Steps financial companies must take to achieve DORA & NIS2 compliance

To achieve DORA & NIS2 compliance, financial companies must prioritise the protection of sensitive financial data and infrastructure security. The critical steps that companies are strongly advised to take to reach compliance are as follows: 

Step 1: Perform a gap analysis and maturity assessment 

To effectively navigate DORA requirements, it is imperative for your company to conduct a thorough assessment of your current digital resilience and operational practices. This assessment should involve evaluating your governance structure, internal practices, maturity level and the complexity of your operations. By identifying gaps and areas of non-compliance in line with DORA requirements, you can lay the groundwork for targeted improvements and strategic alignment.  

Step 2: Bring the right people and talent together

Assemble a capable team with the necessary skills to oversee the implementation of DORA and drive operational resilience within your company. As outlined in DORA, the team should form senior and third-party risk managers, communications leads, ICT risk managers, internal auditors and media and crisis managers. 

Step 3: Understand DORA requirements 

Ensure your team understands the five pillars of DORA and review your company’s risk management framework, policies, controls and risk assessment activities in line with DORA’s requirements.  

Step 4: Reshape your digital and operational resilience strategies 

Revise and enhance your digital and operational resilience strategies to align with the principles and focus areas highlighted in DORA while also considering emerging technologies and evolving threats.  

Step 5: Implement DORA requirements  

Select a comprehensive framework that eases the systematic implementation of DORA’s requirements. This framework should accurately identify all obligations and translate gap analysis results into specific tasks. By breaking down the implementation process into sub-projects aligned with each pillar of DORA, you can specifically address its requirements. Remember to stay flexible in your implementation approach, as additional rules in the form of regulatory technical standards (RTS) will be introduced within the two-year implementation window.  

Step 6: Prepare for the future UK DORA-equivalent legislation 

The UK government has hinted that they will legislate for a UK equivalent of DORA in the next parliamentary year. Ensure your team remains proactive and up to date on the latest news so you can be prepared to adapt operations and compliance practices to meet any forthcoming requirements. 

How can CACI help? 

With over 20 years’ experience in helping deliver effective IT and security strategies to financial companies, CACI can help you navigate the changes and challenges brought on by DORA. Our experienced security and compliance experts can bolster your understanding of your network assets, help you conduct maturity assessments, address compliance gaps regarding the fulfilment of DORA implementation requirements, and much more.  

To learn more, please read our recent whitepaper “Compliance with DORA and NIS2: Essential steps for UK financial companies”, which explores the impact of DORA and NIS2 on financial companies in the UK, key considerations for senior management and best practices for achieving compliance. You can also get in touch with the team here.