Understanding the Third Chapter of DORA

As we continue with our analysis of the Digital Operational Resilience Act (DORA), Chapter 3 stands out as a pivotal component in shaping the operational resilience framework for financial entities across the EU. For those who have been following our series, we’ve already explored the foundations laid out in Chapter 1 and the specific incident management requirements highlighted in Chapter 2. This article explores Chapter 3, focusing on digital operational resilience testing requirements.

Chapter 3: What is it?

Chapter 3 of DORA focuses on the digital operational resilience testing of ICT (Information and Communication Technology) systems, tools, and processes within financial entities. This chapter mandates that financial entities within the EU or operating within the EU, including banks, investment firms, insurance companies, and other financial market infrastructures, rigorously test their ICT systems to identify vulnerabilities and mitigate potential risks.

Key sections of Chapter 3 include:

  1. Regular Testing Requirements: Businesses must carry out regular, comprehensive testing of their ICT systems. This includes vulnerability assessments, penetration testing, scenario-based testing, and more.
  2. Advanced Testing for Critical Functions: For critical functions and high-risk areas, more sophisticated testing techniques are required, such as threat-led penetration testing (TLPT). This involves simulating cyber-attacks to evaluate the resilience of ICT systems against sophisticated threats.
  3. Third-Party Testing: Businesses are encouraged to involve independent third-party testers to ensure objectivity and thoroughness in the testing process. These testers must have no conflicts of interest to maintain the integrity of the testing outcomes.
  4. Reporting and Remediation: After testing, businesses must document findings, report significant vulnerabilities, and outline remediation plans. This ensures transparency and facilitates continuous improvement in ICT resilience.

Practical Implications of Chapter 3

Implementing the requirements of Chapter 3 has profound practical implications for financial businesses. The emphasis on rigorous testing and continuous monitoring may well necessitate a strategic overhaul in how organisations approach their ICT infrastructure.

  1. Resource Allocation: Organisations must allocate adequate resources, including skilled personnel and financial investments, to conduct the required testing. This may involve hiring cyber security experts or engaging with third-party testing firms.
  2. Integration with Existing Frameworks: Businesses must integrate DORA’s testing requirements with existing risk management and cyber security frameworks. This means aligning DORA mandates with frameworks like ISO/IEC 27001 or NIST Cyber Security Framework to ensure comprehensive coverage.
  3. Enhanced Cyber Security Posture: Regular and advanced testing helps organisations uncover hidden vulnerabilities and strengthen their cyber security posture. By addressing these vulnerabilities proactively, financial entities can mitigate the risk of cyber incidents that could disrupt operations or compromise sensitive data.
  4. Regulatory Compliance: Adhering to DORA’s testing requirements is not merely a regulatory obligation but also a competitive advantage. Organisations that demonstrate robust digital operational resilience can build trust with stakeholders, including clients, regulators, and partners.

Ensuring Compliance with Chapter 3

To ensure compliance with Chapter 3 of DORA, financial entities must adopt a proactive and structured approach.

Martin Tully, CRMG Delivery Lead for Governance & Compliance, highlights below his key tips to help businesses navigate this chapter effectively:

  1. Develop a Comprehensive Testing Strategy: Create a detailed testing strategy that outlines the scope, frequency, and methods of testing for different ICT components. This strategy should prioritise critical functions and high-risk areas.
  2. Engage Qualified Experts: Whether conducting internal testing or involving third-party testers, ensure that the individuals or firms engaged possess the necessary expertise and certifications in cyber security and digital resilience.
  3. Establish Continuous Monitoring and Improvement: A continuous monitoring mechanism will help to keep track of emerging threats and vulnerabilities. Regularly update testing procedures and remediation plans based on the latest threat intelligence and industry best practices.
  4. Maintain Documentation and Reporting: Thorough documentation of all testing activities, findings, and remediation efforts is crucial for regulatory reporting and demonstrates a commitment to transparency and continuous improvement.


Cyber Security Looking Ahead to 2026: What Organisations Need to Be Ready For

As cyber security continues to mature as both a discipline and an industry, the challenges facing organisations are shifting from awareness to execution, accountability, and sustainability.

Looking ahead to 2026, cyber security is no longer operating at the edges of the business. It is influencing procurement decisions, regulatory expectations, boardroom conversations, and even the professional standards applied to those working within it.

But this next phase of cyber maturity does not have a single, universal answer.

Organisations are experiencing these challenges differently, depending on their size, sector, regulatory exposure, and risk appetite. Likewise, practitioners across cyber security, risk, assurance, and governance bring different lenses to the same evolving problem set.

To explore what this means in practice, we asked members of the CRMG team to share their perspectives on where organisations are struggling today and what they should be considering as cyber risk continues to scale through 2026.

From the operationalisation of frameworks to measuring maturity, the professionalisation of cyber roles, third-party risk management and the emerging role of AI assurance, these viewpoints are not intended to present a single definitive roadmap. Instead, they reflect the real-world tensions, trade-offs, and questions organisations are already grappling with.

From Frameworks to Reality: The Operationalisation Gap

One of the most persistent challenges organisations face is not a lack of frameworks, standards, or guidance – but the ability to operationalise them effectively, particularly beyond the organisation’s boundaries.

Andrew highlights how third-party risk management remains a weak point for many organisations, especially when commercial pressure overrides security intent:

“Some organisations struggle to implement third-party risk management effectively because due diligence is treated as a one-off onboarding formality, expedited due to pressure from procurement and business owners who are keen to onboard suppliers swiftly. Commercial timelines and delivery urgency put pressure on teams to rush key stages such as triaging suppliers or security assessments and cut corners. This can lead to reduced scrutiny, reliance on self-attestations alone, or acceptance of unresolved security gaps to avoid delaying contracts.”

This challenge is often rooted in mindset. When third-party risk is framed as a hurdle to overcome rather than an ongoing business risk, meaningful assurance quickly erodes:

“This occurs when third-party risk is viewed as an initial ‘checkbox exercise’ rather than an ongoing business risk that can evolve over time. This results in organisations entering relationships with limited visibility of actual control maturity and little leverage once contracts are signed.”

As regulatory scrutiny increases and supply chains become more interconnected, this approach is becoming increasingly unsustainable. Andrew points to a more integrated path forward – one that aligns commercial objectives with security outcomes:

“Organisations can address this by aligning procurement incentives with risk outcomes, including minimum security and resilience requirements in contracts before granting access or sharing data, and embedding ongoing monitoring and assurance throughout the supplier lifecycle.”

In 2026, organisations that fail to embed this thinking into procurement and supplier governance are likely to find themselves exposed not just operationally, but also reputationally and regulatorily.

Maturity Is Built on Measurement, Not Maturity Models

While third-party risk highlights execution gaps, Dan’s perspective refocuses the discussion on foundations. As cyber security programmes grow in scope and complexity, maturity is less about adopting the latest tool or framework and more about establishing repeatable, measurable control environments.

Dan’s advice to organisations looking to mature their cyber security posture is clear:

“Ensure you establish strong foundations of control and measurement which will enable you to define, implement and measure incremental improvement.”

For organisations still early in this journey, he outlines a pragmatic and scalable approach:

“Start by establishing a control library that works for the scale and complexity of your organisation.”

“Use one of the established recognised frameworks (NIST CSF, ISO, ISF SOGP etc.) as the basis for your library and augment and configure controls as needed – but keep it as simple as possible.”

However, controls alone are not enough. Ownership, engagement, and governance are what turn documentation into operational resilience:

“Define clear ownership of controls and engage proactively with stakeholders to ensure owners are ‘bought in’ to the approach.”

Measurement then becomes the enabler of informed decision-making:

“Define measures for the key subset of controls you need to monitor on a regular basis.”

“Establish a framework for assessment of actual performance against the control baseline.”

Crucially, Dan stresses sustainability, a theme that will only grow in importance as cyber programmes expand:

“Implement control maintenance, monitoring and assessment processes that you’re equipped to handle. Consider assessing a subset of controls on a quarterly basis to minimise the burden on contributors.”

And finally, maturity must connect back to leadership and business outcomes:

“Establish cadence with senior management using a style and terms that they can become familiar with and support – with investment in improvement linked to business outcomes.”

By 2026, organisations that cannot clearly demonstrate how cyber controls perform and how that performance links to risk and value will struggle to justify investment or regulatory confidence.

The Role of AI in Cyber Security, Assurance and Risk Management

CRMG Co-Founder Simon adds another dimension to the conversation – one that many organisations are actively exploring, often with a mixture of optimism and uncertainty: the role of artificial intelligence in cyber security, assurance, and risk management.

“Like many, I have mixed emotions about AI. There’s excitement around its potential and what it could mean for CRMG, alongside a sense of FOMO. At the same time, I worry about inflated claims that position AI as the answer to our cyber security woes, and about what it’s really doing at a time when integrity already feels in short supply. AI can help streamline the mechanistic elements of cyber-related audit, assurance, and risk management without significant controversy. Things like minute-taking (subject to straightforward verification), audit interview support, and creating templated reports based on clear, bucketed and verified content are sensible use cases.”

However, when it comes to risk judgement and prioritisation, Simon is clear that AI remains no substitute for human experience.

“Risk contextualisation is an area where AI is currently no replacement for a seasoned risk practitioner or an engaged business stakeholder. Business context and potential impact aren’t static, and they’re critical in turning a control weakness into a prioritised risk. That’s a dimension AI will struggle with, unless it has access to large, verified data sets around impact and loss trends over time.”

He also highlights the need for caution when using AI to draw conclusions about control effectiveness.

“AI’s ability to infer the extent of control implementation from operational data should always be treated with care and must be verified. While it may be able to spot trends a human would struggle to identify, this is closer to advanced data analytics than something entirely new. The key is access to large, reliable data sets and proven techniques.”

For Simon, the most important mindset shift is how AI is positioned within organisations.

“Think of AI as a novice that needs nurturing, support, and challenge. It should never be relied upon alone. The conundrum is that AI used in assurance has to be assured. The AI used to assure the AI that is used to assure also has to be assured!”

Simon is clear that his views are not fixed, and recognises the challenge ahead.

“In a world where Shadow AI risks becoming the new Shadow IT, that’s a lot easier said than done. The upside is that there are some very big brains working in this space and we’ll need them.”


The Professionalisation of Cyber Security: A Shift Few Are Talking About

While operational maturity and governance dominate many cyber discussions, CRMG Co-Founder Nick Frost highlights a more structural change beginning to surface – one that could reshape the industry itself.

Looking ahead to 2026, he points to the growing momentum behind licensing parts of the cybersecurity profession:

“One of the most significant shifts beginning to surface in 2026 is the move towards licensing parts of the cybersecurity profession. Whilst countries – such as Singapore, Ghana, Malaysia – have started movements in this area, it is still at an early stage.”

The rationale behind this shift is becoming increasingly difficult to ignore:

“Professions are subjected to licensing for a reason – when poor decisions or sloppy workmanship might result in widespread harm. Cybersecurity now sits squarely in that category.”

As cyber roles continue to influence critical infrastructure, public trust, and national resilience, expectations around accountability are rising:

“Cyber roles increasingly influence public trust, critical infrastructure, the health of individuals, and even national resilience. Yet you could argue that entry standards and accountability remain relatively low.”

Licensing is not about restricting the profession wholesale, but about recognising the risk attached to certain roles:

“Licensing won’t apply to every cyber role overnight, but for certain critical positions it offers a clear way to raise minimum standards, improve consistency, and introduce real accountability.”

Nick’s conclusion reflects a broader trajectory facing the industry:

“As cyber risk continues to scale, regulation will inevitably follow, and licensing is a natural next step in the professionalisation of cybersecurity.”

By 2026, this shift could have profound implications – not just for practitioners, but for organisations hiring, governing, and relying on cyber expertise.

Retail’s Greatest Vulnerability: Why Cyber Security Must Start with People

The UK retail sector is undergoing a rapid digital transformation that spans everything from omnichannel customer experiences to AI-driven supply chains. But as retailers digitise, they expose themselves to a growing threat: cyber crime.

Cyber security in retail is no longer about just protecting payment terminals or e-commerce platforms. It’s about ensuring business continuity, safeguarding brand trust, and defending the people behind the systems. If retail boards continue to treat cyber security as an IT overhead or compliance requirement, they will leave their organisation exposed and in danger of being exploited by cyber criminals.

Recent events have made this painfully clear.

A Sector Under Siege: The M&S Breach

In April 2025, Marks & Spencer became the latest UK retailer to suffer a major ransomware attack. What began as a compromise via a third-party help desk escalated into operational paralysis: online orders failed, loyalty cards stopped working, contactless payments collapsed, and frontline staff reverted to pen and paper. For a business of M&S’s scale and heritage, this wasn’t just a technical failure – it was a commercial crisis.

The numbers are staggering: £300 million in lost sales, nearly £1 billion wiped from its market value, and significant reputational damage at a critical moment in trading. The implications extended beyond M&S; customers were also affected. Suppliers faced delayed payments. The media spotlight intensified.

The breach, reportedly linked to the hacking group Scattered Spider (also associated with attacks on Harrods and Co-op), highlighted a fundamental truth: no matter how sophisticated your infrastructure, attackers target people, not just machines.

Cyber Crime is Human-Centred and So Must Be Defence

The BBC’s Panorama documentary Fighting Cyber Criminals aired in July 2025, shedding national light on the scale and shape of the UK’s cyber threat landscape. One key message stood out: most cyber incidents aren’t the result of highly technical exploits; instead, they start with people making mistakes.

“It’s refreshing to see a view of cyber that isn’t about technically skilled criminals doing wizzy technical things to break into organisations. It highlighted that cyber criminals often don’t have deep technical skill and instead use skills in deception to fool helpdesks (people) to give them passwords.”

Phishing. Social engineering. Manipulating support desks. Abusing shared credentials. These tactics bypass traditional defences by preying on the instincts and workloads of real people: overworked contact centre staff, distracted store managers, and under-trained suppliers.

For retail, this is critical. The sector’s frontline workforce is large, decentralised, and customer-facing. Seasonal and part-time contracts are standard. Supply chains are vast, multi-tiered, and often operate with minimal security scrutiny. These are not just operational characteristics, they’re security vulnerabilities.

“Cyber criminals have learnt how to exploit people for their profits. To beat them we need to be prepared to invest in our people and organisational culture to reduce the opportunity available to the criminals.”

Beyond the Firewall: Rethinking Cyber Resilience in Retail

The retail environment presents unique challenges for cyber defence:

  • High transaction volume: Large volumes of customer data and payment details make retailers prime targets for data exfiltration and fraud.
  • Supply chain complexity: Third-party risk is amplified through the involvement of multiple suppliers, logistics providers, and technology vendors.
  • Legacy systems and POS infrastructure: Many retailers still operate on ageing platforms with known vulnerabilities.
  • Public-facing digital assets: E-commerce sites, apps, and loyalty programmes increase exposure.
  • High staff turnover: Frequent onboarding and offboarding increases the chance of misconfigurations or account misuse.

Defending this environment requires more than upgraded firewalls. Tom Everard, Director of Risk Services, recommends:

“Creating a security culture programme in which security awareness and training are just two tools of many used to drive improvements in security behaviour. Apply a human risk management approach whereby data on actual behavioural risk helps to prioritise resource allocation to address those risks that matter most.”

The Regulatory Lens: More Pressure, But Also a Roadmap

Regulators have taken note. The retail sector is increasingly in scope of new cyber resilience rules designed to protect not only business operations, but national infrastructure and consumer safety.

  • NIS2, which extends obligations across key sectors in Europe, now includes digital services and supply chain operators, pulling large retailers and platforms into scope.
  • DORA may appear finance-focused, but its approach to operational resilience and risk governance is being mirrored across other sectors.
  • The UK Government’s cyber strategy, along with increased involvement from the Information Commissioner’s Office (ICO), is likely to result in tighter requirements for breach notification, supply chain assurance, and leadership accountability.

What’s significant is that all these frameworks recognise one thing: cyber security is no longer just about technical controls. It’s about governance, culture, and operational maturity. In other words, it starts with people.

Board-Level Accountability is Now Non-Negotiable

In the aftermath of the M&S attack, company Chair Archie Norman called for mandatory incident reporting laws. His comments reflect a growing expectation: leadership must understand and oversee cyber risk, not simply delegate it.

This requires better communication between technical teams and boards. Retail executives should be asking:

  • Where is our most significant exposure to human error?
  • How resilient are our operations to ransomware or outages?
  • What’s our single point of failure – whether it’s tech, supplier, or person?
  • How do we monitor and reduce cyber risk across our stores, apps, and supply chain?
  • When was our last cross-functional incident simulation?

Boards must go beyond “Are we secure?” and start asking, “How prepared are we to recover?” Because in retail, minutes of downtime can translate into millions lost and erode trust.

What Good Looks Like in Practice

We can look to the successful application of safety culture in organisations with hazardous work environments like transport and oil and gas to see how the culture approach is able to shift human behaviour. Academic research into safety behaviour began in the 1950s and 60s with subsequent analysis of disasters like Chernobyl, Space Shuttle Challenger, Hillsborough, and numerous rail accidents. This eventually led to safety culture programmes being introduced in the late 1990s/early 2000s with remarkable results. 2016 was the first year in which there were no fatalities of rail workers on the UK rail network. A similar approach is now recognised as being needed to drive the right security behaviours in organisations and businesses.