SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

Why You Need a Third-Party Assessment for DORA Compliance

Cybersecurity Assessments

As cyber threats continue to grow more complex and difficult to defend against, regulatory cybersecurity requirements are becoming increasingly stringent—the Digital Operational Resilience Act (DORA) is the latest, and it demands your attention. The law comes into full effect in just a few short months—January 2025—and an independent assessment could help ensure you achieve full compliance in time.

That’s because DORA isn’t just a regulatory checkbox; it’s a safeguard for your business's reputation, client trust, and financial stability. And here’s where the fear factor kicks in—getting it wrong could cost you dearly, both in terms of financial penalties and long-term business viability. So, while DORA doesn’t require a third-party evaluation, it may help you rest a little easier to get that outside perspective.

As cybersecurity experts who stay on top of all the latest developments and their effects on organizations around the globe—and as one of your assessor options—we're going to detail why. In this article, we’ll provide a basic overview of DORA before getting into how you can prepare for compliance and why an independent assessment would help tremendously in your endeavors.

What is the EU’s DORA?

 

Formally known as Regulation (EU) 2022/2554, DORA is meant to address a crucial gap in EU financial regulation. Before, financial institutions primarily managed operational risks through capital allocation, leaving the full spectrum of their operational resilience somewhat unaddressed. Obviously, that's left these institutions vulnerable, as these unaddressed weaknesses in Information and Communication Technology (ICT) systems could jeopardize the entire financial system.

But now, DORA mandates that financial institutions develop and maintain the necessary capabilities to ensure your digital operations withstand disruption without crumbling under pressure. To do that, your organization must follow the regulation’s stringent guidelines, which are structured around five key pillars:

DORA Pillar

Requirements

1

ICT Risk Management

You must establish a robust framework that includes policies, procedures, and regular assessments.

2

ICT-Related Incident Response and Reporting

You must standardize the process for reporting major ICT incidents with stringent timelines.

3

Digital Operational Resilience Testing

You must conduct the mandatory, regular testing of ICT systems, including threat-led penetration testing (TLPT).

4

ICT Third-Party Risk

You must impose strict(er) controls and oversight of third-party ICT service providers.

5

Information Sharing

You must implement secure mechanisms for sharing information on cyber threats and vulnerabilities.

 

4 Initial Steps to Prepare for DORA

 

There's a lot to do to prepare, and with DORA coming into full effect by January 17, 2025, there’s not a lot of time to do it, so here are four things you can do to jumpstart your compliance with this new law:

1. Map out your ICT risk management framework to ensure that it’s comprehensive and aligns with DORA.

2. Review your incident response process and verify that your systems can handle the rapid reporting timelines DORA mandates.

3. Develop or update your testing plan to confirm that the cadence and thoroughness are up to DORA standards.

4. Conduct a gap assessment to identify where your current practices fall short of DORA’s requirements.

4 Reasons to Invest in an Independent DORA Assessment

 

That last item—a gap assessment—will be key since knowing where you currently stand as you begin additional implementations will orient your internal team regarding what areas need attention.

Of course, given how complex and unforgiving it is, becoming DORA compliant will undoubtedly challenge your personnel conducting the assessment, and you also run the risk that the folks working in your operational environment every day may be too close to spot every potential gap or conflict of interest.

That worry is why a third-party assessment may be the better, safer tack, and here are four more reasons why you should consider leveraging an independent assessor for your DORA compliance:

1. Objective and More Comprehensive Evaluation

Unlike your staff who are already very familiar with your ICT systems, an external party would bring a fresh, unbiased perspective, enabling them to spot risks that might otherwise go unnoticed—they also wouldn’t be subject to any subtle internal pressures that may cause an employee to overlook an issue.

Not only that, but an external assessment will conclude with the delivery of a detailed report that contains actionable insights, helping your organization to address specific areas of concern and strengthen your overall digital resilience.

2. Expert and Specialized Knowledge

The challenges of DORA are real—from managing third-party risks to meeting the stringent incident reporting requirements—but investing in the expertise of a seasoned cybersecurity assessor would help your organization overcome them.

While you’ve been primarily focused on your business, assessors have been immersed in the minutiae of regulatory compliance, including DORA’s specific requirements, so they will not only help you implement the best practices for your organization, but they'll help streamline the process of doing so, thanks to their technical experience.

A comprehensive DORA assessment requires not just insight into the regulation itself, but also a deep understanding of your specific operational risks, vulnerabilities, and the resilience measures needed to mitigate them—an external assessor can offer you all of that.

3. Enhanced Credibility and Trust

As with any compliance initiative, validation from an independent third party goes a much longer way with stakeholders than a self-evaluation. So, while DORA does not require such, inviting an external assessor to perform your gap assessment will demonstrate to your customers and partners that you don’t just take DORA compliance seriously, but that your organization is committed to maintaining the highest standards of digital operational resilience.

Additionally, if you were to face any future regulatory reviews, having engaged with subject matter experts for a prior assessment could be beneficial in addressing any related concerns.

4. Improved Efficiency and Resource Allocation

 

As we mentioned earlier, the complexities of DORA may strain your team, and the work necessary to achieve compliance—including performing a gap assessment—will certainly divert their focus from their other responsibilities.

However, by outsourcing your DORA gap assessment, you’ll spare your internal resources from the effort of conducting the assessment themselves and they can instead just focus on implementing necessary improvements recommended by the experts and return to their status quo—i.e., supporting your bottom line.

 

Moving Toward DORA Compliance with an External Gap Assessment

 

As financial institutions become more reliant on technological infrastructure, the cybersecurity stakes have never been higher. In recognition of that, DORA is not just another regulation; it’s a game-changer, one that could determine the survival of your business in an increasingly volatile digital world.

As the compliance deadline steadily approaches, making it will demand a level of expertise and an objective perspective that really can only be provided by a seasoned third party, and engaging one to conduct your DORA assessment could be the difference between confidently navigating this new regulatory landscape or finding yourself in the headlines for all the wrong reasons.

At Schellman, we’re ready to help you meet DORA head-on. With our deep expertise in regulatory compliance and operational resilience, we’ll ensure that your business identifies all gaps and fortifies itself against the uncertainties of the digital world.

To learn more about what a partnership between our two organizations would look like, contact us today to speak with our team of specialists.

About AVANI DESAI

Avani Desai is the CEO at Schellman. Avani has more than 15 years of experience in IT attestation, risk management, compliance and privacy. Avani’s primary focus is on emerging healthcare issues and privacy concerns for organizations. Named as one of the 2017 Global Leaders in Consulting by Consulting Magazine she has also been featured and published in the ISSA Journal, ITSP Magazine, ISACA Journal, Information Security Buzz, Healthcare Tech Outlook, and many more. Avani also sits on the board of Catalist, a not for profit that empowers women by supporting the creation, development and expansion of collective giving through informed grantmaking. In addition, she is co-chair of 100 Women Strong, a female only venture philanthropic fund to solve problems related to women and children in the community.