Today we are interviewing Michael Von Glasow, a cybersecurity expert with extensive experience (both at CGI Lithuania and CGI Deutschland), who will present the key highlights of the European Union's (EU's) DORA regulation (Digital Operational Resilience Act). In the interview, you will find answers to what DORA is, who it applies to, and why it is crucial for companies to check now whether there are any gaps in their implementation of it.
What is DORA and who does it apply to?
DORA is a European Union regulation that came into force in 2025. DORA applies to a fairly broad range of companies, namely those working in the financial sector. It includes banks, insurance companies and more. It is important to note that DORA does not only apply to companies in the financial sector but also to their IT service providers.
How does DORA differ from other security regulations such as NIS2?
The DORA Regulation takes a much broader view of digital operational resilience. It covers not only cyber security, but also a wide range of operational disruptions such as fires, earthquakes or other disasters. In addition to availability and confidentiality of information, DORA emphasizes data integrity and continuity of service.
What risks can businesses face if they are not yet ready for DORA?
Businesses that have not implemented DORA requirements face, in particular, an increased risk of operational and cyber incidents. If a disruption or attack occurs and an organization is not prepared, the consequences can be significant - financial losses, reputational damage or service disruption. In addition, DORA requires specific risk management measures to be put in place, and failure to do so may result in regulatory liability and sanctions.
Where should a company start in order to comply with DORA? What would be the first steps?
The first step should be a thorough analysis - the company should assess what it has already implemented and what is missing. Often some of the measures are already in place, but it is necessary to identify the gaps and plan how to fill them. The requirements are proportionate, depending on the size of the company, the nature of its activities, its risk profile and the scale of the services it provides. For some companies, simplified risk management procedures and reduced administrative obligations apply, but responsibility for preparedness remains in all cases.
How long can it take to prepare for DORA requirements?
It is difficult to give an exact timeframe, as the length of the preparation process is highly dependent on the size and complexity of the company and on the processes and resources already in place. For example, in one of our projects, the preparatory analysis (gap analysis) and the planning of the main measures took about 200 hours. However, there are also projects that run faster, so only after assessing the current situation can you objectively say how long the preparation will take - it depends very much on the scope and on the approach to quality.
Who should be responsible for implementing DORA requirements in a company - the IT department or the management? Does the regulation clearly define responsibilities?
As in other areas of security, the ultimate centre of responsibility lies with the management - they must ensure that the organization complies with the legal requirements. The IT department or other departments may enforce specific technical or organizational measures, but it is the responsibility of management to ensure compliance across the whole company. In addition, the DORA Regulation clearly states the role of the governing bodies (managers) - they must be actively involved in risk management and be held accountable for compliance.
How should companies respond to IT incidents? How prepared do you think they are today?
I notice that most companies already have some kind of incident management tools in place. However, the question often arises as to whether they are sufficient and whether they comply with the requirements of DORA. One of the specific requirements of DORA is the reporting of high-impact incidents. In Lithuania, the Bank of Lithuania must be notified of such incidents. Therefore, it is important not only to have the tools in place, but also to regularly check that they are working properly and to make sure that the incident management processes are in line with the legal requirements.
In the event of an incident, the company must notify the regulatory authorities. What happens next? What should the action plan be?
A proper incident management process must be in place, which includes not only the management of the incident itself but also communication. Under DORA, an initial notification must be made to the Bank of Lithuania within 24 hours of the incident being identified. Further, an update must be provided within 72 hours at the latest if additional information about the incident becomes available. All of this must be clearly described in the company's internal procedures.
Does a company need to renew contracts with IT service providers to comply with DORA?
Yes, this is one of the five key areas of DORA (“pillars”) - third party (supplier) risk management. The company must review and, if necessary, update its contracts with IT service providers to comply with DORA requirements. Contracts must clearly set out the supplier's obligations, such as security, business continuity, incident management, right of inspection by supervisory authorities, etc. As a DORA entity, the company must ensure that suppliers comply with these conditions and has the right to verify this.
You are talking about the five “pillars” of DORA. Can you remind me what they are?
Yes, the DORA Regulation is based on five main “pillars”, i.e. thematic areas where specific requirements are defined:
- IT risk management - the company must have an effective information and communication technology (ICT) risk management system.
- IT incident management and reporting - an incident management process must be in place and strict reporting deadlines must be met (e.g. 24 hours after the discovery of an incident).
- Digital Operational Resilience Testing - the company must regularly test its readiness to withstand technological disruptions.
- Managing third party/supplier risks - the firm must manage risks arising from service providers and ensure that their activities comply with DORA requirements.
- Information sharing - this is a voluntary area that allows for the exchange of information on threats and incidents between entities in the sector in order to strengthen overall resilience.
These five areas form the basis of DORA and their implementation is essential for full compliance with the Regulation.
Can the implementation of DORA give a company a competitive advantage?
Yes, it can definitely be a competitive advantage. Companies that have not only formally implemented the DORA requirements but also have strong digital resilience stand out in the market. They can ensure that their services will continue to operate uninterrupted even in challenging situations, which increases customer confidence. By contrast, competitors with minimal preparation may face higher levels of risk.
How do you think company management should be involved in the implementation of DORA? Is special training required?
I would recommend working with an IT consultancy that can objectively assess the current situation - what measures are already in place, what is missing and how to specifically apply the DORA requirements in that company. Such an assessment provides a clear understanding of what actions are needed and where the points of management involvement should be.
How can CGI help in this process?
We can help in all phases of DORA implementation - from the initial situation analysis and gap assessment to the implementation of concrete measures and operational support. We are ready to work from scratch to full compliance.
Could you share some examples from your practice - client stories where you have had experience with DORA requirements?
Yes, I have been personally involved in two significant projects. One of them was with an insurance company. There, we carried out a thorough analysis of the situation and helped to implement the necessary measures: we prepared all the necessary documents - policies, plans, procedures.
Another case was with a telecommunications company (a mobile operator). Although their core business is not financial, they were still covered by DORA. There, we worked with an integrated approach, combining both DORA and NIS2 requirements, as the company falls under both regulatory regimes.
Who is responsible for the implementation and supervision of the DORA Regulation? How should a company deal with multiple regulatory regimes?
In the EU, there is one competent authority designated in each Member State for the implementation and supervision of the DORA Regulation. For example, in Germany or Italy, it is the central bank or another competent authority - usually one main body. Sometimes complex situations can arise where a firm falls under several regulatory regimes, for example if it is regulated under DORA and also under other EU regulations (e.g. NIS2). In this case, the company has to comply with the requirements of, and communicate with, all the relevant authorities that apply those regulations.
What advice would you give to companies regarding the implementation of DORA requirements? Should they rush? What is the most important thing to pay attention to?
Some of the companies that fall under DORA are already late, because the requirements need to be implemented now. Therefore, my main recommendation is not to wait. We need to start as soon as possible with a gap analysis, to assess where the biggest gaps are and to plan our actions accordingly. It is also important to remember that DORA is applied on a proportionate basis - the measures must be tailored to the size of the company, the level of risk and the nature of the activity. It is therefore important to assess your situation carefully and act systematically.