DORA Compliance and the DVMS Institute NIST Cybersecurity Framework Digital Value Management System®
Rick Lemieux – Co-Founder and Chief Product Officer of the DVMS Institute
The Digital Value Management System™ (DVMS) presents a robust and adaptive systems-based model that can help European companies effectively operationalize the capabilities required by the Digital Operational Resilience Act (DORA). As DORA becomes a central pillar of digital risk regulation for financial entities in the EU, organizations must move beyond ad hoc cybersecurity compliance efforts and establish a unified, measurable, and continuously improving operational resilience framework. The DVMS is uniquely positioned to support this transformation, aligning governance, risk management, cybersecurity, and business performance into a coherent model. It helps financial institutions embed digital operational resilience into their day-to-day operations, fulfill regulatory obligations, and respond dynamically to the evolving threat landscape.
DORA requires financial entities to develop and maintain robust capabilities across five key areas: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing. These capabilities must be more than formal policies or procedures; they must be real, operationalized functions embedded within the business. This is where the DVMS provides unparalleled value. Built upon the systems-thinking philosophy and the Create–Protect–Deliver (CPD) Model, the DVMS approaches resilience not as a fixed outcome but as an emergent property of adaptive and well-aligned capabilities distributed across the organization.
At the core of DORA is the requirement to establish and maintain an integrated ICT risk management framework. This includes governance arrangements, policies, procedures, and tools that ensure the confidentiality, integrity, and availability of ICT systems and data. The DVMS addresses this head-on through its Z-X Model, which identifies the seven minimal viable capabilities required to manage digital business value: govern, assure, plan, design, change, execute, and innovate. These capabilities align directly with DORA’s requirement for risk-aware planning, robust change management, and structured governance. The “govern” and “assure” capabilities ensure that cybersecurity and ICT risk management are embedded strategically, with clear accountability and performance oversight. The DVMS helps organizations build a living governance model that continuously adapts based on risk signals, metrics, and stakeholder needs—key elements of DORA’s operational resilience mandate.
Beyond governance, DORA calls for companies to have a continuous risk assessment process incorporating identification, classification, and documentation of ICT risks and assets. This process must include risk scenario analysis, threat-led testing, and robust incident response preparedness. The DVMS supports this through its 3D Knowledge Model, which integrates team knowledge, collaboration, and strategic alignment across three axes—x, y, and z. This model encourages organizations to map the full context of risk by understanding how systems, teams, and strategic goals are interconnected. It helps identify blind spots and hidden dependencies, especially in complex and dynamic environments such as financial ecosystems. By applying tools like the Goal-Question-Metric (GQM) and QO-QM (Question-Outcome–Question Metric), organizations can build a continuous feedback loop that aligns measurement and improvement with strategic risk objectives. These capabilities are fundamental for DORA’s requirements around regular review and evaluation of ICT risk posture.
DORA also introduces a rigorous approach to ICT-related incident reporting. Entities must classify and report major ICT incidents to competent authorities using standardized templates and within specific timeframes. Operationalizing this requirement demands incident response plans in place and ensuring that the entire organization can recognize, escalate, analyze, and learn from incidents. The DVMS embeds this readiness through its CPD Model, which sees incident detection, response, and recovery as integrated elements of digital value delivery. Unlike siloed approaches that treat the incident response as a technical function, the DVMS reinforces that incidents are business events with strategic implications. Through its phased FastTrack implementation model, DVMS ensures that organizations stabilize foundational capabilities (e.g., monitoring, detection, escalation protocols) before layering on more advanced resilience practices such as predictive analytics or red team testing.
Digital operational resilience testing is another central pillar of DORA, requiring organizations to subject their systems to a range of assessments, including vulnerability assessments, penetration tests, and threat-led penetration testing (TLPT). Rather than treating testing as a periodic exercise, the DVMS supports a shift toward a continuous, learning-oriented posture through what it calls “being the menace.” This proactive mindset encourages organizations to think like attackers, simulate real-world threat scenarios, and apply systems thinking to anticipate weaknesses. Misuse cases, red-teaming, and scenario planning become not isolated activities but integral aspects of the organizational resilience lifecycle. The DVMS supports test plans’ development and alignment with actual system dependencies, business services, and stakeholder expectations. This directly supports DORA’s requirement to demonstrate a testing program that reflects the organization’s threat landscape and risk profile.
DORA places significant emphasis on ICT third-party risk management, requiring institutions to understand, monitor, and control risks arising from their dependency on external ICT providers. This includes maintaining an up-to-date register of providers, ensuring contractual safeguards, and conducting due diligence. The DVMS helps operationalize these requirements by encouraging organizations to view third-party risks through system interdependencies. The 3D Knowledge Model provides a method to map how third-party systems interact with internal capabilities and how those interactions affect business continuity. Moreover, the Z-X capability of “assure” helps ensure that third-party arrangements are compliant on paper and actively monitored, measured, and adapted based on performance, compliance status, and incident history. This real-time assurance is critical to DORA, which expects organizations to have control frameworks that extend beyond organizational boundaries.
The DVMS cultural model also supports DORA’s threat information sharing and collaboration promotion. Through fostering a questioning culture, the DVMS encourages openness, cross-functional learning, and the dismantling of silos. This is especially important in large financial institutions, where information-sharing barriers can stifle resilience. DVMS promotes formal and informal communication channels, empowering employees to surface risks, question assumptions, and contribute to a collective security posture. The integration of cultural awareness, trust, and shared accountability ensures that organizations are not only compliant with DORA’s collaboration ethos but able to contribute to industry-wide resilience efforts meaningfully.
Leadership accountability—a key component of DORA—is also embedded within the DVMS structure. The system insists that senior management be involved in shaping digital risk strategy, interpreting key metrics, and leading from the front. Tools like QO-QM help leadership articulate strategy-risk objectives, establish governance policies, and evaluate performance against expected outcomes. The DVMS doesn’t just push responsibility upward—it equips leadership with the overlay system, mental models, and cultural understanding needed to fulfill their roles as strategic stewards of operational resilience.
Moreover, the adaptability of the DVMS makes it particularly well-suited to the European regulatory environment, where financial institutions may face overlapping obligations from national regulators, European supervisory authorities, and international frameworks. Because DVMS is not a rigid methodology but a scalable overlay, it can be tailored to reflect DORA requirements alongside other standards such as ISO/IEC 27001, COBIT, or even the NIS2 Directive. This adaptability ensures that organizations develop a harmonized approach to digital resilience that meets DORA’s specific demands while remaining compatible with broader enterprise risk management practices.
The DVMS offers European financial institutions a robust, scalable, and forward-thinking path to operationalize the digital resilience capabilities mandated by DORA. Its layered architecture, emphasis on capabilities over compliance, and integration of systems thinking, strategic alignment, and cultural transformation make it an ideal model for embedding resilience into the fabric of digital operations. By adopting the DVMS, organizations can move from reactive, control-centric postures to proactive, strategic, and resilient enterprises that comply with DORA and are better equipped to navigate the digital future.
About the Author
Rick Lemieux
Co-Founder and Chief Product Officer of the DVMS Institute
Rick has 40+ years of passion and experience creating solutions to give organizations a competitive edge in their service markets. In 2015, Rick was identified as one of the top five IT Entrepreneurs in the State of Rhode Island by the TECH 10 awards for developing innovative training and mentoring solutions for boards, senior executives, and operational stakeholders.
DVMS Institute is a renowned provider of accredited (APMG International), Assured (NCSC-GCHQ-UK), and Recognized (DHS-CISA-NICCS-USA) NIST Cybersecurity Framework, Digital Value Management System® body of knowledge publications, certification trainings, assessment platforms and real-life desktop simulation trainings.
The Institute’s NIST Cybersecurity Framework Digital Value Management System® certified training programs teach businesses of any size, scale, or complexity the skills to build a Performance Driven Overlay System for Cyber Resilience capable of anticipating and mitigating the systemic risk digital businesses face today.
By embedding systemic risk management into strategic decision-making and aligning it with employee cultural values, organizations can build resilience—a dynamic capability to withstand digital business disruption and comply with any cybersecurity regulation (SEC, UK, DORA, NIS2, SAMA, SOCI, IMO, etc.) or maturity model mandates (HITRUST, CMMC, C2M2 etc.).
® DVMS Institute 2024 All Rights Reserved
