Sander Zwiebel (NN Group) on DORA: The Final Countdown
Summary

- DORA as evolution, not revolution
  The Digital Operational Resilience Act (DORA) consolidates existing best practices in risk management, security, and operational resilience into a single, mandatory legal framework for financial institutions. Rather than reinventing those practices, it makes formalized, board-level attention to resilience and compliance a legal obligation.

- Third-party risk management under scrutiny
  DORA mandates detailed oversight of third-party providers, including their subcontractors. Financial institutions must develop formal third-party risk strategies, conduct Threat-Led Penetration Testing (TLPT), and independently assess critical suppliers, even those already regulated by other authorities.

- Compliance vs. security: bridging the gap
  DORA risks becoming a checkbox exercise, so Sander encourages using the legislation to reinforce genuine security goals: embed risk-based decision making, test against real-world scenarios, and make sure security is not sacrificed for superficial compliance.

- Collaborative regulation is key
  Implementation involves continuous dialogue with regulators. Questions and assumptions should be tested through industry collaboration, regulatory FAQs, and panel sessions, which builds shared understanding and eases the burden on individual institutions.

- Challenges in tooling and clarity
  Many technical requirements, such as information registers or micro-segmentation, lack mature tooling support. Organizations must build interim solutions and adapt as the standards evolve, favouring practicality over perfection.

- Strategic scoping and prioritization
  Organizations should start by identifying their most critical functions and the dependencies behind them. Setting the scope properly reduces implementation complexity, focuses resilience efforts where they matter, and aligns with regulator expectations.

- Toward global regulatory convergence
  Sander expects DORA's influence to extend beyond the EU and potentially shape global standards. Integrating it with upcoming regulations such as the AI Act, and aligning it with other frameworks, could reduce friction and improve efficiency.

- Final implementation advice
  With the January 17, 2025 compliance deadline approaching, institutions are urged to build on existing governance processes, avoid massive overhauls, and adopt small, high-impact changes. Peer alignment and acting on documented assumptions are essential while finalized guidance is still absent.