This is the final wrap-up document for this initial set of DORA articles… So, here goes for one final ride…
We opened PanDORA’s box and took a look inside—examining what DORA aims to achieve, the pillars that form its foundation, and the implications and work this regulation brings.
As part of this wrap-up, I thought it might be useful to highlight some key takeaways and what you should be thinking about on your DORA journey. You’re likely already doing a lot of this, but here goes:
Understand your gaps and have a plan:
You’ve probably conducted your gap analysis, uncovered a few skeletons in your closet (who hasn’t with these kinds of activities?), and identified areas where you may not fully comply with DORA. The next key action is ensuring you have workable, actionable plans in place—plans that are actively being executed with appropriate executive oversight. Keep this in your toolkit for when the regulator comes knocking. They will see that you understand your risks, have a plan to close them, and know where you need to be.
Here is a bit of a guide of some of the key aspects to focus on:
- Raise those risks: If you’ve identified a gap, document it in your corporate risk system. This shows that you acknowledge the issue, are tracking it, and that your risk and management bodies are aware of it.
- Have a plan: For every identified gap, ensure there’s a detailed, tangible plan demonstrating how you will close it. Make sure this plan has a realistic timeline—one that is achievable but also reassures regulators that you’re treating these gaps with the appropriate level of urgency.
- Be Pragmatic & Proportionate: DORA is not one-size-fits-all. Your response should be proportionate to the size and complexity of your organization. Read and understand the proportionality principle in DORA, and determine how it applies to you. (There’s a helpful article on this here: DORA Proportionality Principle).
- Map Those CIFs (and All Functions): DORA clearly mandates identifying and mapping your Critical or Important Functions (CIFs). This isn’t a one-time activity—your business will evolve, and so should your mapping. Ensure this process is built into your operating model.
Overall Risk Management: A robust risk management framework is essential for effectively managing ICT risks. Two key areas to focus on:
- Understanding Your Key ICT Risks: Identify and document your key ICT risks. Ensure there are processes in place to assess, test, and highlight these risks, along with appropriate responses.
- Third-Party Risk Management: As highlighted in previous articles, third-party risk management is a major focus of DORA. Understanding the risk profile of critical suppliers—especially those tied to your CIFs—is crucial. This is one of the most common areas of failure and will be a thematic focus during audits. Stay proactive and continuously mature your approach in this area.
Register of Information: This serves as a database of all contractual agreements with third parties and legal entities. Things can get complex if your organization has multiple legal entities, as agreements may occur across different parts of your business. Ensure they are recorded and managed in the same way as third-party agreements, focusing on key risks.
Testing, Testing, and More Testing: Ensure you have a structured approach to testing in the context of resilience. Not only should you be able to evidence your testing efforts, but this process should also be part of a continuous improvement loop. The legislation aims to drive increasing ICT resilience maturity—so demonstrating this evolution is key.
Reporting to Your Management Body: It’s not enough to “do the right things”—your executive and management bodies must also be in control of the ship. Regular reporting on DORA-related risks and compliance should be integrated into your governance structures. Two critical yearly reporting elements include:
- DORA Strategy: Have a clear strategy that is embedded into your organization. Show that it has the necessary weight, plans, and investment to drive maturity.
- Lessons Learned: Regular operational cycles, incidents, and risk assessments should be aggregated into an annual report. This should highlight trends, improvements made, and lessons to carry forward to drive further resilience.
If you’re covering these areas, you’re probably on the right path!
Final Thoughts
Refer back to the “DORA house” model (discussed in the first article) if you need a refresher on key focus areas.
One final piece of advice (besides “keep calm and carry on”): engage with your industry peers. See how others are tackling DORA, leverage trusted partners, and explore innovative solutions—whether it’s network segmentation, segregated backup/recovery strategies, open-source software management, or advanced monitoring and capacity management. There’s a lot of creativity happening in this space—get involved!
That’s it from me for today. I hope this series of articles has been insightful.
If you’d like to discuss any DORA challenges—or other regulatory concerns—feel free to reach out to HighPoint. We’re happy to help, share ideas, and collaborate to get you where you need to be.
Thanks for reading! If there’s anything else you’d like to see covered in a future blog, let us know. Have a great day—and keep smiling! 😊