“This is something that worries, above all, the smaller players who are struggling with how to solve it. Do they have to be staffed 24/7? The larger players who are used to tough regulations cope better,” says Rönn.

And even though the time to prepare for DORA is running out, not all technical regulations have been determined by the EU yet. They have been coming out in batches with the last one due in July. 

Questions remain

Much about DORA’s impact, scope, and details remain unclear. This week the Financial Supervisory Authority, which will become the supervisory authority, organized a forum for questions about what will apply going forward, but there are questions the authority still cannot answer. 

“There is so much that is not ready — that the Financial Supervisory Authority could not answer,” Rönn says, including “such things as, for example, how the reporting of incidents should be registered, whether there will be templates. Everyone must do the same and you have to wait to see what the methods will look like.” 

Tighter security is paramount

So what should CISOs whose organizations will be subject to DORA do while waiting for answers? 

“What everyone can do is think about what exactly is their golden egg, their critical assets and start from that. Identify which agreements support it and which suppliers you depend on,” Rönn says.