The most common myths related to the implementation of the DORA Regulation

Modestas Sadauskas

The DORA (Digital Operational Resilience Act) Regulation, Regulation (EU) 2022/2554, applies to financial entities across the EU and is particularly important for the Lithuanian financial sector in terms of strengthening the digital resilience of organisations. The Regulation sets out requirements for organisations to ensure that they can withstand, respond to, and recover from ICT-related disruptions and threats. These requirements cover ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, and management of the risk arising from ICT third-party service providers.

When helping companies implement the DORA Regulation, we often encounter various myths, so Modestas Sadauskas, Cybersecurity Advisory Team Lead at NRD Cyber Security, dispels them and advises on what the regulation actually requires.

1. Myth: The DORA Regulation is only about cybersecurity.

Reality: The DORA Regulation is much broader. It covers organisational structures and governance, ICT risk management, incident classification and reporting, control of ICT third-party providers, resilience testing, and ICT business continuity and recovery.

2. Myth: Only the IT or information security team needs to worry about DORA compliance.

Reality: Effective implementation of DORA requires the involvement of the entire organisation. IT, risk, legal, human resources, procurement, and business development departments work together, and the management body bears ultimate responsibility for the ICT risk management framework, its strategy, and the decisions taken under it. This is a matter of organisational maturity, not just technical competence.

3. Myth: If an organisation has ISO 27001 certification, it automatically complies with DORA.

Reality: ISO 27001 is a solid foundation, but DORA imposes specific, additional requirements that an ISO 27001 certificate does not cover. These include scenario-based digital operational resilience testing (up to threat-led penetration testing for the entities required to perform it), comprehensive management of ICT third-party risk, a detailed register of ICT services, assets and contractual arrangements, and classification of incidents according to the criteria and thresholds set by DORA and its technical standards.

4. Myth: Once the documentation has been sorted out, DORA compliance has been achieved.

Reality: DORA compliance is an ongoing process. Organisations must maintain a living ICT risk management cycle: testing controls, assessing threat scenarios, regularly updating processes, and integrating lessons learned from incidents.

5. Myth: Incident classification according to DORA is limited to identifying major incidents and reporting them to the regulatory authority.

Reality: An organisation must have a comprehensive incident classification system that meets its operational needs and ensures that incidents that are major under DORA are accurately identified and reported within the required deadlines. Classification is not limited to the reporting decision: every ICT-related incident should be assessed against DORA's criteria, such as the number and relevance of clients or counterparts affected, duration, geographic spread, data losses, criticality of the affected services, and economic impact, so that incidents below the major threshold are still recorded, analysed, and fed back into the risk management cycle.

6. Myth: If an ICT service provider is reliable, well-known, or certified, there is no need to assess the risks.

Reality: DORA clearly stipulates that every ICT third-party service provider must be assessed according to established criteria, from the criticality of the function it supports, through contractual obligations (including audit rights and exit arrangements), to ongoing monitoring throughout the life of the contract. Providers supporting critical or important functions are subject to stricter due diligence and contractual requirements. Reputation or certificates do not guarantee compliance with DORA, so risk management must be systematic, documented, and reflected in the register of information.
