We may earn affiliate commissions for the recommended products. Learn more.

What is the Digital Operational Resilience Act (DORA)?


The European Union (EU) has issued the Digital Operational Resilience Act (DORA) to protect the financial industry from cyberattacks. Banks, credit institutions, investment firms, and other financial entities must comply with DORA beginning on January 17, 2025.

Among other requirements, DORA demands that organizations have backup plans in case a cyberattack disrupts their day-to-day operations. Financial institutions intersect with every other business sector, making their “uptime” crucial in maintaining a healthy economy.

So, with DORA in effect, your organization is expected to have a risk-management framework, monitor third-party providers, conduct operational resilience testing, and report major incidents. This regulation presents an opportunity to enhance your organization’s cybersecurity infrastructure, potentially enabling you to become an industry leader in digital operational resilience and cyber risk management.

Is your team prepared to handle ICT-related incidents and operational disruptions? Will complying with DORA require a change in resource allocation?

This article covers everything you need to know about DORA, focusing on how it will affect your organization and how you can prepare for the regulation’s requirements. Keep reading to find out more.

Who does DORA apply to?

Will your organization be affected by DORA? The regulation applies to all EU “financial institutions” and critical third-party ICT service providers. You’ll find a more detailed list below.

Financial institutions within the EU

The following is a list of entities categorized as “financial institutions” by DORA:

  • Credit institutions
  • Payment institutions
  • Account information service providers
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers and issuers of asset-referenced tokens
  • Central securities depositories
  • Central counterparts
  • Trading venues
  • Trade repositories
  • Management companies
  • Managers of alternative investment funds
  • Data reporting service providers
  • Insurance and reinsurance undertakings
  • Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries
  • Institutions for occupational retirement provision with more than 15 members (IORPs or pensions)
  • Credit rating agencies
  • Administrators of critical benchmarks
  • Crowdfunding service providers

Given its coverage, DORA will affect companies such as Deutsche Bank AG, AXA SA, ING Groep N.V., PayPal, Wise (formerly TransferWise), Revolut, GoFundMe, and many other financial institutions.

Pro tip

Getting DORA compliant takes a lot of time and effort across your whole organization. Use CyberUpgrade to get DORA compliance in 2 months. You'll get a powerful compliance platform + a dedicated team of experienced CISOs.

Critical ICT third-party providers

Information and Communication Technology (ICT) providers support the EU’s finance sector by providing essential services such as cloud computing, data analytics, payment processing, and more.

As such, the EU also expects DORA compliance from these providers to prevent service interruptions from finance entities. DORA will apply even to large organizations like Microsoft, IBM, Accenture, and Vodafone.

Regulators and supervisory authorities

The implementation of DORA also requires the involvement of several supervisory and regulatory bodies. A set of policy products, including technical standards and guidelines, are being prepared by the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).

What are DORA’s key objectives?

DORA’s key objectives aim to ensure operational continuity within the financial sector in the face of significant security incidents, thus safeguarding the stability of the broader financial system.

More specifically, DORA aims to achieve the following goals:

🧑‍💻 Improving operational resilience

One of the primary goals under DORA is to withstand, respond to, and recover from operational disruptions, regardless of cause. The regulation imposes stringent requirements for business continuity planning, fostering a culture of preparedness and adaptability among financial institutions.

⚔️ Strengthening cybersecurity

Another crucial objective of DORA is the implementation of comprehensive cybersecurity frameworks that encompass measures for threat detection, prevention, and response. By taking a proactive stance on cybersecurity, organizations can avoid the financial, reputational, and operational damages that arise from cyber threats.

🔑 Creating an effective risk management system

Lastly, with DORA in effect, risk management systems must be tailored to the rapidly changing cybersecurity landscape. With cybercrime on the rise, it’s essential to have an effective, well-documented risk management framework in place. This will enable financial entities to identify, assess, and mitigate risks to their operations.

How does DORA relate to NIS2?

The EU’s cybersecurity strategy involves both DORA and NIS2, a directive that promotes enhanced cybersecurity across critical sectors in the EU. But how does one affect the other?

The primary difference between the two texts is scope. NIS2 covers more sectors (such as energy, food production, and waste management), whereas DORA focuses on the financial sector.

So, if an entity is affected by both legislations, DORA takes precedence over NIS2 since it is sector-specific. However, this does not mean NIS2 obligations no longer apply to organizations affected by both.

NIS2 initially took effect with enforceability and compliance requirements on October 17, 2024, whereas the Council of the European Union and the EU Parliament set DORA’s official enforcement start date for January 17, 2025. Like NIS2, DORA has specific compliance requirements to reduce cyber risks and ensure resilience in operations. We go into detail below.

Essential DORA compliance requirements

Achieving operational resilience requires compliance with the requirements mandated by DORA. The regulation refers to five key pillars, each targeting a crucial element of operational resilience in the digital age.

ICT risk management

A comprehensive and well-documented ICT risk management framework is essential for DORA compliance and business continuity. This level of preparation allows for prompt responses to cybersecurity risks and other threats.

More specifically, DORA asks organizations to:

  • Perform vulnerability identification to systematically identify weaknesses in their ICT infrastructure.
  • Conduct threat analysis to assess various threats and prioritize risk reduction and management based on their potential impact.
  • Deploy a range of security measures to safeguard ICT systems against cyber threats.
  • Define an incident response plan to address potential security breaches and system failures.
  • Develop comprehensive business continuity plans that ensure critical operations can continue despite disruptions.
  • Conduct training for personnel to promote risk awareness and foster a culture of cybersecurity prioritization.
  • Review strategies, policies, and processes regularly to ensure they are adapting to evolving threats and technologies.

A dedicated ICT risk management function is one significant operational and structural change that DORA requires. This function's specific structure or form is not stipulated within the regulation, but it must include regular reporting to the board. Given the increasingly direct and personal responsibility placed on executives, the chief officers or company management will be obligated to know the state of their organization’s ICT risk management and the overall risk posture. DORA aims to apply these requirements proportionately, depending on a given organization or entity's size, complexity, and risk profile. However, it’s important to note that the proportionality of this requirement does not mean that any organizations will be exempt.

Incident monitoring and reporting

Under DORA, financial entities must record and report ICT-related threats and incidents. To support this, organizations must have the appropriate procedures to enable consistent and secure incident management.

There must also be protocols for communicating incidents to affected clients and other stakeholders. This helps establish transparency and maintain trust in the finance entity.

DORA specifies a maximum reporting timeframe of 24 hours from when an incident is detected. Reports need to include detailed information on the nature of the incident, its impact on the organization, and any potential risks to clients or the financial system at large. Incidents should also be classified based on severity and impact so regulators can prioritize reports appropriately.

Operational resilience testing

Institutions must regularly test their operational resilience to confirm that the systems work. You must employ several kinds of testing to cover all of your bases. These include:

  • Vulnerability assessments and scans - Evaluations to identify, measure, and assign a priority to vulnerabilities in applications, systems, and network infrastructure.
  • Open source analyses - Audits or examinations of open-source software components to ensure licensing compliance and identify any potential security risks.
  • Network security assessments - Evaluation of network infrastructure to determine exploitable weaknesses or defects in architecture, protocol, or deployment configuration.
  • Gap analyses - Comparing current security protocols, systems, and processes with regulatory requirements or industry/sector best practices to highlight areas for improvement or remediation.
  • Physical security reviews - Examining building, infrastructure, and physical protections for IT assets. These may include environmental controls, surveillance equipment and protocols, and physical access controls.
  • Source code reviews - Audits, examinations, and tests of application source code for bugs, flaws, and vulnerabilities. This testing can be manual and done by humans or automated and done by systems.
  • Scenario-based tests - Simulations of plausible identified threat situations to test the organization’s resilience and response capabilities.
  • Performance tests - Evaluating and benchmarking system and application performance under plausible stress conditions such as high-traffic or distributed denial-of-service (DDoS) attacks.
  • End-to-end tests - Complete, real-world-based simulations that validate the function of an entire system within the organization or an organizational unit.
  • Penetration tests - Planned, simulated cyberattacks, usually with the approval of management or some subset. These can test for social engineering weaknesses or exploitation of staff in addition to infrastructure and systems.

There are also ESMA guidelines for advanced threat-led penetration testing to standardize this specific, sometimes controversial test protocol concerning DORA and other EU directives.

Managing third-party risks

Under DORA, the onus is on financial entities to manage ICT third-party risks as part of their own risk management framework. Management strategies include:

  • Due diligence: Organizations must conduct due diligence on third-party providers and ensure the vendor complies with DORA’s requirements.
  • Risk assessment: Financial institutions must identify and evaluate the risks associated with the third-party providers they transact with.
  • Clearly defined contractual obligations: Third-party agreements must outline the roles, responsibilities, and expectations concerning operational resilience. This means contracts must specify performance metrics, compliance requirements, incident reporting protocols, and other relevant information.
  • Regular monitoring: Third-party providers must undergo regular monitoring for performance and security. This monitoring may include regular audits to ensure compliance with DORA’s standards.

The Oversight Framework

The responsibility of third-party risk management doesn’t just fall under individual entities. With DORA in effect, third-party ICT providers will be subject to an oversight framework that falls under the direct supervision of EU financial authorities.

This monitoring aims to identify the risks posed to customers and confirm that these providers conduct risk management according to DORA standards. The joint European Supervisory Authorities–the EBA, EIOPA, and ESMA–published a draft Regulatory Technical Standards (RTS) in July 2024 specifying the required elements of the risk management framework. Among other things, these documents covered the standard forms, templates, and procedures for financial entities to report a major incident and notify a significant cyber threat.

Information sharing and threat intelligence

DORA encourages financial institutions to “exchange cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures,” as well as “cyber security alerts and configuration tools.” The goal here is to raise situational awareness of cyber threats to prevent future security incidents.

Incident reporting plays a significant role in this information exchange. By properly identifying, assessing, categorizing, and reporting incidents, organizations help regulators monitor trends in cybercrime and other cyber threats.

CyberUgrade solutions to help organizations achieve DORA requirements

Conducting cybersecurity infrastructure assessments, developing policies, and assessing third-party providers – the list of responsibilities is daunting for organizations affected by DORA. With the regulation coming into effect in January 2025, it’s more crucial than ever to begin reinforcing your operational resilience.

CyberUpgrade is an expert at providing compliance solutions for DORA, NIS2, and ISO 27001 certification. Using CISO Copilot and CoreGuardian monitoring dashboard, CyberUpgrade can fast-track your DORA compliance preparation. No need for a dedicated cybersecurity team, or prior cybersec/compliance knowledge.

CyberUpgrade can make DORA compliance straightforward and efficient by helping you with the following:

  • Development of a comprehensive risk management framework for the identification, protection, prevention, detection, and recovery of ICT-related issues
  • Standardization of incident classification and automation of the incident reporting process to ensure timely and EU standard-compliant reports
  • Technical testing services, including large-scale, threat-led tests conducted by independent testers
  • Information and intelligence sharing, with up-to-date guidelines on managing cyber threats and vulnerabilities

Streamline your DORA compliance process today by booking a demo with CyberUpgrade.

FAQ

Leave a Reply

Your email address will not be published. Required fields are markedmarked