Understanding DORA Compliance with Versa 

By Dhiraj Sehgal
Senior Director, Product Marketing
September 16, 2025

What is DORA (Digital Operational Resilience Act)?

DORA compliance is now mandatory from January 17, 2025 and applies to a wide range of entities operating in the EU financial sector. These entities include banks, insurance companies, investment firms, and other financial market participants. DORA also applies to ICT third-party service providers that deliver critical technology or operational services to these entities, such as major cloud infrastructure providers and data centers. In essence, any organization whose operations or services are essential to the continuity, security, or resilience of EU financial institutions can fall within DORA’s scope. 

The Five Pillars of DORA and Oversight

DORA establishes a comprehensive framework structured around five pillars: 

  1. ICT Risk Management
    Financial entities must establish a comprehensive ICT risk management framework. The framework must include clear strategies for prevention, detection, incident response, recovery, and business continuity planning. As part of this framework, organizations must also detail key dependencies on ICT third-party service providers.
  2. ICT Incident Management and Reporting
    Financial entities must have an ICT incident management process that includes procedures to identify, track, log, and categorize ICT-related incidents according to their severity and the services impacted. ICT-related incidents must be reported to regulators promptly using standardized templates. The goal is to improve transparency, accelerate the identification of systemic risks, and enable coordinated responses across the EU.
  3. Digital Operational Resilience Testing
    Organizations must conduct regular testing to evaluate the resilience of ICT systems, with all critical tools and applications tested annually. All firms must perform basic resilience testing, while organizations classified as critical are required to conduct advanced threat-led penetration testing (TLPT) every three years. 
  4. ICT Third-Party Risk Management
    Organizations must manage risks arising from their reliance on third-party service providers such as cloud, hosting, and infrastructure services. These risks must be outlined in an ICT third-party risk strategy reviewed regularly. Provisions are designed to reduce dependency risks and ensure service continuity.
  5. Cyber Threat Information Sharing
    DORA promotes the exchange of cyber threat intelligence among financial entities to strengthen sector-wide resilience. By sharing information on emerging threats and vulnerabilities, firms can better prepare for potential risks.

Oversight of Critical Third-Party Providers 

Besides the five framework pillars, DORA has also introduced an oversight framework for designating “critical” ICT third-party providers, such as cloud services and data hosting companies. These critical ICT providers are subject to oversight by the European Supervisory Authorities (ESAs), which can conduct inspections and audits and issue recommendations to mitigate the risks associated with those providers.

How Versa Helps Achieve DORA Compliance 

Versa can help with the pillars of ICT Risk Management (Pillar 1) and ICT Incident Management and Reporting (Pillar 2) in the areas of threat detection, prevention, and reporting:

Versa Capabilities for ICT Risk Management (Ch II, Articles 6-14)

  • Zero Trust Access and Segmentation: Enforcement of consistent access policies between users, applications, and workloads, reducing the risk of unauthorized access or lateral movement.
  • Resilient and Redundant Connectivity: Network continuity and availability through SD-WAN capabilities designed for failover and high performance. (Articles 6, 7, 11, 12)
  • Advanced Security: Integrated threat prevention, detection, and policy enforcement through the SSE product suite, including Advanced Threat Protection (ATP), Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), and Next Generation Firewall (NGFW). (Articles 9, 10)
  • Simplified Management: Single-pane-of-glass management, visibility, and reporting capable of identifying and categorizing users and devices. End-user notifications can also be configured here. (Articles 8, 13, 14)

Versa Capabilities for ICT Incident Management and Reporting (Ch III, Articles 18, 19, 24)

  • Visibility and Monitoring: End-to-end observability across WAN, cloud, and edge environments to detect risks and maintain compliance with monitoring obligations. (Articles 18, 19, 24) 
  • Analytics and Reporting: Provides telemetry, logs, analytics, and risk events supporting regulatory reporting obligations for ICT-related incidents. (Articles 18, 19, 24)  
