As the EU’s Digital Operational Resilience Act (DORA) moves toward full enforcement, financial institutions must act now to build resilience across their digital infrastructure. From third-party risk to real-time monitoring, the regulation sets out stringent requirements that go far beyond traditional compliance frameworks.
In this Q&A, Martin Greenfield, CEO at Quod Orbis, breaks down what DORA means for finance and risk teams, how Continuous Controls Monitoring (CCM) supports compliance, and the practical steps CFOs can take today to prepare for the supervisory phase in 2028.
What is DORA, and why is it critical for financial organisations to understand and comply with its requirements?
DORA, the Digital Operational Resilience Act, is a comprehensive EU regulation designed to bolster the resilience of the financial sector against digital disruptions. Critically, DORA mandates that financial institutions and related entities implement robust measures to prevent, manage and recover from ICT-related incidents.
The digital revolution has irrevocably transformed the financial landscape since the 2008 crisis. DORA acknowledges the financial industry’s existing rigour but places a spotlight on the underlying technology infrastructure and the importance of compliance across third-party networks. The regulation goes beyond ISO 27001, especially for financial entities within the EU, building on it with more specific and stringent requirements. If businesses have ISO 27001, they are certainly partway there, but they still have work to do on the risk-management part. By ensuring operational resilience, the regulation aims to safeguard the stability of the entire financial ecosystem.
How does Continuous Controls Monitoring (CCM) help banks and financial firms meet DORA’s operational resilience standards?
DORA places huge emphasis on the need to continuously monitor business systems in order to maintain a clear understanding of gaps that need to be addressed. Continuous Controls Monitoring is the orchestration layer that pulls every tool together into a single source of truth, monitoring an organisation’s entire ecosystem.
Automated, continuous monitoring minimises the human errors that can occur in periodic manual assessments. This leads to more accurate and reliable data, ensuring that the organisation’s controls are functioning as intended at all times. It also reduces the need for manual checks and audits, freeing up resources and allowing employees to focus on higher-value tasks. CCM allows teams to directly monitor their DORA controls in real time and delivers instant alerts of any non-compliance. The platform arms businesses with evidence for DORA compliance as it regularly tests controls for audit readiness. Continuous monitoring allows for the early detection of potential issues, enabling a proactive approach to resolving them before they escalate into significant problems.
What are the most common gaps you see in financial institutions’ existing controls when preparing for DORA and related regulations?
Something that many businesses may not realise is that the five pillars of DORA are weighted differently in terms of effort, and there’s a risk that some will fall short in critical areas. Third-party risk is the prime example, followed closely by reporting requirements.
DORA mandates the rigorous management of third-party risks to ensure the digital resilience of financial institutions. While financial entities may believe they fully understand their operational resilience and have a good idea of how long they can survive if something goes wrong, today’s environment demands a deeper understanding of how third-party risks impact operational resilience.
From a reporting standpoint, financial entities must establish robust processes to detect, manage and report significant ICT-related incidents to the relevant authorities. This transparency ensures that swift action can be taken to mitigate risks. By exchanging information on attack types and remediation strategies, financial institutions can collectively strengthen their defences. While local competent authorities must be notified of any breaches, reporting and sharing best practices is crucial for ensuring that financial institutions are committed to incident reporting and collaborative efforts.
How can finance professionals collaborate effectively with IT and security teams to translate DORA requirements into actionable controls?
Effective DORA implementation relies heavily on efficient stakeholder management across all levels and relevant departments. DORA’s multifaceted nature necessitates forming a dedicated taskforce composed of key representatives across the organisation, whose sole focus is achieving compliance. This group should operate separately from core business activities to maintain objectivity. The selection of appropriate personnel, whether internal or external, requires careful consideration of roles and responsibilities. While some organisations may have existing structures in place, similar to regulatory compliance committees, dedicated attention and commitment to DORA is vital.
Open and consistent communication regarding DORA’s stipulations and the potential consequences of non-adherence is paramount to keeping stakeholders informed and fostering a culture of mutual accountability and continuous improvement. DORA emphasises ongoing monitoring, testing and learning from incidents. Finance professionals can support this by advocating for resources dedicated to continuous improvement initiatives. Stakeholder engagement also extends to third-party service providers, ensuring they meet the same resilience standards and are integrated into the organisation’s compliance framework.
What role does real-time monitoring play in demonstrating compliance to regulators under DORA?
Tools like CCM provide continuous visibility into the state of controls and compliance. As organisations grow, their risk and compliance needs become more complex. CCM scales more effectively than periodic manual monitoring, ensuring that controls remain robust across larger and more distributed environments and making it easier for teams to demonstrate compliance to regulators.
Specifically, CCM gives businesses:
- Continuous alignment to DORA for efficient reporting and assurance of regulatory compliance.
- Enhanced risk management with real-time monitoring for proactive risk identification.
- Increased operational resilience through instant alerts of non-compliance with DORA.
- Enhanced data integrity and security through continuous threat detection and adherence to DORA standards.
- Real-time visibility of DORA compliance status.
- Evidence for DORA audit by continuously testing controls for audit readiness.
- Assurance of DORA compliance through automated checks.
- Tailored dashboards that are aligned to DORA’s reporting and documentation requirements.
- Reduced manual data input in GRC tools and an automated attestation process from CCM to GRC, so that issues can be responded to in real time.
How should organisations balance the need for robust security controls with the agility required for innovation and digital transformation?
At the very least, businesses must integrate security proactively, rather than as an afterthought. Firms should embed a ‘security by design’ culture into every stage of innovation, making the most of intelligent, automated tools like CCM to maintain a state of continuous monitoring and to catch issues early. This risk-based approach is essential, prioritising controls based on impact and ensuring that resources and attention are placed on the most critical areas.
Aside from DORA, which other emerging regulations should financial services firms be prioritising, and how do their requirements overlap?
NIS2 (Network and Information Systems Directive 2) is a big focus for businesses at the moment. It significantly expands the scope of its predecessor, covering a wider array of important entities across various critical sectors, including financial market infrastructures, credit institutions and insurance and reinsurance undertakings.
Another regulation businesses need to be mindful of is the Cyber Resilience Act (CRA), which regulates the security of products with digital elements (both hardware and software) throughout their lifecycle, before they are placed on the EU market. This includes products that financial services firms might develop or use, such as mobile banking apps, APIs, and other digital solutions.
DORA, NIS2 and CRA have distinct focuses, but there are clear overlaps, particularly in the areas of risk management, incident response, supply chain security and governance. Financial services firms that implement a robust framework for one regulation will often find themselves partially compliant with others.
What metrics or key performance indicators (KPIs) can finance leaders track to ensure ongoing compliance and risk reduction?
- Control effectiveness rate – Track the percentage of cyber security, operational and financial controls operating as intended.
- Time taken to detect and respond to incidents – How quickly threats are identified and remediated. DORA/NIS2 relevance: ensures robust incident detection and reporting per regulatory requirements.
- Third-party risk exposure – Measure the percentage of vendors assessed or overdue on risk reviews.
- Compliance coverage score – Percentage of applicable regulatory controls monitored.
- Risk register closure rate – Ratio of risks mitigated vs. newly identified ones.
For board and C-suite reporting:
- Compliance Readiness Score (% aligned with DORA/NIS2)
- Operational Resilience Index
- Third-Party Risk Index
- Cyber Risk Heatmap (top 10 threats and their financial exposure)
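The interview describes CCM as a layer that tests controls continuously, raises alerts on non-compliance and feeds the KPIs listed above (control effectiveness rate, compliance coverage score, third-party risk exposure). As an added illustration of how those ideas translate into code, the following Python script is an editor's example, not Quod Orbis software or anything from the regulation's text. The control IDs, pillar names, evidence windows, vendor names and the 365-day review interval are all constructed assumptions. The one design point worth noting is that a control whose most recent "pass" is older than its evidence window is reported as STALE rather than as passing, so that stale evidence cannot inflate the effectiveness rate.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed clock so the run is deterministic (assumption for this illustration).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Control:
    control_id: str
    pillar: str                  # assumed mapping of the control to a DORA pillar
    max_evidence_age: timedelta  # evidence older than this no longer proves the control works


@dataclass(frozen=True)
class Evidence:
    control_id: str
    collected_at: datetime
    passed: bool


@dataclass(frozen=True)
class Vendor:
    name: str
    last_risk_review: Optional[datetime]  # None = never assessed


# Constructed control catalogue (hypothetical IDs, not taken from DORA).
CONTROLS = [
    Control("ICT-RM-01", "ICT risk management", timedelta(days=1)),  # daily backup job succeeded
    Control("ICT-IR-02", "Incident reporting", timedelta(days=7)),   # weekly test of the reporting workflow
    Control("TPR-03", "Third-party risk", timedelta(days=30)),       # monthly vendor register reconciliation
    Control("TST-04", "Resilience testing", timedelta(days=90)),     # quarterly recovery test
]

# Constructed evidence feed, of the kind a CCM platform would pull from tooling.
EVIDENCE = [
    Evidence("ICT-RM-01", NOW - timedelta(hours=20), True),
    Evidence("ICT-RM-01", NOW - timedelta(days=2), False),  # older failure, superseded by the newer pass
    Evidence("ICT-IR-02", NOW - timedelta(days=3), False),
    Evidence("TPR-03", NOW - timedelta(days=45), True),     # passed, but outside its 30-day window
    # TST-04 has no evidence at all: it is not actually being monitored
]

# Constructed vendor register.
VENDORS = [
    Vendor("CloudHostCo", NOW - timedelta(days=100)),
    Vendor("PaymentsGateway", NOW - timedelta(days=400)),
    Vendor("DataFeedLtd", None),
]


def evaluate(controls, evidence, now=NOW):
    """Return {control_id: status}. Only the most recent evidence per control counts,
    and a result older than the control's evidence window is reported as STALE."""
    latest = {}
    for ev in evidence:
        if ev.control_id not in latest or ev.collected_at > latest[ev.control_id].collected_at:
            latest[ev.control_id] = ev
    statuses = {}
    for c in controls:
        ev = latest.get(c.control_id)
        if ev is None:
            statuses[c.control_id] = "NO_EVIDENCE"
        elif now - ev.collected_at > c.max_evidence_age:
            statuses[c.control_id] = "STALE"
        else:
            statuses[c.control_id] = "PASS" if ev.passed else "FAIL"
    return statuses


def control_effectiveness_rate(statuses):
    """Percentage of monitored controls (those with any evidence) that currently pass."""
    monitored = [s for s in statuses.values() if s != "NO_EVIDENCE"]
    return 100.0 * sum(s == "PASS" for s in monitored) / len(monitored) if monitored else 0.0


def compliance_coverage(statuses):
    """Percentage of applicable controls that are monitored at all."""
    return 100.0 * sum(s != "NO_EVIDENCE" for s in statuses.values()) / len(statuses)


def vendor_overdue_rate(vendors, now=NOW, review_interval=timedelta(days=365)):
    """Percentage of vendors never assessed or overdue on their risk review."""
    overdue = [v for v in vendors
               if v.last_risk_review is None or now - v.last_risk_review > review_interval]
    return 100.0 * len(overdue) / len(vendors)


def alerts(statuses):
    """Controls that should raise an alert: anything that is not a fresh pass."""
    return sorted(cid for cid, s in statuses.items() if s != "PASS")


if __name__ == "__main__":
    st = evaluate(CONTROLS, EVIDENCE)
    for cid, s in st.items():
        print(f"{cid:10} {s}")
    print(f"control effectiveness: {control_effectiveness_rate(st):.0f}%")
    print(f"compliance coverage:   {compliance_coverage(st):.0f}%")
    print(f"vendors overdue:       {vendor_overdue_rate(VENDORS):.0f}%")
    print("alerts:", alerts(st))
```

Run against the constructed data, the script reports one fresh pass, one failure, one stale control and one unmonitored control, which is exactly the distinction a board dashboard should preserve: a 75% coverage score alongside a 33% effectiveness rate tells a different story from a single "compliant" tick.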
How can CCM platforms like Quod Orbis integrate with existing GRC (governance, risk, and compliance) systems to streamline reporting and audit readiness?
Integrating GRC and CCM turns DORA compliance from a reactive process into a proactive one. The integration of this technology propels all regulatory compliance frameworks that need to be monitored. GRC with CCM is a game changer in any form of regulatory compliance, and with so much ambiguity around DORA, integrating these two technologies will ensure compliance with DORA is airtight, streamlined and continuous, with near real-time information that provides total assurance of compliance.
Automation within the integration of GRC and CCM provides assurance of the information you receive and significantly reduces the burden on control operators. You may think you have two technologies, but you won’t: it is a seamless integration that your business won’t even notice. It’s all about the information the two technologies combined can deliver: accelerated efficiency and assurance, effective risk management and a constant compliance status.
What practical steps can CFOs and their teams take today to build a culture of resilience and continuous compliance ahead of DORA’s full supervisory phase in 2028?
The three critical steps are:
#1 – Allocate a dedicated and sufficient budget for DORA compliance. This includes funding for a comprehensive gap analysis and investment in technology and expertise.
#2 – Establish robust financial oversight and reporting mechanisms to track compliance costs and effectiveness. This includes setting procedures to identify and classify ICT-related incidents.
#3 – Play a leading role in managing third-party risk. Review and update all contracts with third-party providers to include DORA-mandated clauses related to security, audit rights, and termination plans.
