Ensuring Operational Resilience with DORA: Requirements on Business Continuity Management

On 17 January 2025, the DORA Regulation entered into force, strengthening the requirements for operational resilience and how financial entities manage crisis preparedness and business continuity before, during, and after an incident or disruption to operations.

To ensure compliance with the new requirements, financial entities must identify and map critical and important functions, conduct business impact analyses (BIA), implement continuity strategies, and regularly test and refine their plans. These efforts should be embedded within the overall governance framework and continuously updated as operations evolve. A structured approach to continuity management linked to ICT is needed, alongside a holistic perspective that aligns with the organisation’s overall continuity planning. 

Below, we outline key practices and approaches to meet DORA’s business continuity management requirements and to help ensure your organisation can sustain operations during a disruption.

Identification and Mapping 

A foundational step in achieving operational resilience is the accurate identification and mapping of critical elements within the organisation. This enables firms to understand which business functions and supporting assets are essential for service delivery.

  • Process mapping 
  • Identification of critical and important functions
  • Identification of critical and important ICT assets and other resources

This phase forms the basis for risk assessments and continuity planning by providing a clear picture of the organisation’s operational anatomy. 

Analysis and Risk Assessment 

Building on the identification phase, financial entities must conduct a thorough analysis of potential impacts and risks to operations in the event of a disruption. This ensures that continuity strategies are proportionate and effective.

  • Business Impact Analysis (BIA) 
  • Risk assessments at function and resource level
  • Development of continuity measures and strategies 

These assessments inform the development of targeted and risk-based continuity strategies.

Improvement and Reporting 

Continuity management must be continuously refined and embedded into governance processes, and lessons learned from tests and exercises must be documented and acted upon.

  • Updates to response, recovery, and continuity plans based on test results
  • Training and engaging staff through regular exercises and drills 

Transparent reporting and documentation of these activities are essential for oversight and accountability.

Testing 

DORA requires financial entities to regularly test their continuity capabilities, both technically and organisationally. This ensures that plans are practical and that the organisation can respond effectively in real scenarios.

  • Development of test scenarios and execution of tests for all plans 
  • Reporting of test results to senior management and board of directors 

Testing fosters continuous improvement and provides assurance to internal and external stakeholders.

Ongoing Business Continuity Work 

Effective continuity management is a living process. Organisations must maintain alignment between business and ICT continuity while adapting to changes in the operational environment.

  • Integration of both business and IT perspectives in continuity planning
  • Coordination of ICT continuity measures with the organisation’s overarching continuity strategies
  • Ensuring that continuity plans are continuously updated to reflect changes in processes, resources, and ICT systems

This ongoing work is key to maintaining long-term resilience and regulatory compliance.

Conclusion

Ensuring compliance with DORA’s business continuity management requirements is not only about meeting regulatory expectations; it is about building true operational resilience. By adopting a structured, integrated approach to continuity management, organisations can better prepare for, respond to, and recover from disruptions, safeguarding both critical services and stakeholder trust.

We help you meet DORA’s requirements for continuous business continuity management:

Our experts can assist your organisation in implementing and improving continuity management practices that meet DORA’s standards. We provide both strategic and hands-on support, including:

  • Gap analysis against DORA’s continuity management requirements 
  • Evaluation of business processes and conducting process mapping 
  • Conducting Business Impact Analysis (BIA) 
  • Identifying risks and the need for continuity measures 
  • Developing continuity plans, recovery plans, and continuity strategies 
  • Ensuring continuity management meets all regulatory requirements and industry standards 
  • Evaluating and improving continuity plans based on new risk assessments and organisational changes 
  • Developing test material and conducting tests of continuity, response, and recovery plans
  • Establishing a structured approach that includes both business and IT perspectives in continuity planning 
  • Providing ongoing advice and support

Martin Ahlström

Senior Manager

Martin Persson

Senior Manager

Key terms

Continuity Management refers to the ability to maintain operations during a disruption at a sufficient level until normal processes are restored. 

Business Impact Analysis (BIA) is conducted through workshops to assess the criticality of business processes, the impact of disruptions, risk assessments, and the development of appropriate continuity measures.
