ABSTRACT: Europe’s Digital Operational Resilience Act (DORA) is rapidly reshaping how organizations address technology, risk, and compliance requirements, particularly for financial entities operating in the EU. This article provides a high-level overview of DORA’s ten core technical mandates—ranging from ICT risk management and incident response to third-party oversight—and highlights what to expect at the upcoming Dynatrace Perform conference. With AI-driven tools like Dynatrace Davis, companies can automate event correlation, threat detection, and compliance reporting, helping them meet DORA’s ongoing operational resilience standards. Ultimately, DORA isn’t a one-and-done regulation; rather, it requires continuous testing, monitoring, and iterative improvements to protect organizations and ensure they remain agile in the face of evolving cyber threats.
This is an exciting time of the year with companies rolling out new strategies, finishing up their corporate fiscal years, and organizations getting ready to advance their technology strategies. One of the things many organizations will have to address is the Digital Operational Resilience Act (DORA) that went into effect or applies as of January 17th, 2025. While the exact wording in the law is very nuanced and detailed, with many of the GSI partner communities offering compliance services, below is my high-level summary of ten key technical requirements commonly associated with DORA. I was also quoted in a Dynatrace release this week as they prepare to show off what is new at their Dynatrace Perform conference at the beginning of February, where I expect expanded capabilities using their long-standing AI capabilities. Here is the quote:
“Organizations are grappling with new regulations and technologies, such as GenAI, and struggling to address, upskill, and staff compliance functions,” says Rob Strechay, Managing Director and Analyst with theCUBE Research. “DORA is a major regulation that profoundly impacts organizations’ resilience and security requirements across any organization doing business in the EU. Dynatrace aims to help specifically with requirements like efficient event correlation, threat hunting, and more. This is where automation via Dynatrace with Davis AI can make a difference for organizations.”
As we can see in the August ETR.ai Drill-down Survey for Cloud 2024, organizations in EMEA are using more cloud year over year, 50% vs 45% in 2023, but still less than in 2022 when it was at 52%. The analysis is that this is basically flat growth in the cloud market in EMEA. But that may be swinging back as more organizations consider where to do AI. DORA will also have a significant impact on this, going toward 2027 and beyond.
Top Ten Technology Areas To Consider with DORA
1. Comprehensive Information and Communication Technology (ICT) Risk Management Framework
DORA requires financial entities to establish a holistic ICT risk management framework that identifies, assesses, and manages ICT-related risks across the organization. This framework must be integrated with overall enterprise risk management processes, with clearly defined roles and responsibilities at senior management and board levels. Its purpose is to ensure that ICT risks are systematically identified, measured, and addressed throughout all business lines, ensuring that organizations remain agile and responsive to evolving threats. This will be a huge challenge out of the gate for many organizations. If you have no been able to do regular tabletop exercises, you might need some work here. More to come on this subject from theCUBE research.
2. Robust ICT Security Controls
Financial entities and their technology supply chain subject to DORA must deploy a range of technical and organizational security controls designed to protect systems and data from cyber threats. These controls typically include role-based access, network and endpoint security, multi-factor authentication, and encryption for data in transit and at rest. Adequate patch management and secure configurations are also vital, as they help close common attack vectors and reduce vulnerabilities. This will also impact all the way down to how organizations deploy from their CI/CD pipelines.
3. Cyber Incident Detection & Management
DORA strongly emphasizes prompt detection, management, and reporting of cyber incidents. Entities are expected to implement real-time monitoring, logging, and incident response procedures that include defined escalation paths, clear communication protocols, and robust forensic capabilities to investigate and analyze the root causes of incidents. Major ICT incidents must be reported to the relevant supervisory authorities within strict timelines to enable coordinated responses and minimize systemic risks. This will come at a cost similar to those that have been under SEC 17a-4(b), where every financial services broker or dealer subject to the law must preserve their communications, such as email, text, IM, Slack, etc., for not less than three years and having the first two years in an easily accessible place.
4. ICT Business Continuity & Disaster Recovery
Under DORA, financial entities must develop and maintain thorough ICT business continuity and disaster recovery plans. These plans should specify recovery time objectives (RTOs) and recovery point objectives (RPOs), alongside strategies to keep critical functions running during disruptions. Regular testing of business continuity procedures and failover mechanisms is essential for validating the organization’s ability to recover from disruptions, such as cyberattacks, system failures, or natural disasters. If you want more on Cyber Resilience, check out Christophe Bertrand’s recent Cyber Resilience summit.
5. ICT Testing & Vulnerability Assessments
DORA encourages continuous ICT testing, which includes penetration testing, vulnerability scanning, and other forms of security assessments. By proactively identifying and remediating weaknesses, entities can bolster their defenses before attackers exploit them. Moreover, red team exercises and external audits simulate real-world attacks and independent reviews, providing additional insights into potential gaps in the organization’s security posture. You may want to move beyond red teaming to purple teaming things, too. Coordinate so that issues are exposed, and there is a constant flow of how to capture anomalous data, even when it is not seen as relevant at the time.
6. Third-Party Risk Management
Organizations must extend their ICT risk management practices to include critical ICT service providers, such as cloud service providers. DORA mandates thorough due diligence before onboarding external providers and robust contractual clauses covering security requirements, performance metrics, and data protection. Regular monitoring ensures that third-party compliance remains consistent while having clear exit strategies guarantee operational continuity if a provider fails or the partnership is terminated. An example that can happen and was one of the significant factors in DORA being created was the scenario that your EU cloud region goes down or financially collapses, and your application is deemed under the DORA umbrella; how will you be resilient to another provider, colo, or even on-premises to keep that application accessible to your customers? Remember, you already have to consider GDPR from your customer’s data perspective.
7. Governance & Accountability
DORA insists on clear governance structures, whereby the management body or board of directors is responsible for ICT risk oversight and digital operational resilience. Financial entities should appoint roles or committees tasked explicitly with monitoring ICT risk and providing regular reports to senior management. Documented policies and procedures help embed DORA’s requirements into daily operations, fostering a culture of accountability and compliance throughout the organization. This is the stuff IT organizations are used to doing, but is critically important. Saying you don’t have a policy could have dire consequences.
8. Logging & Monitoring of ICT Systems
Effective logging and monitoring mechanisms underpin an organization’s real-time ability to detect potential threats. DORA highlights the need for detailed logs of user activities, configuration changes, and security events. A centralized log collection and correlation system enables swift threat detection, while well-defined retention policies ensure that logs remain available for forensic analysis and compliance checks. This is where observability (o11y) and Security information and event management (SIEM) come into play. This goes beyond collection to emphasize correlation, where something like AI will be helpful, like in the Dynatrace Davis AI inside their platform.
9. Data Management & Integrity
Protecting data integrity and availability is central to DORA’s operational resilience objectives. Financial entities are encouraged to classify data based on sensitivity, deploy cryptographic controls, and maintain regular backups with offsite or offline storage. Proper data lifecycle management ensures compliance with regulatory requirements and helps preserve the accuracy and consistency of critical information in the event of disruptions or cyber incidents. This, again, is so important as these regulations and what regulators say is the “right amount” of data will be an ever-moving target. From my experience with the SEC regulations, I suggest that anytime there is a “bump in the night,” you better preserve the logs and information for a long time.
10. Resilience Testing & Oversight
Finally, DORA obliges organizations to validate the effectiveness of their controls, processes, and recovery capabilities through regular resilience testing. Threat-led penetration testing, red, blue, and purple team exercises, and scenario-based assessments allow organizations to simulate severe but plausible disruptions. Test findings feed into continuous improvement cycles, enabling firms to refine their ICT risk management strategies and maintain high standards of digital operational resilience over time. Building muscle memory will take an organization time, and preparing for the test can’t take three months.
Our ANGLE
DORA is the tip of the iceberg, and we see that technology will be increasingly managed, such as financial services products, mutual funds, and stock transactions, where compliance will be significantly higher. Expect more on this topic out of all of us, especially Jackie McGuire on our Cyber side of things. For now, organizations should be looking for partners like Dynatrace that are looking into the regulations and pointing out how they can help in the race to compliance through ongoing simplification of the information influx from all of the applications and systems in the cloud and on-premises. An Important note is that DORA requires ongoing compliance, not just a one-and-done certification like many of the technology regulations of the past. This is more in line with what the FDA or SEC requires as new products, which we call applications in technology, are rolled out to consumers. Having been at highly regulated organizations, the best way to approach this is to over-prepare and know that more people will not be the answer as the data and technology is so broad and voluminous. Also, tools alone will not solve the problem. It is a blending of the two that will help. Also, as we know, many organizations have five or more o11y platforms and a couple of SIEMs. For those organizations, consolidation is a must.
