Mastering DORA: Practical strategies to ensure operational resilience in the financial sector
The Digital Operational Resilience Act (DORA), which has applied across the EU since 17 January 2025, represents a significant challenge for many organizations in the financial and insurance sectors. This European regulation demands a rigorous commitment from each organization to managing technological risk, maintaining operational continuity and recovering effectively from ICT-related incidents.

I recently participated in the Cybersecurity Bank & Finance 2025 (CBIF) event alongside Amanda Bertucci from Commvault. I shared practical experiences and recommendations from Govertis, part of Telefónica Tech, on how to effectively implement the requirements of this new regulation.

What does DORA concretely imply?

DORA requires financial entities to be more mature in their preparation for, and response to, technological incidents, focusing in particular on five fundamental pillars:

- ICT risk management: implement a robust framework to identify, evaluate and mitigate the technological risks that could affect business operations.
- ICT-related incident management and reporting: have clear, tested procedures to detect incidents quickly, classify them, notify the competent authorities within the required deadlines (initial notification, intermediate report and final report for major incidents), and respond swiftly to minimize impact.
- Digital operational resilience testing: conduct periodic tests of continuity and recovery plans that demonstrate their real effectiveness in critical scenarios, not merely their existence on paper.
- ICT third-party risk management: closely monitor critical suppliers and ensure they adequately manage the technological risks that could impact the entity's operations.
- Information-sharing arrangements: actively promote collaboration between entities to share relevant threat information, thereby strengthening the sector's overall capability to respond to cyber incidents.
Practical application of DORA to real clients

At Govertis, we have worked closely with various financial and insurance organizations facing these challenges. During the CBIF event, we highlighted some key experiences:

- Periodic testing in isolated environments: one of the most frequent demands is the generation of auditable, reliable evidence of real recovery capability, rather than a self-declaration that a plan exists. In this context, we described how solutions such as Commvault's Cleanroom Recovery allow recovery to be rehearsed in an isolated environment, producing evidence that can be presented to auditors and supervisors in support of DORA's testing requirements.
- Generation and management of auditable evidence: another critical aspect is effective incident management. In our experience, it is essential to have integrated SIEM and SOAR platforms that enable early detection and automatically collect the evidence (timeline, affected systems, actions taken) needed to meet the notification deadlines imposed by the competent authorities.
- Active and continuous protection of critical assets: most of our clients emphasize the need to actively protect key systems such as Active Directory, which is both a prime target and a prerequisite for recovering everything else. During the session, we shared real examples of how continuous monitoring and specialized solutions can significantly reduce the operational risk associated with common threats such as ransomware.
- Active monitoring and early alerts in third-party risk management: finally, we highlighted how client organizations have significantly improved their technological risk management through continuous monitoring of their critical suppliers. Early alerts and pre-agreed response plans have proven essential to minimize the negative impact of incidents originating at third parties.
The importance of a comprehensive, realistic and proactive approach

At Govertis, part of Telefónica Tech, we firmly believe in a comprehensive approach that combines clear, defined processes, practical experience and advanced technological solutions. Effective DORA implementation requires understanding the specific operational needs of each organization, and delivering solutions that both ensure regulatory compliance and produce tangible improvements in operational resilience against future technological incidents.
March 27, 2025