What Is DORA? DORA Training for Compliance
Jan 20
The goal of the Digital Operational Resilience Act (DORA), enacted by the European Union and applicable from 17 January 2025, is to enhance cyber resilience across the financial sector.
The legislation aims to ensure that institutions can withstand, respond to, and recover from Information and Communication Technology (ICT) related risks and disruptions. Financial institutions are now required to follow stringent guidelines for safeguarding against these incidents, including measures for protection, detection, containment, recovery, and repair.
What Does DORA Cover?
There are five key pillars of DORA:
- ICT risk management – policies and requirements defining an ICT risk management framework.
- Third-party risk management – assessing and monitoring of third-party service providers.
- Incident reporting – systems must be in place to report incidents in real time (including major incidents) to the relevant authorities.
- Operational resilience testing – testing of resilience, including critical systems and applications, to ICT-related incidents, and business continuity.
- Intelligence sharing – sharing of information, encouraging collaboration between financial institutions, and exchange of threat intelligence.
Who Does DORA Apply To?
DORA applies to financial entities, such as banks, pension funds, insurers and credit agencies, and any ICT service provider outside of the financial sector if they supply critical ICT-related services to regulated entities. Additionally, it applies to organizations outside of the EU if they have subsidiaries or do business within Europe.
Cybersecurity Human Risk Management and DORA
With human risk being one of the biggest contributors to cyber incidents, DORA introduces several implications for cybersecurity human risk management, requiring financial entities to adopt proactive strategies to mitigate threats posed by human error, negligence, or insider threats. The regulation covers education, risk assessment, governance, monitoring, and reporting.
How Can OutThink’s Cybersecurity Human Risk Management Platform Help?
OutThink’s AI-powered Cybersecurity Human Risk Management platform combines the best of adaptive security awareness training and adaptive security to prevent human-initiated security incidents. Through analysis of a combination of data points such as user inputs and attitudes together with attack and threat intel, security behaviors, and access and permissions, the platform supports financial organizations in proactively addressing human cyber risk. It also ensures compliance with DORA and reduces the likelihood of financial penalties and reputational damage.
Specifically, OutThink provides:
- Training for CXOs, HR, IT Admins, Developers and Legal to understand DORA and its impact on daily operations.
- Personalized cybersecurity training based on risk profiles and job roles.
- Cybersecurity human risk identification and assessment: behavioral risk insights to identify, measure and mitigate human risk effectively.
- Human sensor insights as to physical and environmental security.
- Continuous monitoring and reporting to ensure resilience against human-related cyber threats and compliance with DORA's requirements.
DORA Training For All Employees
OutThink has DORA training modules which cover its impact on daily operations and how to ensure compliance. General awareness modules exist for all staff, with additional content specifically targeted at CXOs, HR, Legal, Developers and IT Admins to enable them to understand the essentials for their role. A sample of this training can be found here.
Adaptive Cybersecurity Awareness Training for DORA Compliance
DORA mandates that all organizations must provide “relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff.”
OutThink's human risk management platform can provide personalized, adaptive security awareness training and phishing simulations based on behavioral risk insights to align with DORA’s continuous improvement requirement. The training is proven to drive engagement and increased knowledge amongst employees when targeting content specifically to a user based on their role, responsibilities, behaviors and sentiments towards cybersecurity. As an example, targeted training can be provided for senior executives which enables them to understand the unique cyber threats associated with their high-risk profile roles.
Customization and Personalization of DORA Training
Additionally, OutThink’s adaptive security awareness training can be customized to each organization’s bespoke cybersecurity policies, enabling them to meet the DORA requirement that all staff “be informed about, and adhere to, the financial entity’s ICT security policies, procedures, and protocols” and “be aware of the reporting channels put in place by the financial entity for the detection of anomalous behavior.”
OutThink’s CyberIQ product enables employees to self-determine their own cyber resilience, and build an understanding of how their digital interactions, assessed against 13 behaviors such as secure web browsing and use of a password manager, contribute to or detract from the overall cyber resilience of the organization.
Cybersecurity Human Risk Identification and Assessment
Within Article 3, DORA mandates organizations have “a procedure and a methodology to conduct the ICT risk assessment, identifying vulnerabilities and threats that affect or may affect the supported business functions, the ICT systems and ICT assets supporting those functions”. To be comprehensive, these ICT risk assessments must include the human element, identifying employees who represent a vulnerability to operational resilience.
OutThink provides a data-driven approach to understanding the human risk portraits that exist within an organization and enables security teams to assess which employees are the most susceptible to cyber risk based on their knowledge, behaviors, and sentiments towards cybersecurity. This information is combined with environmental factors such as their role, department and whether, for example, the user has privileged access, to determine whether the risk level increases as a result.
Risk assessments are elevated by combining people, process and technology – data can be fed into Governance, Risk and Compliance platforms via OutThink APIs, taking GRC assessments to the next level.
Human Risk Insights Into Physical and Environmental Security
DORA mandates that organizations take steps to ensure their physical and environmental security, with “measures to preserve the availability, authenticity, integrity, and confidentiality of the data, including a clear desk policy for papers.”
OutThink gathers insights and feedback from employees on the behaviors they see around them and how well their colleagues are complying with, for example, clear desk policies or wearing ID badges in offices. This enables security teams to identify pockets of risk across the organization, such as in offices where there are no facilities provided to lock away documents.
Continuous Monitoring and Reporting for Compliance With DORA
DORA imposes strict incident reporting obligations, requiring firms to document and analyze incidents – including those caused by human error or insider threats – and implement corrective actions. This would include:
- Tracking and documenting incidents caused by human actions (e.g., misconfigurations, credential leaks).
- Conducting root cause analysis to determine if employee awareness gaps contributed to incidents.
- Implementing mitigation strategies, such as targeted training or access restrictions.
- Establishing an incident response framework that includes human factors.
OutThink helps organizations analyze incident trends related to human errors and provides actionable insights to prevent recurring mistakes. Additionally, the adaptive security component of the platform enables organizations to utilize a set of powerful outbound actions to automate conditional access across identity platforms for users based on observed attitudes, behaviors, and real security events. CISOs can enforce actions such as frequent re-authentication, forced re-login and session management to protect their organization.
OutThink's compliance dashboards and APIs allow customers to feed data into wider board and leadership reports.
DORA Training and OutThink
In summary, OutThink's AI-powered cybersecurity human risk management platform provides:
- A data-driven approach to human risk, leveraging behavioral analytics.
- Tailored, targeted security awareness training to build a security-aware culture.
- Continuous assessment and monitoring of employees’ behaviors to detect potential threats early.
- Governance frameworks and reporting to embed human risk into overall resilience strategy.
By adopting OutThink, financial organizations can proactively address human cyber risks while ensuring compliance with DORA, reducing the likelihood of financial penalties and reputational damage.