What is DORA? The Digital Operational Resilience Act
Adopted January 16, 2023, and scheduled to go into effect January 17, 2025, the Digital Operational Resilience Act (DORA) is a new EU regulation intended to ensure financial sector organizations are resilient in the face of minor or catastrophic disruptions, such as cyberattacks. The regulatory framework requires organizations to show they can withstand, respond to, and recover from all types of data, communication, and technology-related disruptions and threats. The rules cover protection, detection, containment, recovery, and repair capabilities.
In this article, you'll find:
- DORA Requirements
- Which Organizations are Impacted by DORA?
- What are the DORA Compliance Requirements?
- The 5 Pillars of DORA Regulation
- Staying Compliant: What Does DORA Mean for Your Organization?
- What are the Biggest Challenges?
- Important DORA Compliance Dates and Timelines
The law applies to over 20 different types of financial entities such as banks, insurers, and investment firms and the third parties that interact with them. The rules also cover all information and communication technologies (ICT) third-party service providers. Just as the GDPR coordinates data privacy regulation, DORA is designed to consolidate and upgrade cyber resilience, ICT risk and cyber risk management in financial services.
DORA Requirements
In broad terms, DORA requires financial entities to focus on:
- Evaluating current ICT frameworks.
- Enhancing cybersecurity measures.
- Establishing governance structures that support the ongoing maintenance of digital operational resilience.
DORA’s rigorous requirements and structured approach will help the financial sector fortify itself against complex digital risks and cybersecurity threats, ensuring a stable, resilient, and secure financial environment across the EU. Integrating these requirements into your organization’s framework prepares it for current digital challenges and builds a foundation for adapting to future technological advancements.
What is ICT risk management?
ICT risk management is not a new concept. However, DORA’s sweeping mandates require financial entities to thoroughly revise their current practices and frameworks. The act doesn’t just mandate comprehensive revisions to ICT risk management practices; it also intensifies the accountability of a financial institution’s internal management bodies, which are tasked with the pivotal role of crafting and endorsing the company’s strategy for digital operational resilience. The strategy must also be supported by clearly defined ICT disruption risk tolerances, key performance indicators (KPIs), and risk metrics that align with DORA’s enhanced ICT security standards.
In the aftermath of a severe business disruption, DORA requires financial entities to conduct rigorous business-impact analyses to:
- Help them understand the potential repercussions of future ICT disruptions.
- Guide them in prioritizing remediation efforts to address identified vulnerabilities.
This proactive approach ensures financial entities are prepared to handle disruptions and are capable of continuing operations with minimal impact or downtime.
Enhancing Cybersecurity Measures
DORA mandates cybersecurity protection measures including policies around the following:
- IAM (Identity and Access Management)
- Anomaly Detection
- Malware Scanning
- Threat Response
- SIEM and SOAR
- Patch Management
- Data Reporting and Insights
Cyber resiliency best practices covering these cybersecurity protection measures and more enable financial organizations to prepare for a cyber incident, minimizing downtime and the impact of a cyberattack.
Digital Operational Resilience
Further emphasizing the need for transparency and accountability, DORA mandates the creation of a robust communication strategy within each organization, including assigning a dedicated point person responsible for managing and reporting on ICT-related incidents. These clear lines of communication are essential for timely reporting and response, reducing the potential impact of any ICT issues on the entity's operations.
Moreover, a deep understanding of the interconnections between an entity's ICT assets, processes, and systems is crucial. DORA requires financial institutions and providers to undertake comprehensive mapping of these components to identify critical vulnerabilities and enhance overall operational resilience in the event of an incident or breach. Developing recovery playbooks and running tabletop exercises, a best practice that builds on this dependency mapping, clarifies the response process across departments and increases business resiliency.
Financial entities should also engage with "critical" ICT service providers to ensure that they, too, are preparing for the changes and understand their roles in supporting financial institutions under the new regulatory environment.
Which Organizations are Impacted by DORA?
DORA doesn’t only apply to banks and financial institutions. It targets the entire EU financial sector, including critical suppliers and vendors such as technology providers and payment service providers.
Key industries and entities impacted by DORA regulations include:
- Banks. As core financial institutions, banks must comply with stringent ICT and security risk management practices under DORA.
- Insurance Companies. Insurance providers, including reinsurance firms, must ensure their digital processes and data handling adequately defend against disruptions and cyber threats.
- Investment Firms. Given their high reliance on digital technologies for market operations, companies dealing in securities trading and investments are also covered by DORA.
- Payment Services Providers. Firms that provide payment systems and services must safeguard their operations against ICT threats to maintain financial transaction trust and functionality.
- Crypto-Asset Service Providers. As the financial landscape evolves, digital asset and cryptocurrencies service entities are also expected to adhere to these regulations.
- Credit Institutions. This includes a variety of lending institutions outside traditional banks, such as credit unions and mortgage lenders.
- Critical Third-party Providers. Cloud computing services and other crucial ICT service providers essential to the operations of financial entities will be required to comply with DORA to ensure the financial sector's operational resilience is not compromised by external dependencies.
- Crowdfunding service providers.
- Credit rating agencies.
Article 2(3) of DORA exempts certain entities due to their limited size or significance, including:
- Managers of alternative investment funds.
- Specific insurance and reinsurance undertakings.
- Small-scale institutions operating pension schemes for 15 or fewer members.
- Small insurance intermediaries with fewer than 10 employees and with a balance sheet or annual turnover not exceeding 2 million euros.
- Post office giro institutions (POGI).
Member states can, at their discretion, also exempt specific national credit or investment entities.
What are the DORA Compliance Requirements?
DORA is a highly significant and comprehensive regulatory initiative that lays out a precise framework for addressing the increasing complexity and connectivity of digital systems within the EU’s financial industry. By setting a unified standard across member states, it ensures all entities within the financial sector, including banks, insurance companies, investment firms, and payment service providers, are adequately equipped to manage and mitigate risks associated with their ICT systems and services.
A key focus area under DORA is enhancing cybersecurity measures. Financial institutions must implement robust cybersecurity policies and controls that prevent, detect, and respond to a wide range of cyber threats, including continuous monitoring and testing of their cyber defenses as well as quick recovery and response mechanisms to minimize potential cyber incident impacts.
Data protection is also highly scrutinized under DORA, with its regulations mandating that financial entities establish comprehensive data governance frameworks that ensure data integrity, confidentiality, and availability. This includes implementing zero trust security measures to protect sensitive customer and financial data against unauthorized access, data breaches, and losses, thereby reinforcing trust in the financial sector’s digital operations.
Just as blueprints provide exact building specifications or sheet music leaves little room for improvisation, DORA is notably prescriptive, containing specific instructions, criteria, and templates for compliance. This detail-oriented approach indicates regulators intend to take a hands-on role in its oversight and enforcement.
DORA goes beyond standardizing resilience practices across the financial sector. It also ensures financial institutions are consistently prepared to handle the challenges the digital landscape poses, ultimately safeguarding the sector’s stability and the broader economic environment. Its essence can be distilled into five core pillars that address various domains or aspects of ICT and cybersecurity.
The 5 Pillars of DORA Regulation
DORA’s five main “pillars of operational resilience” are:
- ICT risk management is a set of key principles and requirements for an ICT risk management framework.
- ICT-related incident reporting aims to harmonize and streamline reporting.
- Digital operational resilience testing subjects financial institutions to basic and advanced testing.
- ICT third-party risk uses principle-based rules to monitor third-party risk, contractual provisions, and oversight frameworks.
- Information sharing covers voluntary information and intelligence exchange on cyber threats.
Let’s take a closer look at each pillar and how it functions.
Pillar 1: ICT Risk Management
ICT risk management under DORA involves wide-ranging principles and requirements that go much further than previous standards. It establishes a formal ICT risk management framework that mandates regular risk assessments, thorough identification, well-defined risk mitigation strategies, and continuous monitoring. Unlike pre-DORA practices, which vary in rigor and scope, DORA sets a uniform standard across the EU, ensuring all financial entities have a consistent approach to managing ICT risks. For example, banks must now periodically test their cybersecurity defenses and update their risk mitigation strategies based on emerging threats. They must implement cybersecurity protection measures, including policies around IAM (Identity and Access Management), anomaly detection, malware scanning, threat response, data insights, SIEM, SOAR, and patch management. Most institutions will need to review their governance arrangements, policies, risk assessment, control, and mapping activities to ensure they align with DORA’s specific requirements.
DORA clearly establishes that an entity’s management body is responsible for ICT management. This includes board members, executives, and senior managers. They must establish and implement risk management strategies. Failure to comply could lead to personal accountability.
Pillar 2: ICT-related Incident Reporting
DORA streamlines ICT-related incident reporting by introducing harmonized reporting requirements. In short, it compels organizations to establish a cohesive process for detecting, managing, and duly notifying regulators of significant cyber incidents. This ensures all financial institutions report incidents in a consistent manner, which, in turn, facilitates better data collection and regulatory oversight. Broader than GDPR, it covers both data breaches and ICT incidents.
Where previous reporting standards often varied between jurisdictions, leading to inefficiencies and gaps in regulatory knowledge, under DORA, all entities must adhere to standardized conventions. For instance, a payment service provider experiencing a data breach must now follow specific protocols to report the incident to regulators, ensuring timely and uniform responses across the sector.
Pillar 3: Digital Operational Resilience Testing
In a step up from previous requirements, which often lacked specificity or uniform standards, financial institutions must now engage in both basic and advanced resilience testing. This testing includes regular vulnerability assessments and penetration tests designed to identify and address potential weaknesses in digital systems. An example would be a securities firm conducting annual advanced scenario-based testing to simulate a sophisticated cyberattack with the goal of better understanding and improving its response strategies.
Pillar 4: ICT Third-party Risk
This pillar introduces principle-based rules for monitoring and managing risks associated with external service providers. This is more comprehensive than previous standards, which might not have systematically covered third-party risks. DORA requires financial institutions to implement rigorous oversight frameworks and include specific contractual provisions to ensure third-party compliance with DORA standards. For instance, a bank using an outside cloud service provider must now ensure the provider meets DORA’s operational resilience requirements and regularly reviews these arrangements.
DORA requires entities to conduct thorough third-party service provider assessments, map their dependencies, and ensure security and integrity, including arrangements for clear exit strategies. Meaningful plans must be in place for how to transition data, applications, and services from a cloud computing environment back to on-premises or to another cloud provider. It is also important to note that entities will have the authority to prevent providers from making contracts with those who fail to comply with DORA.
Pillar 5: Information Sharing
This pillar marks a considerable shift from standard procedure, encouraging the voluntary exchange of information and intelligence about cyber threats among financial entities. Unlike earlier practices that tended to be less structured and more isolated, this collaborative approach facilitates sharing through designated channels, enhancing collective digital resilience. For example, financial institutions can now participate in a shared platform, what DORA refers to as a “trusted community of financial entities,” where they report and discuss cyber threat indicators, helping the entire sector prepare better for potential cyber incidents.
Staying Compliant: What Does DORA Mean for Your Organization?
Adhering to DORA’s stringent standards, organizations benefit by:
- Avoiding potential penalties.
- Strengthening their operational resilience against ICT threats.
- Gaining greater trust from customers and stakeholders.
- Building a stronger reputation and competitive advantage in the financial market.
Compliance with DORA also indicates a commitment to being part of a unified approach that facilitates smoother operations and interactions within the EU financial market and with regulatory bodies.
DORA’s impact is certain to be profound, necessitating a comprehensive overhaul of a financial organization’s current ICT systems and governance. To prepare for the transition, institutions must adopt stringent measures for managing ICT risks, including developing robust risk management frameworks, detailed incident reporting procedures, and rigorous resilience testing. If it’s to be effective, this monumental shift will require not only initial changes but also a sustained organizational commitment to continuous improvement and adaptation.
As businesses enhance their cybersecurity measures and operational resilience, they naturally align with DORA's goals, promoting a safer financial environment.
The European Supervisory Authorities (ESAs), made up of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), will play an integral role in this transition, ensuring financial institutions across the EU uniformly apply DORA’s standards. By overseeing the implementation, providing guidelines, and monitoring compliance, the ESAs will help maintain the EU’s financial system’s integrity and resilience, with their oversight ensuring the sector meets required standards and embraces the principles of digital resilience as fundamental to operations.
To ensure compliance, financial institutions should plan to integrate these new requirements into daily operations:
- Start with a thorough assessment of existing ICT infrastructures and practices against DORA’s requirements, extending to the assessment of third-party service providers to ensure all associated risks are managed appropriately.
- Routine employee training and awareness programs ensure everyone understands their role in maintaining cybersecurity and resilience. It’s also worth considering establishing dedicated teams or working with external experts to oversee the implementation process.
- Regular audits and resilience testing continuously identify gaps and areas for improvement.
Fostering a culture of resilience and maintaining open communication with the ESAs and other regulatory bodies will allow financial entities to remain agile in their compliance efforts. By treating compliance as an ongoing process, institutions can stay abreast of evolving regulations and best practices while realizing the benefits of DORA’s interconnected approach to impact, oversight, and compliance.
What are the Biggest Challenges?
For organizations, the greatest challenge to complying with DORA is most likely having to extensively overhaul their existing ICT frameworks to meet the act’s stringent new regulations, including:
- Upgrading cybersecurity measures.
- Establishing comprehensive incident reporting systems.
- Integrating robust third-party oversight mechanisms.
For many entities, particularly smaller ones, these demands could prove resource-intensive, involving significant financial and operational adjustments.
Businesses were given 24 months to address these challenges using a phased approach to compliance, prioritizing the most critical elements first and gradually expanding their resilience measures. Investing in training and development will ensure all employees understand the new requirements. Additionally, it could be beneficial to seek external expertise, collaborating with specialized cybersecurity and compliance professionals to develop tailored strategies and solutions. By adopting a strategic, step-by-step approach, organizations can effectively meet DORA's demands, ensuring their operations are both compliant and resilient.
Important DORA Compliance Dates and Timelines
DORA goes into effect on January 17, 2025. All qualifying financial entities will need to have available by that date a comprehensive register of their contractual arrangements with ICT third-party service providers. These registers will allow:
- Financial organizations to monitor their ICT third-party risk.
- EU authorities to supervise ICT and third-party risk management at the financial organizations.
- The ESAs to designate critical ICT third-party service providers subject to EU-level oversight.
To help financial organizations with the preparation and submission of the DORA registers of information on their ICT third-party service providers, the ESAs and other authorities will conduct dry-run exercises on a best-effort basis in 2024:
- April 24, 2024: Introductory workshop for the industry.
- June 24, 2024: ESAs workshops with participating entities and competent authorities.
- August 24, 2024: Registers of information collected from participating entities through their competent authorities.
- October 24, 2024: Data cleaning and quality checks end.
- November 24, 2024: ESAs “lessons learned” workshop on data quality.
- December 24, 2024: Publication of aggregated data quality report.
With years of experience supporting data security requirements for the financial sector, Arctera is well-equipped to meet DORA’s new strict security requirements. We deliver secure, dependable, and scalable software and hardware systems that ensure business-critical systems run efficiently and help financial entities maintain compliance.
Contact us online to learn more about DORA compliance and how we can help your organization.
About Arctera
Arctera helps organizations around the world thrive by ensuring they can trust, access, and illuminate their data from creation to retirement. Created in 2024 from Veritas Technologies, an industry leader in secure multi-cloud data resilience, Arctera comprises three business units: Data Compliance, Data Protection and Data Resilience. Arctera provides tens of thousands of customers worldwide, including 70% of the Fortune 100, with market-leading solutions that help them to manage one of their most valuable assets: data.