DORA compliance.
Implementation of the Digital Operational Resilience Act for financial entities — pragmatic, audit-ready, with a sense for proportionality. Drawn from live mandates.
Why DORA matters now
Since 17 January 2025, DORA has been binding across the EU. Supervisory authorities — BaFin in Germany and the audit associations in the savings-bank world — have ended the transition phase and are actively examining. Many institutions have implemented the formal requirements but struggle with operational effectiveness:
- Third-party register exists, but criticality assessment is inconsistent.
- Incident management process documented, but reporting paths unclear in the moment of truth.
- Resilience tests carried out, but without structured lessons-learned.
- Outsourcing contracts amended, but steering routines not embedded.
- Reporting to executive and supervisory bodies not audit-ready.
This is exactly where an experienced interim manager adds value — with delivery pace, regulatory experience and the authority to lead across internal silo boundaries.
The five pillars in delivery
I. ICT risk management
Establishing and embedding an end-to-end ICT risk framework: identification, protection, detection, response, recovery. Integration with existing risk management and ISMS structures. Clear roles, reporting lines and KPIs.
II. ICT incident management
Classification, documentation and reporting of major ICT-related incidents. Establishing reporting paths, escalation routines and interfaces to the supervisory authority. Testing of reporting paths.
III. Digital resilience testing
Risk-based test programmes: vulnerability scans, penetration testing, threat-led penetration testing (TLPT) for the largest entities. Structured lessons-learned, tracking of remediation, evidence of effectiveness.
IV. ICT third-party risk
Building a complete information register, criticality assessment of providers, contractual amendments under Art. 30 DORA, steering routines, exit strategies. Specific focus: steering of critical providers such as Finanz Informatik in the savings-bank world.
V. Information sharing
Structured participation in information sharing on cyber threats and incidents — within associations, with ISACs and with supervisors.
What I deliver as an interim manager for DORA
DORA maturity assessment
Structured stocktake along the five pillars — strengths, gaps, quick wins. Outcome: a prioritised roadmap with clear ownership and milestones.
Delivery in the line
I take on operational responsibility, not just an advisory role — as interim head of IT, COO or DORA programme owner. Steering of business areas, budget responsibility, people leadership.
Steering of outsourcing partners
From live mandates I bring practical experience in steering critical providers such as Finanz Informatik, external hosting and IT-service partners — including contract management, SLA steering and audit support.
Audit and examination support
Preparation and accompaniment of IT security audits, BaFin examinations and association audits. Production of audit-ready documentation, evidence and remediation tracking.
Handover to the line
The aim is always a permanent organisation that carries the topic on its own, without interim support — recruiting and coaching of the successor, documented processes, working steering routines.
Frequently asked questions
What is DORA?
DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is an EU regulation that has been binding for financial entities since 17 January 2025. It creates a unified framework for digital operational resilience and comprises five pillars.
Who is affected?
Around 22 categories of financial entities — banks, savings banks, insurers, investment firms, payment institutions, crypto-asset service providers and critical ICT third-party providers. Requirements are applied on a risk- and proportionality-based approach.
How quickly can a mandate start?
Usually within two to four weeks — depending on current availability and onboarding complexity.
What sector experience do you bring?
Over 15 years in financial services — banking (Barclays UK/Germany), data brokerage (CRIF Bürgel) and currently interim head of IT at a Sparkasse with DORA focus and Finanz Informatik outsourcing steering.
Discuss DORA maturity in 30 minutes
Free initial conversation, in confidence. We’ll cover starting point, examination roadmap and whether an interim mandate is the right lever.
Email: ov@olivervossinterim.de · Phone: +49 173 286 27 38