSs themselves are due to be published fairly soon. I think that's around March time that we're looking to see those. And there are still quite a few big question marks around things like pooled testing, for instance, which a lot of organizations are interested in, and the kind of the role of service providers that a lot of organizations will use. There are still, dare I say it, quite a few question marks, lacks of answers, even from sort of the kind of the top down, the authorities themselves, about sort of how that will play out. And that shows the complexity of this and what's trying to be achieved.


Giles Inkson | Director of Services EMEA NetSPI [00:40:01]:

So it's trying to tie organizations together to get them to communicate and to be able to share that data in a collaborative way. But the reality of that is very difficult to implement. Sorry, could you remind me of the question again?


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:40:18]:

We've been talking about unclear guidelines and how you would seek clarification for them.


Giles Inkson | Director of Services EMEA NetSPI [00:40:24]:

Yeah, absolutely. So in terms of the way that you would be able to seek guidance for such a thing, speaking to the authority that you have in your region, or when that's assigned, and sort of getting the guidance directly from them is definitely a good thing to do. Being communicative, almost over-communicative, and asking those questions is the right approach. And it's been something that's worked for sort of organizations trying to get themselves ready for TIBER testing in years past. For instance, asking the question of your authority once they've been enshrined, hopefully in March, will be the right way to make sure that you've got the right information and the right point of contact, if that makes sense, or the right structure and the right approach.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:41:11]:

For what level of compliance would you aim? Usually you should aim for good enough to pass an audit. You should also take the opportunity to look a little bit through the cybersecurity of your organization. What kind of level would you recommend for your clients to implement in order to not really get in any big trouble? Do everything as best as you can, ask as many questions as you can, and then you should be at least.


Giles Inkson | Director of Services EMEA NetSPI [00:41:50]:

Okay, well, it is possible to ask too many questions and to force yourself down a path that's too complex. So I would start with the questions to understand the size of that delta to start with. In terms of the "do the best that you can" approach, I think it's difficult to go wrong. But the reality, the commercial reality of that can be quite challenging. It could cost quite a lot to be able to do the best you can, and you may not get business support for it, or investment or funding, whatever it might be. So the minimum level is probably the realistic level for a lot of organizations in this instance, but have a plan to improve beyond that point and a structured set of goals that you want to exceed. Start with that minimum and work your way up in continuous improvement. And showing that continuous improvement in your approach, your thinking, your documentation and the process, and building that out over time, is the right way to stay ahead of that curve. If you treat this as point in time, "I'm good for now."


Giles Inkson | Director of Services EMEA NetSPI [00:42:55]:

Nothing changes. The world changes around you. You will find that there is a compliance gap 12 months, 18 months, 24 months away. So make sure that you are hitting that minimum, at least to start with as much as possible and then planning forward to try and get better over time. And I think that's what this is trying to encourage.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:43:13]:

I was aiming for the continuous improvement as well. As I've seen in a lot of consulting projects in the past, they really blow up. They became much, much bigger than you would expect. And that's what you've been referring to with the exploding cost. So basically you should aim at a level where you feel secure that you've done enough. And as you said, you can ask too many questions. And guys, keep in mind this is not regulatory or legal advice here. That is just a place to start doing your own homework. I do believe I've bothered you with a lot of questions here.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:44:01]:

We talked about a lot of high level stuff, and I do believe some people listening to this really got some value added out of it, because they now have some areas where they can think and rethink their approach to DORA. Thank you very much.


Giles Inkson | Director of Services EMEA NetSPI [00:44:18]:

Thank you.


Jörn 'Joe' Menninger | Founder and Editor in Chief | Startuprad.io [00:44:25]:

That's all folks. Find more news streams, events and interviews at www.startuprad.io. Remember, sharing is caring.
