
DORA Compliance and your Threat & Vulnerability Management (TVM) Programme. What you need to know


Intro


With DORA regulations fast approaching in January 2025, financial institutions need to ensure their Threat & Vulnerability Management (TVM) programmes are up to par. Failing to comply could result in significant disruptions, financial penalties, and reputational damage.


Having spent over 10 years in cybersecurity for government and financial services, I’ve seen firsthand how organisations struggle with TVM processes, and more and more we are seeing the challenge of aligning with emerging regulations. This two-part blog post series aims to simplify what DORA compliance entails from a TVM perspective, and offer actionable steps to fortify your vulnerability management programme over the coming weeks and months.


What is DORA?


The Digital Operational Resilience Act (DORA) is an EU regulation designed to enhance the digital resilience of financial institutions. It mandates that these organisations develop robust strategies to manage and mitigate ICT (Information and Communication Technology) risks. DORA sets out requirements for risk management, incident reporting, testing, third-party risk management, and information sharing. The regulation aims to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions, thereby maintaining operational continuity in the face of cyber threats.


Why Threat & Vulnerability Management Should Be Prioritised

A recent Google M-Trends report from 2024 shows the most common initial infection vector for a data breach was exploits (38%), followed by phishing (17%), prior compromise (15%), and stolen credentials (10%).


With exploited vulnerabilities causing more than twice as many breaches as phishing, an area that has received huge investment and attention over the years, the importance of having a robust Threat & Vulnerability Management (TVM) programme has never been higher.


What I’ve Learned from 10+ Years in Cybersecurity:

Working across government and financial sectors, I’ve seen organisations grappling with outdated vulnerability management approaches and misaligned priorities. Many businesses are still relying on CVSS scores without contextualising those vulnerabilities to their unique environments. What I’ve learned is that context is everything. Knowing whether a vulnerability has an active exploit, how it maps to your critical business functions, and whether it’s a priority based on your risk tolerance are all key factors in driving better decision-making.


The biggest TVM challenges that organisations face today are:


  • Lack of Visibility: Many organisations struggle with gaining a comprehensive view of vulnerabilities across all their assets, making it difficult to prioritise risks.

  • Inconsistent Policy Implementation: Policies often exist on paper but are not consistently applied in practice, leading to gaps in risk mitigation.

  • Regulatory Pressure: The evolving landscape of regulations like DORA, PCI-DSS, and ISO27001:2022 makes it challenging to keep TVM programmes fully aligned.

  • Resource Constraints: Overworked security teams may find it difficult to keep up with the sheer volume of critical vulnerabilities, especially if their processes are not automated.



DORA Compliance & TVM, Key Areas To Be Aware Of


  1. You’re required to establish, maintain, and review an ICT risk management framework that is comprehensive, well-documented, and updated on a regular basis


    What this means for you: As called out above, exploiting vulnerabilities is the most common initial access vector, therefore vulnerability management should be high on your ICT risk monitoring agenda.

  2. DORA emphasises that entities must “identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk.”


    What this means for you: A simple vulnerability scanner provides you with a list of known vulnerabilities, but translating this against your identified business functions and assets is a key part to understanding your risk profile and enabling effective decision making.


  3. “Financial entities shall ensure that their ICT security policies, information security, and related procedures, protocols, and tools as referred to in Article 9(2) of Regulation (EU) 2022/2554 are embedded in their ICT risk management framework.”


    What this means for you: Great, it’s time to dust off the information security policies and make sure your risk management framework aligns with them. The vulnerability management policy is one that teams commonly struggle to comply with because its restrictions and requirements are unrealistic; I’ll go into more detail on this later.


  4. “Financial entities shall develop, document, and implement ICT risk management policies and procedures that shall contain…” “…an indication of the approval of the risk tolerance level for ICT risk established in accordance with Article 6(8), point (b), of Regulation (EU) 2022/2554;”


    What this means for you: If your risk tolerance is that you must fix all vulnerabilities classified with a CVSS score above 7 (High or Critical), you’re likely breaching your tolerance levels on a regular basis.


  5. “A procedure and a methodology to conduct the ICT risk assessment, identifying:

    (i) vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions; (ii) the quantitative or qualitative indicators to measure the impact and likelihood of the vulnerabilities and threats referred to in point (i);”

    What this means for you: Risk management within the vulnerability management programme will be crucial to fully understanding the vulnerabilities and threats described above. New metrics above the traditional approach to Threat & Vulnerability Management are a must.


  6. The Vulnerability and patch management section of the risk management framework is a welcome read, especially the requirement for the patch management procedure to “set deadlines for the installation of software and hardware patches and updates and escalation procedures in case those deadlines cannot be met.”

    What this means for you: This will reframe how the industry thinks about SLAs within the Threat & Vulnerability Management programme.


  7. Threat-Led Penetration Testing is a core component of DORA.

    What this means for you: If you are using internal testers, you must use external Threat Intelligence providers to assess your risks and develop the testing plan.

 

While this is just a sample of the different areas of the DORA regulation, it demonstrates the critical importance of vulnerability management in the overall ICT risk management framework.
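As an added illustration of the contextual prioritisation described under “What I’ve Learned” and the deadline-and-escalation requirement in item 6 (example code, not from the original post), the following Python script tiers findings by exploit status and business-function criticality rather than CVSS alone, derives a patch deadline per tier, and lists overdue items for escalation. The tier rules, SLA windows, asset names and sample findings are all assumptions made up for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows (days) per priority tier; a real policy sets its own.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}


@dataclass
class Finding:
    cve: str                  # placeholder identifiers below, not real CVEs
    cvss: float
    asset: str
    business_function: str    # taken from the DORA asset/function inventory
    function_critical: bool   # does the function matter to operational continuity?
    exploited: bool           # active exploitation known (e.g. from a KEV-style feed)
    internet_facing: bool
    found: date


def priority(f: Finding) -> str:
    """Tier a finding by context; raw CVSS only decides on critical functions."""
    if f.exploited and (f.function_critical or f.internet_facing):
        return "P1"
    if f.exploited or (f.cvss >= 7.0 and f.function_critical):
        return "P2"
    return "P3"


def deadline(f: Finding) -> date:
    """Patch deadline derived from the tier, as the DORA procedure requires."""
    return f.found + timedelta(days=SLA_DAYS[priority(f)])


def escalations(findings, today: date) -> list:
    """Findings past their deadline, most urgent first: the escalation list."""
    overdue = [f for f in findings if deadline(f) < today]
    return sorted(overdue, key=lambda f: (priority(f), deadline(f)))


# Constructed sample findings from one scan date, with placeholder CVE ids.
SAMPLE = [
    Finding("CVE-EXAMPLE-1", 9.8, "bastion-01", "Customer payments", True, True, True, date(2025, 1, 1)),
    Finding("CVE-EXAMPLE-2", 7.5, "dev-build-03", "Internal tooling", False, False, False, date(2025, 1, 1)),
    Finding("CVE-EXAMPLE-3", 5.3, "ledger-db-01", "Customer payments", True, True, False, date(2025, 1, 1)),
    Finding("CVE-EXAMPLE-4", 8.1, "ledger-app-02", "Customer payments", True, False, False, date(2025, 1, 10)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.cve, f.asset, priority(f), deadline(f))
    print("overdue on 2025-02-09:", [f.cve for f in escalations(SAMPLE, date(2025, 2, 9))])
```

Note that the CVSS 7.5 finding on non-critical internal tooling lands in the lowest tier while the CVSS 5.3 exploited finding on the payments ledger is top priority, which is the point of contextualising scanner output against the business-function inventory.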



Closing


In the next post, we’ll dive deeper into practical tips to help you get your Threat & Vulnerability Management programme ready for DORA compliance. From updating policies to automating your vulnerability assessments, we’ll cover actionable steps that will make a significant difference to your organisation's security posture.


Stay tuned for Part 2: Tips to Get Ready for January 2025, where I will offer key insights into how you can strengthen your processes and ensure compliance with DORA.
