
How ISO 22301 and ISO 27035 help meet DORA requirements


Companies in Kazakhstan, Uzbekistan, Georgia, and Kyrgyzstan are increasingly working with European banks, fintech partners, and marketplaces—which means they are facing DORA’s requirements for digital operational resilience. The good news is that you don’t need to reinvent the wheel to align with DORA. Two practical standards—ISO 22301 and ISO/IEC 27035—cover much of what the regulator expects through clear processes and defined roles.

What DORA expects from businesses—in plain language

DORA (the Digital Operational Resilience Act) focuses not on “paper security,” but on a company’s ability to withstand IT outages and cyber incidents, recover quickly, and manage risks across its suppliers. In practice, partners and auditors typically check whether you:

  • have a governed framework for ICT risk management and business continuity, with defined owners;
  • can detect, classify, and investigate incidents;
  • run tests and exercises;
  • oversee critical suppliers (cloud providers, outsourcing vendors, data centers).

If you think of a business as an airline, DORA wants to see not only seat belts (policies), but also crew training, checklists, black boxes, and regular aircraft inspections.

ISO 22301: the backbone of business continuity for DORA compliance

ISO 22301 builds a Business Continuity Management System (BCMS): from risk analysis and the BIA to recovery plans and regular exercises. This directly supports DORA’s expectations for resilience and service recovery.

Before implementing procedures, it’s important to define exactly what you are protecting and how much downtime is acceptable. In ISO 22301, this is formalized through key artifacts:

  • BIA (Business Impact Analysis): which processes are critical, what dependencies exist (people, IT, suppliers), and what the impact of downtime is;
  • RTO/RPO: the Recovery Time Objective (how long a service may stay down) and the Recovery Point Objective (the maximum acceptable data loss, expressed as a span of time);
  • continuity strategies: redundancy, alternative sites, manual workarounds;
  • response and recovery plans: who does what, in what sequence, and how to communicate with customers and partners;
  • exercises and tests: so the plan works in real life, not just in a slide deck.

After that, you have a structured foundation for business continuity training—and for demonstrating maturity to partners and auditors.

Learn more about the standard’s structure and practical use here.

ISO/IEC 27035: bringing order to cyber incident response

If ISO 22301 answers the question “how do we keep operating when everything breaks,” then ISO/IEC 27035 answers “how do we handle an incident properly and learn from it.” This is critical for DORA because the regulator expects discipline: detection → assessment → response → recovery → improvement.

The standard helps build an information security incident management process in which incidents are not handled through a chaos of chats and calls to “someone in IT,” but through clear roles, criteria, and metrics. Such a process typically includes:

  • rules for detecting and logging events (SOC/logging/service desk);
  • classification and prioritization (what counts as a serious incident);
  • response scenarios (ransomware, data leak, account compromise, DDoS);
  • communications and escalation (management, legal, PR, partners);
  • post-incident review: root causes, lessons learned, corrective actions.

And yes—this is the kind of incident management that saves money and nerves: the faster you contain the issue, the less downtime and reputational damage you face.

ISO/IEC 27035 implementation in practice: more details here.

How ISO 22301 and ISO 27035 together help meet DORA’s key operational resilience requirements

Individually, each standard is strong—but together they create a powerful “resilience + response” combination:

  • ISO 22301 defines critical services, acceptable downtime, and recovery scenarios.
  • ISO/IEC 27035 provides the mechanism for responding to cyber incidents, which often triggers business continuity plans.
  • DORA requires regular readiness checks—both standards rely on exercises, tests, and a continuous improvement cycle.

After implementation, the company gains a “common language” across business, IT, and security—and fewer situations where one team sees an incident as “minor,” while another is already losing customers.

A quick implementation plan for companies in the region

To avoid drowning in documentation, start pragmatically. The System Management team usually recommends this route:

  • run a short gap analysis against DORA and your current practices;
  • map critical services and dependencies (BIA, RTO/RPO);
  • launch an incident response process: roles, classification, playbooks;
  • link incident response to recovery plans (who triggers BCP/DR and when);
  • run a tabletop exercise and document improvements.

This delivers fast results: even a single well-run exercise often reveals bottlenecks better than months of discussion.
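To make the hand-over from incident response to BCP/DR concrete, here is an added Python example (not code from the original page, and not System Management’s own tooling). It encodes a constructed service catalog with the RTO/RPO values a BIA would produce, classifies an incident by severity, and decides when the incident manager must escalate to the BCP/DR owner. The service names, the RTO/RPO figures, the three severity levels and the 50 % hand-over rule are all assumptions for illustration; DORA’s own major-incident criteria are not reproduced here.

```python
from dataclasses import dataclass
from datetime import timedelta


# Service catalog as a BIA would produce it. The services and their RTO/RPO
# values are constructed for this example, not taken from any real company.
@dataclass(frozen=True)
class Service:
    name: str
    critical: bool
    rto: timedelta  # Recovery Time Objective: acceptable downtime
    rpo: timedelta  # Recovery Point Objective: acceptable data loss, as a time span


@dataclass(frozen=True)
class Incident:
    ident: str
    category: str              # ransomware, data leak, account compromise, DDoS, ...
    affected: tuple[str, ...]  # service names that should appear in the catalog
    outage: timedelta          # downtime elapsed so far
    data_loss: timedelta       # span of transactions/data confirmed unrecoverable


CATALOG = {
    "payments-api":    Service("payments-api",    True,  timedelta(hours=1),  timedelta(minutes=15)),
    "customer-portal": Service("customer-portal", True,  timedelta(hours=4),  timedelta(hours=1)),
    "internal-wiki":   Service("internal-wiki",   False, timedelta(hours=72), timedelta(hours=24)),
}

# Assumed hand-over rule: once a critical service has consumed this fraction of
# its RTO, the incident manager must escalate to the BCP/DR owner.
BCP_WARNING_FRACTION = 0.5

SEVERITY_RANK = {"minor": 0, "significant": 1, "major": 2}


def triage(incident: Incident, catalog: dict = CATALOG,
           warning_fraction: float = BCP_WARNING_FRACTION) -> tuple[str, bool, list[str]]:
    """Classify an incident against the BIA and decide whether to trigger BCP/DR.

    Returns (severity, trigger_bcp, reasons). Severity is the highest level any
    single rule produced; reasons records which rule fired for which service.
    """
    severity = "minor"
    trigger = False
    reasons: list[str] = []

    def raise_to(level: str, reason: str, escalate: bool = False) -> None:
        nonlocal severity, trigger
        if SEVERITY_RANK[level] > SEVERITY_RANK[severity]:
            severity = level
        trigger = trigger or escalate
        reasons.append(reason)

    for name in incident.affected:
        svc = catalog.get(name)
        if svc is None:
            # A dependency the BIA never mapped: treat it as critical and record the gap.
            raise_to("major", f"{name}: not in service catalog, treat as critical and update the BIA",
                     escalate=True)
            continue
        if incident.outage >= svc.rto:
            raise_to("major", f"{name}: outage {incident.outage} exceeds RTO {svc.rto}", escalate=True)
        elif svc.critical and incident.outage >= svc.rto * warning_fraction:
            raise_to("significant",
                     f"{name}: {incident.outage / svc.rto:.0%} of RTO consumed, hand over to BCP/DR",
                     escalate=True)
        elif svc.critical:
            raise_to("significant", f"{name}: critical service affected")
        if incident.data_loss > svc.rpo:
            # Restoring from the last backup cannot meet the RPO; recovery needs a workaround.
            raise_to("major", f"{name}: data loss {incident.data_loss} exceeds RPO {svc.rpo}",
                     escalate=True)

    return severity, trigger, reasons


# Constructed incidents for a tabletop walkthrough (assumed, not real cases).
EXAMPLES = {
    "INC-1": Incident("INC-1", "ransomware", ("payments-api",), timedelta(minutes=40), timedelta(minutes=20)),
    "INC-2": Incident("INC-2", "ddos", ("internal-wiki",), timedelta(hours=2), timedelta(0)),
    "INC-3": Incident("INC-3", "account compromise", ("customer-portal",), timedelta(minutes=30), timedelta(0)),
    "INC-4": Incident("INC-4", "data leak", ("crm",), timedelta(minutes=5), timedelta(0)),
}


def run_examples() -> dict[str, tuple[str, bool]]:
    """Severity and BCP decision for each constructed incident."""
    return {ident: triage(inc)[:2] for ident, inc in EXAMPLES.items()}


if __name__ == "__main__":
    for ident, inc in EXAMPLES.items():
        print(ident, inc.category, triage(inc))
```

The point of the walkthrough is the order of the checks: a breached RPO or an unmapped dependency escalates to the BCP owner immediately, while a critical service that is merely affected stays with the incident team until half its RTO has been consumed. Tuning those two thresholds is exactly what a tabletop exercise should produce evidence for.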

If you work with EU financial partners or want to prepare in advance for customer and auditor requests, System Management can help set up the processes, deliver training, and build the evidence base for assessment.
