The Biggest Misunderstanding About The Digital Operational Resilience Act

(Why ISO 27001 or SOC 2 Won’t Save You)

There’s a myth doing the rounds in boardrooms and compliance meetings:

“We’ve already got ISO 27001 or SOC 2, so DORA is covered.”

It sounds reassuring. After all, those badges are hard-earned, respected, and recognised worldwide. But here’s the problem: it’s not true. And if your organisation is banking on them for the Digital Operational Resilience Act, you’re sitting on a regulatory time bomb.

Why This Myth Persists

Let’s be honest—ISO 27001 and SOC 2 have become shorthand for “we take security seriously.” Customers trust them. Auditors respect them. Regulators nod approvingly.

So when a new regulation like DORA lands, it’s tempting to breathe easy and assume those certificates tick the box.

It is true that the Digital Operational Resilience Act incorporates considerable elements of both of these standards. But DORA goes far beyond them. DORA isn’t about “proving you’re secure.” It’s about proving you’re resilient: that when disruption hits (and it will), you can recover, keep services running, and protect financial stability. That’s a different ballgame.

And there is a difference. Any organisation can be secure at the point in time at which an auditor checks. DORA, by contrast, seeks to address continuous resilience, and the cornerstone of that is tighter oversight through continuous monitoring.

The Digital Operational Resilience Act Reality Check

Here’s the blunt truth:

  • ISO 27001 and SOC 2 are voluntary. DORA is law.
  • ISO 27001 and SOC 2 look at controls. DORA looks at governance, risk, and resilience.
  • ISO 27001 and SOC 2 audit you once a year. DORA expects you to prove resilience continuously.

So no, your certificates don’t get you out of this one.

The Compliance Gaps That Will Catch You Out

Let’s get specific. These are the areas where relying on ISO or SOC 2 will leave you exposed under DORA:

  1. ICT Risk Beyond Security
    ISO and SOC care about information security. DORA demands that you manage operational resilience—business continuity, recovery planning, and the ability to withstand major ICT shocks.
  2. Incident Reporting
    ISO doesn’t care how fast you notify regulators. DORA does. And the deadlines are tight.
  3. Resilience Testing (DORT)
    An annual audit doesn’t cut it. DORA wants advanced scenario testing, red teaming, and simulated cyber events.
  4. Third-Party Oversight
    It’s not enough to “vet the vendor.” DORA requires strict governance, contractual oversight, and concentration risk management across your entire ICT supply chain.
  5. Continuous Monitoring
    ISO gives you a snapshot in time. DORA expects a live feed—real-time assurance that controls are working, not just once a year.
  6. Board Accountability
    This is the kicker. Under DORA, executives and board members are personally responsible for resilience. They can’t delegate it away.

Why This Matters

Here’s the danger: if you believe ISO or SOC makes you compliant, you’ll underinvest in the very areas regulators care most about. That false sense of security will cost you—both in fines and in the chaos of a real-world cyber attack.

Remember: good security doesn’t guarantee resilience. You can tick every control box and still crumble under operational stress.

From Certification to Compliance

So, what should you do?

  1. Start with a gap analysis. Map your existing controls (ISO/SOC) against DORA’s requirements.
  2. Get serious about resilience testing. If you’ve never run a red team exercise, now’s the time.
  3. Strengthen your third-party oversight. Regulators will.
  4. Implement continuous monitoring. You need to know your controls are effective in real time, not once a year.
  5. Bring the board to the table. DORA makes this their responsibility.

ISO and SOC aren’t wasted effort—they’re solid foundations. But they’re not the finish line.

The Bottom Line

DORA raises the bar. It’s not about looking secure on paper; it’s about being resilient in reality, and continuously.

So the question is: are you still treating ISO 27001 or SOC 2 as your safety net? Or are you ready to close the gaps regulators will actually hold you accountable for?

👉 Next Step: Our white paper outlines the real gaps between certification and DORA compliance—and how to close them before regulators come knocking. Download it now.
