The Digital Operational Resilience Act (Regulation (EU) 2022/2554, "DORA") applies from today, Friday 17 January 2025. The regulation imposes detailed cyber-resilience requirements on financial-services entities operating in EU jurisdictions, covering ICT risk management, incident reporting, operational-resilience testing, third-party risk management, and information-sharing obligations. The financial-services customer-organisation in our portfolio has been on the DORA-readiness programme through 2024 and is in an attestable position. The actual operational regime begins now.

The substantive content. DORA's structure is, in operational shape, comparable to NIS2, specialised for the financial-services sector. The principal areas the customer-organisation programme work has addressed are: ICT risk management framework documentation (with substantive board-level governance integration), incident classification and reporting (including the major-incident reporting cadence to competent authorities), operational-resilience testing including threat-led penetration testing for entities meeting the relevant thresholds, third-party ICT risk management with detailed concentration-risk analysis and contractual-control specifications, and information-sharing arrangements with industry peers and regulatory authorities. The aggregate operational machinery is substantial, and the customer-organisation programme work over the past two years has produced an attestable posture against each of these areas.

The TLPT (threat-led penetration testing) requirement is the part of DORA that is operationally most novel. It requires the entities designated for it to conduct red-team-style threat-led penetration testing at least every three years, against realistic threat scenarios specific to the entity's operational profile. The customer-organisation TLPT programme has been a Hedgehog-internal pen-testing-team-extension project through 2024, and we completed the customer's first formal TLPT exercise in November and December 2024. The exercise produced findings that have been incorporated into the customer-organisation programme work; the next TLPT cycle is scheduled for 2026.

The wider regulatory environment. With the NIS2 transposition deadline passed (October 2024), DORA applicable (January 2025), the AI Act phasing in through 2025-2026 and the UK Cyber Resilience Act still progressing through the legislative process, the aggregate regulatory landscape in 2025 is comprehensive across the customer-portfolio operational scope. The customer-organisation programme work continues across multiple regulatory frameworks in parallel.

For the customer-portfolio briefings, the post-DORA-deadline operational regime is settled. The Q1 customer-portfolio strategic conversation will continue to develop the longer-arc regulatory-environment progression. The book that I have started outlining on regulatory-environment-as-customer-organisation-discipline is, in 2025, becoming the central writing project.

I will write more as the post-DORA enforcement environment develops through 2025.