By Chris Duffy
Operational resilience is quickly becoming the cornerstone of business strategies, especially within the financial services industry. One significant regulatory advancement is the Digital Operational Resilience Act (DORA), which the European Union rolled out to strengthen the operational stability of financial institutions in the face of digital threats. DORA was released in December of 2022, and will go into effect January 17, 2025, giving financial institutions two years to comply.
As organizations analyze DORA’s requirements, it’s essential to recognize that business continuity (BC) is the bedrock upon which compliance with this regulation is built. Without a robust BC foundation, complying with DORA’s requirements becomes costly and inefficient.
DORA’s Core Pillars And Their Connection To Business Continuity
At its root, DORA ensures that financial institutions and their Information, Communication, and Technology (ICT) service providers maintain resilience through effective risk management, incident response, and continuity planning. DORA’s requirements aim to prevent operational disruptions that could impact the financial system’s stability. While several key articles explicitly refer to areas where business continuity plays a pivotal role, it’s best to first level-set the involvement and depth required of ICT vendors, and Article 4 sets the proportionality of that involvement.
Article 4: ICT Risk Management Framework
Article 4 of DORA introduces the principle of proportionality in ICT risk management, requiring financial entities and their critical vendors to tailor resilience measures according to the scale, complexity, and risk profile of their operations. For BC professionals, this means continuity strategies should be adapted to reflect the specific characteristics of the organization, ensuring risk management practices are neither excessively burdensome nor insufficient. Smaller firms or those with simpler operations can implement more streamlined resilience measures, while larger or more complex entities must adopt more comprehensive approaches.
This proportionality ensures resilience efforts are effective and resource-efficient, aligning with the entity’s actual risk exposure.
Article 11: ICT Business Continuity Policy
Article 11 mandates that financial entities establish a clear ICT business continuity policy. This policy must ensure the availability, integrity, and recovery of systems in the event of disruptions or incidents. Without a strong policy approved and implemented by leadership, a business continuity program is rarely more than a compliance checklist.
Article 11 basically states that it’s important to have business continuity plans in place for ICT. It reinforces that an organization’s ability to continue its critical functions during a disruption is based on its pre-established BC plans. A robust BC program provides the framework to identify essential processes, assess risks, and develop detailed actionable continuity strategies.
For companies with a strong and established BC foundation, the policies required by Article 11 are a refinement rather than a redesign. Investments in BC directly translate into DORA compliance, saving costs that would otherwise be spent on reworking disaster recovery or ICT continuity plans.
Article 12: Disaster Recovery Capabilities
Article 12 outlines the necessity of comprehensive disaster recovery (DR) capabilities. Financial entities are required to demonstrate that they can recover operations within a specified timeframe, and this mandate applies proportionally (Article 4) to their third-party ICT providers.
Business continuity, together with a quantitative and qualitative, automatically calculated business impact analysis (BIA), is what informs and drives IT recovery, defining the acceptable downtime (recovery time objective, RTO) and the acceptable data loss (recovery point objective, RPO). Strong BC programs help organizations not only define these metrics but also test, validate, and update their DR plans on an ongoing basis.
For companies with mature BC practices, the DR capabilities DORA requires should already be embedded in their resilience framework. Financial investment in this area is more strategic, focusing on enhancement and increased resiliency rather than the creation of new processes.
Article 15: ICT Incident Reporting
Article 15 requires financial entities to implement a robust ICT incident reporting process. While the immediate focus of DORA appears to be cybersecurity, BC leaders should recognize that incident reporting and crisis communication are core components of an effective business continuity plan.
BC frameworks ensure that communication protocols, escalation paths, and recovery processes are clearly documented and tested. This synergy means that financial entities with strong BC processes can meet this Article’s reporting requirements without having to revise or overhaul their incident management structures.
Article 23: Testing ICT Tools & Systems
Article 23 focuses on the testing of an organization’s ICT systems and tools to ensure operational resilience. Regular testing and validation of ICT systems is a staple of both BC and disaster recovery programs. Through stress testing, scenario analysis, and live simulations, organizations can validate preparedness and refine responses.
For organizations with established BC practices, this is second nature. DORA’s testing requirements can easily be integrated into existing business continuity tabletops, saving time, resources, and money. Instead of creating separate DORA-specific tests, organizations can enhance their BC exercises to meet these standards, leveraging “dual-purpose testing” that covers both operational resilience and compliance.
Article 27: Outsourcing & Third-Party Risk Management
Article 27 focuses on managing third-party ICT risks, especially when financial entities outsource critical ICT services. Ensuring resilience in third-party operations is essential, as disruptions can cascade into the primary organization.
Business continuity practices are critical here. Vendor risk assessments using the SIG (Standardized Information Gathering) questionnaire or other tools, continuity plans, and recovery testing with third-party providers are all elements of a well-established BC program. Organizations that already incorporate third-party risk into their BC frameworks can meet DORA’s stringent third-party management requirements without creating redundant efforts. Financial entities can optimize their internal resources by enhancing their existing vendor management and BC strategies, rather than starting from scratch.
Why A Strong BC Foundation In DORA Is Fiscally Responsible
Building a strong business continuity foundation is a strategic move that helps organizations align with DORA in several key ways:
- Avoiding Duplicative Investments: Without a mature BC program, organizations may find themselves scrambling to meet DORA’s requirements by investing in siloed ICT continuity or disaster recovery tools that may overlap with existing systems. A well-integrated BC framework allows for streamlined investments, ensuring that resources are directed toward enhancing existing capabilities rather than duplicating efforts.
- Proactive vs. Reactive Spending: Organizations with strong BC foundations tend to approach compliance proactively. They are able to anticipate regulatory changes and adapt their resilience strategies accordingly. In contrast, those without robust BC frameworks may find themselves making reactive, ad-hoc investments that drive up costs and often result in inefficient solutions. Proactive investment in BC leads to a more sustainable and scalable approach to compliance.
- Optimized Resource Allocation: A business continuity program allows organizations to identify the most critical processes and allocate resources to protect them effectively. This prioritization means that DORA compliance investments can be made more intelligently, focusing on areas that genuinely need enhancement, rather than wasting resources on less critical functions.
- Efficiency Through Existing Processes: With a strong BC program in place, many of the processes DORA requires—such as incident reporting, system testing, and vendor risk management—are already operational. This allows financial institutions to leverage existing infrastructure to meet compliance standards, minimizing the need for new investments and reducing the overall cost of compliance.
DORA has emerged as a critical regulatory framework to ensure the operational resilience of financial entities across the EU, with a global impact on their critical ICT service providers. Organizations that have invested in robust business continuity programs will find themselves in a much stronger position to meet DORA’s demands efficiently and cost-effectively.
The bottom line: a strong BC framework is not just a regulatory requirement; it is an intelligent investment in organizational resiliency that delivers value well beyond compliance, ensuring both operational stability and financial prudence.
Chris Duffy is the Chief Strategy & Delivery Officer at OpResONE, where he partners with clients to achieve resilience and compliance, focusing on Digital Operational Resilience Act (DORA) regulatory requirements. With expertise in business continuity, disaster recovery, operational and vendor risk, cybersecurity, and resiliency, Chris is an award-winning speaker and consultant known for his success in program development, governance, and driving compliance acceleration. His work consistently supports business continuity professionals while enhancing shareholder value.