DEVLHON Consulting deciphers the DORA regulation: Strengthening the digital resilience of financial companies in Europe
The Digital Operational Resilience Act (DORA), the new legislative framework of the European Union, aims to improve the digital operational resilience of companies in the financial sector. By early 2025, companies operating within the EU, along with their Information and Communication Technology (ICT) providers, will need to comply with these new requirements. This regulation goes beyond mere compliance, imposing a complete overhaul of digital risk management within organizations.
The Five Pillars of DORA Compliance
DORA is built on five pillars of resilience, essential to ensuring the security and continuity of services in the face of growing digital threats:
- ICT risk management
- ICT incident management and reporting
- Digital operational resilience testing
- ICT third-party risk management
- Information sharing
These pillars require companies to establish robust mechanisms to anticipate, prevent, and respond to digital disruptions, particularly through proactive risk management and continuous monitoring of critical systems such as Active Directory (AD), which often sits at the heart of an organization's IT infrastructure.
The Importance of Active Directory in DORA Compliance
Active Directory is crucial for identity and access management within financial companies. Any failure of this critical component could paralyze all services. Therefore, the security of this environment must meet the requirements of each of DORA’s five pillars.
ICT Risk Management: Companies must prove they have complete control over AD configuration and are able to quickly restore access in case of a failure. Continuous monitoring and tools like Semperis Directory Services Protector (DSP) play a key role by automating assessments and proactively detecting threats.
ICT Incident Management: DORA mandates standardized processes for reporting ICT-related incidents at different stages (initial, intermediate, final). Given AD’s importance for business continuity, incidents must be properly classified, with clear roles assigned for response.
Digital Resilience Testing: Conducting resilience tests is mandatory under DORA, but testing Active Directory can be complex. Simulating attack or failure scenarios in an isolated test environment can help identify weaknesses while minimizing risks to the main system.
Third-Party Risk Management: ICT service providers, whose accounts and services are often integrated through Active Directory, increase the risk exposure of companies. Managing these risks requires continuous monitoring and regular audits of third-party access and activities.
Information Sharing: DORA encourages companies to collaborate with peers to share information on threats and incidents, thus helping to strengthen the overall security of the financial sector.
A Strategic Challenge for Leaders
Under DORA, boards of directors and executive management play a crucial role. They must ensure that their company is prepared to face digital threats and make the necessary investment decisions to strengthen the resilience of critical systems. For example, by investing in proactive monitoring technologies, companies will be better equipped to meet the regulation’s requirements while enhancing their overall security.
Conclusion
DORA represents a major transformation for financial companies within the EU. Beyond complying with a strict regulatory framework, they must adopt a proactive approach to strengthen their digital resilience. Active Directory, at the core of digital infrastructure, is a key element of this strategy. Through effective risk management, rigorous resilience testing, and collaboration with external providers, companies will be better prepared to face digital disruptions and threats in an increasingly complex