DORA
DORA (Digital Operational Resilience Act)
EU financial entities and their critical ICT third-party providers. Banks, insurers, investment firms, crypto-asset providers, and the technology vendors that serve them.
January 17, 2025 enforcement date passed; ongoing enforcement and ICT-vendor concentration analysis are creating waves of remediation work.
ICT risk management, incident classification and reporting, operational resilience testing (including threat-led penetration testing for significant entities), and third-party risk management.
Brings the CRO, head of operational resilience, and ICT third-party risk teams into the buying motion. Financial regulators are de-facto stakeholders.
A resilience and concentration-risk story, not a cyber-feature story. The buyer wants to demonstrate to the regulator that ICT failure cannot cascade across the system.