As organizations embark on their journey to become Digital Operational Resilience Act (DORA) compliant, many find the initial stages of getting started and gaining buy-in to be the most challenging.
I had a chance to sit down with Pål Myren, CTO at ZTL Payments, who is currently leading his company through DORA implementation. As we shared on our blog previously, DORA is an EU regulation that harmonises how financial entities manage ICT and digital operational risk. It entered into force on 16 January 2023 and applies from 17 January 2025, after a two-year implementation period.
In my conversation with Pål, he shed light on becoming DORA compliant and what organizations can do to overcome the challenges.
Andy: Pål, could you tell us a little bit about yourself and your background?
Pål: I'm the CTO at a Norwegian B2B Paytech startup, regulated under the Norwegian FSA, hence our focus on DORA. Throughout my career, from being a software developer to holding multiple C-level positions, I've always been connected to compliance and regulatory attestations or certifications in some way.
Andy: When did you first hear about DORA, and when did your organization start preparing for it?
Pål: I first heard about DORA two years ago from the Norwegian FSA. They presented some high-level information before any deadlines were really set. Given that the current ICT regulations in Norway are outdated, it was overdue and a good time to revisit them.
Andy: What was the first step you took as an organization to start the DORA implementation process?
Pål: The first step is to understand what DORA is about, read through the requirements, and identify similarities with other regulations or certifications. I took the five pillars stated in the framework and put them into a spreadsheet. Then, I mapped out what we already had in place, whether it was incident management, disaster recovery, or risk management procedures. It's important to note that you need buy-in from management, someone at the C-level who understands that this is paramount to your business.
DORA's five key pillars are:
- ICT risk management
- ICT-related incident management, classification and reporting
- Digital operational resilience testing
- Management of ICT third-party risk
- Information-sharing arrangements on cyber threats and vulnerabilities
Andy: How does DORA compare to other controls, mandates, or regulations you've experienced?
Pål: There are a lot of similarities, and much of it is common sense if you've been working in IT. The main focus areas I see from the regulators are cybersecurity, given the current geopolitical landscape, and vendor management, particularly conducting risk assessments of the companies or providers you do business with.
Andy: How did you manage and foster cross-collaboration among different departments during the DORA implementation?
Pål: Cross-collaboration is probably the biggest challenge in the DORA adoption process. The key is implementation - you can have the best quality systems or processes in place, but if they're not used, it doesn't matter. We focused on awareness and training. We arranged meetings with key stakeholders, such as department heads, C-levels, lawyers, and risk and compliance officers, to discuss the framework. We also conducted role-play exercises, like simulating a cybersecurity attack, to ensure everyone knew their responsibilities.
Andy: Any final advice for organizations just starting their DORA journey?
Pål: Focus on implementation and getting your stakeholders engaged. When you start talking about these challenges cross-departmentally, it not only addresses the regulatory and financial requirements but also changes culture. It removes polarization and breaks down barriers between divisions. Getting people to collaborate on incidents or disaster recovery emphasizes teamwork and takes down silos. That's one of the hidden benefits of implementing a framework like DORA.
My thanks to Pål: his insights highlight the importance of preparation, collaboration, and practical implementation when setting out to become DORA compliant. By focusing on awareness, training, and cross-departmental communication, organizations can not only achieve compliance but also gain the hidden benefits of improved culture and teamwork. As more companies navigate this path, sharing experiences and best practices will help the industry adapt to the new regulatory landscape.
Further information:
- What is the Digital Operational Resilience Act (DORA)?
- DORA in Atlassian Cloud: An Expert Approach to Compliance
- Your guide to meeting business continuity and resilience requirements in EU regulation