The Digital Operational Resilience Regulation (DORA) is a new EU regulation designed to improve operational resilience in the financial sector. From 2025, all financial institutions operating in the EU and their ICT providers will have to comply with this regulation. DORA is based on five fundamental pillars, which are key to ensuring the business continuity and security of critical systems such as Active Directory.

The 5 pillars of DORA compliance
1. ICT risk management:
Enterprises must have a documented framework for managing the risks to their critical assets. In the case of Active Directory, this requires full visibility of its configuration, change control and incident recovery plans.
2. Incident management:
DORA requires standardised classification and reporting of ICT-related incidents. Organisations must have clear procedures for identifying, classifying and responding to incidents in key systems such as Active Directory, an essential component of business continuity.
3. Digital operational stress tests:
Regular testing should be carried out to assess responsiveness to failures or cyber-attacks. For Active Directory, it is vital to have a test environment that allows scenarios to be simulated without putting the operational infrastructure at risk.
4. Third-party risk management:
Organisations must ensure that external providers comply with security standards and provide support in the event of an incident. DORA places particular emphasis on the access that external providers or partners have through Active Directory, which adds complexity to managing and controlling that access.
5. Exchange of information:
The secure sharing of cyber threat information is crucial. DORA encourages financial institutions to collaborate and share incident and threat information to improve the resilience of the industry as a whole.

Ensuring compliance with these pillars for systems such as Active Directory is key to security and business continuity in financial organisations.