Adopted January 16, 2023, and scheduled to go into effect January 17, 2025, the Digital Operational Resilience Act (DORA) is a new EU regulation intended to ensure financial sector organizations are resilient in the face of minor or catastrophic disruptions, like cyberattacks. The regulatory framework requires organizations to show they can withstand, respond to, and recover from all types of data, communication, and technology-related disruptions and threats. Rules include protection, detection, containment, recovery and repair capabilities.
The law applies to over 20 different types of financial entities such as banks, insurers, and investment firms and the third parties that interact with them. The rules also cover all information and communication technologies (ICT) third-party service providers. Just as the GDPR coordinates data privacy regulation, DORA is designed to consolidate and upgrade cyber resilience, ICT risk and cyber risk management in financial services.
DORA’s rigorous requirements and structured approach will help the financial sector fortify itself against complex digital risks and cybersecurity threats, ensuring a stable, resilient, and secure financial environment across the EU. Integrating these requirements into your organization’s framework prepares it for current digital challenges and builds a foundation for adapting to future technological advancements.
ICT risk management is not a new concept. However, DORA’s sweeping mandates require financial entities to conduct thorough and extensive revisions to their current practices and frameworks. The act doesn’t just mandate comprehensive revisions to ICT risk management practices; it also intensifies the accountability of a financial institution’s internal management bodies, which are tasked with the pivotal role of crafting and endorsing the company’s strategy for digital operational resilience. The strategy must also be supported by clearly defined ICT disruption risk tolerances, key performance indicators (KPIs), and risk metrics that align with DORA’s enhanced ICT security standards.
In the aftermath of a severe business disruption, DORA requires financial entities to conduct rigorous business-impact analyses to:
This proactive approach ensures financial entities are prepared to handle disruptions and are capable of continuing operations with minimal impact or downtime.
DORA mandates cybersecurity protection measures including policies around the following:
Cyber resiliency best practices cover these cybersecurity protection measures and more, enabling financial organizations to prepare for a cyber incident and minimize downtime and the impact of a cyberattack.
Further emphasizing the need for transparency and accountability, DORA mandates the creation of a robust communication strategy within each organization, including assigning a dedicated point person responsible for managing and reporting on ICT-related incidents. These clear lines of communication are essential for timely reporting and response, reducing the potential impact of any ICT issues on the entity's operations.
Moreover, a deep understanding of the interconnections between an entity's ICT assets, processes, and systems is crucial. DORA requires financial institutions and providers to undertake comprehensive mapping of these components to identify critical vulnerabilities and enhance overall operational resilience in the event of an incident or breach. Developing recovery playbooks and running tabletop exercises is a best practice that clarifies the process across departments and builds on the interconnection mapping for increased business resiliency.
Financial entities should also engage with "critical" ICT service providers to ensure that they, too, are preparing for the changes and understand their roles in supporting financial institutions under the new regulatory environment.
DORA doesn’t only apply to banks and financial institutions. It targets the entire EU financial sector, including critical suppliers and vendors like tech managers and payment service providers.
Key industries and entities impacted by DORA regulations include:
Article 2(3) of DORA exempts certain entities due to their limited size or significance, including:
Member states can, at their discretion, also exempt specific national credit or investment entities.
DORA is a highly significant and comprehensive regulatory initiative that lays out a precise framework for addressing the increasing complexity and connectivity of digital systems within the EU’s financial industry. By setting a unified standard across member states, it ensures all entities within the financial sector, including banks, insurance companies, investment firms, and payment service providers, are adequately equipped to manage and mitigate risks associated with their ICT systems and services.
A key focus area under DORA is enhancing cybersecurity measures. Financial institutions must implement robust cybersecurity policies and controls that prevent, detect, and respond to a wide range of cyber threats, including continuous monitoring and testing of their cyber defenses as well as quick recovery and response mechanisms to minimize potential cyber incident impacts.
Data protection is also highly scrutinized under DORA, with its regulations mandating that financial entities establish comprehensive data governance frameworks that ensure data integrity, confidentiality, and availability. This includes implementing zero trust security measures to protect sensitive customer and financial data against unauthorized access, data breaches, and losses, thereby reinforcing trust in the financial sector’s digital operations.
Just as blueprints provide exact building specifications or sheet music leaves little room for improvisation, DORA is notably prescriptive, containing specific instructions, criteria, and templates for compliance. This detail-oriented approach indicates regulators intend to take a hands-on role in its oversight and enforcement.
DORA goes beyond standardizing resilience practices across the financial sector. It also ensures financial institutions are consistently prepared to handle the challenges the digital landscape poses, ultimately safeguarding the sector’s stability and the broader economic environment. Its essence can be distilled into five core pillars that address various domains or aspects of ICT and cybersecurity.
DORA’s five main “pillars of operational resilience” are:
Let’s take a closer look at each pillar and how it functions.
Pillar 1: ICT Risk Management:
ICT risk management under DORA involves wide-ranging principles and requirements that go much further than previous standards. It establishes a formal ICT risk management framework that mandates regular risk assessments, thorough identification, well-defined risk mitigation strategies, and continuous monitoring. Unlike pre-DORA practices, which vary in rigor and scope, DORA sets a uniform standard across the EU, ensuring all financial entities have a consistent approach to managing ICT risks. For example, banks must now periodically test their cybersecurity defenses and update their risk mitigation strategies based on emerging threats. They must implement cybersecurity protection measures, including policies around IAM (Identity and Access Management), anomaly detection, malware scanning, threat response, data insights, SIEM, SOAR and patch management. Most institutions will need to review their governance arrangements, policies, risk assessment, control, and mapping activities to ensure they align with DORA’s specific requirements.
DORA clearly establishes that an entity’s management body is responsible for ICT management. This includes board members, executives, and senior managers. They must establish and implement risk management strategies. Failure to comply could lead to personal accountability.
Pillar 2: ICT-related Incident Reporting:
DORA streamlines ICT-related incident reporting by introducing harmonized reporting requirements. In short, it compels organizations to establish a cohesive process for detecting, managing and duly notifying significant cyber incidents. This ensures all financial institutions report incidents in a consistent manner, which, in turn, facilitates better data collection and regulatory oversight. Broader than GDPR, it covers both data breaches and ICT incidents.
Where previous reporting standards often varied between jurisdictions, leading to inefficiencies and gaps in regulatory knowledge, under DORA, all entities must adhere to standardized conventions. For instance, a payment service provider experiencing a data breach must now follow specific protocols to report the incident to regulators, ensuring timely and uniform responses across the sector.
Pillar 3: Digital Operational Resilience Testing:
In a step up from previous requirements, which often lacked specificity or uniform standards, financial institutions must now engage in both basic and advanced resilience testing. This testing includes regular vulnerability assessments and penetration tests designed to identify and address potential weaknesses in digital systems. An example would be a securities firm conducting annual advanced scenario-based testing to simulate a sophisticated cyberattack with the goal of better understanding and improving its response strategies.
Pillar 4: ICT Third-party Risk:
This pillar introduces principle-based rules for monitoring and managing risks associated with external service providers. This is more comprehensive than previous standards, which might not have systematically covered third-party risks. DORA requires financial institutions to implement rigorous oversight frameworks and include specific contractual provisions to ensure third-party compliance with DORA standards. For instance, a bank using an outside cloud service provider must now ensure the provider meets DORA’s operational resilience requirements and regularly reviews these arrangements.
DORA requires entities to conduct thorough third-party service provider assessments, map their dependencies, and ensure security and integrity, including arrangements for clear exit strategies. Meaningful plans must be in place for how to transition data, applications, and services from a cloud computing environment back to on-premises or to another cloud provider. It is important to note that entities will have the authority to prevent providers from making contracts with those who fail to comply with DORA.
Pillar 5: Information Sharing:
This pillar marks a considerable shift from standard procedure, encouraging the voluntary exchange of information and intelligence about cyber threats among financial entities. Unlike earlier practices that tended to be less structured and more isolated, this collaborative approach facilitates sharing through designated channels, enhancing collective digital resilience. For example, financial institutions can now participate in a shared platform—what DORA refers to as a “trusted community of financial entities”—where they report and discuss cyber threat indicators, helping the entire sector prepare better for potential cyber incidents.
Adhering to DORA’s stringent standards, organizations benefit by:
Compliance with DORA also indicates a commitment to being part of a unified approach that facilitates smoother operations and interactions within the EU financial market and with regulatory bodies.
DORA’s impact is certain to be profound, necessitating a comprehensive overhaul of a financial organization’s current ICT systems and governance. To prepare for the transition, institutions must adopt stringent measures for managing ICT risks, including developing robust risk management frameworks, detailed incident reporting procedures, and rigorous resilience testing. If it’s to be effective, this monumental shift will require initial changes and a sustained organizational commitment to continuous improvement and adaptation.
As businesses enhance their cybersecurity measures and operational resilience, they naturally align with DORA's goals, promoting a safer financial environment.
The European Supervisory Authorities (ESAs), made up of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), will play an integral role in this transition, ensuring financial institutions across the EU uniformly apply DORA’s standards. By overseeing the implementation, providing guidelines, and monitoring compliance, the ESAs will help maintain the EU’s financial system’s integrity and resilience, with their oversight ensuring the sector meets required standards and embraces the principles of digital resilience as fundamental to operations.
To ensure compliance, financial institutions should plan to integrate these new requirements into daily operations:
Fostering a culture of resilience and maintaining open communication with the ESAs and other regulatory bodies will allow financial entities to remain agile in their compliance efforts. By treating compliance as an ongoing process, institutions can stay abreast of evolving regulations and best practices while securing the benefits of the interconnected nature of impact, oversight, and compliance within DORA’s framework.
For organizations, the greatest challenge to complying with DORA is most likely having to extensively overhaul their existing ICT frameworks to meet the act’s stringent new regulations, including:
For many entities, particularly smaller ones, these demands could prove resource-intensive, involving significant financial and operational adjustments.
Businesses were given 24 months to address these challenges using a phased approach to compliance, prioritizing the most critical elements first and gradually expanding their resilience measures. Investing in training and development will ensure all employees understand the new requirements. Additionally, it could be beneficial to seek external expertise, collaborating with specialized cybersecurity and compliance professionals to develop tailored strategies and solutions. By adopting a strategic, step-by-step approach, organizations can effectively meet DORA's demands, ensuring their operations are both compliant and resilient.
DORA goes into effect on January 17, 2025. All qualifying financial entities will need to have available by that date a comprehensive register of their contractual arrangements with ICT third-party service providers. These registers will allow:
To help financial organizations with the preparation and submission of the DORA registers of information on their ICT third-party service providers, the ESAs and other authorities will conduct dry-run exercises on a best-effort basis in 2024:
With years of experience supporting data security requirements for the financial sector, Veritas is well-equipped to meet DORA’s new strict security requirements. We deliver secure, dependable, and scalable software and hardware systems that ensure business-critical systems run efficiently and help financial entities maintain compliance.
Contact us online to learn more about DORA compliance and how we can help your organization.