DORA Compliance

Understand the requirements of the EU’s Digital Operational Resilience Act (DORA) and how to prepare your organization with DORA cybersecurity and software solutions.

Contact Us Get the Guide

What Is DORA?

The Digital Operational Resilience Act (DORA) is one of the newest mandates governing how European Union (EU) financial services organizations manage IT and cyber risks. 

The Goal

The goal of DORA cybersecurity compliance is to strengthen the information and communication technology (ICT) security of those operating in the EU financial sector. It accomplishes this by streamlining and upgrading existing rules pertaining to digital operational resilience and introducing new requirements to address cybersecurity gaps. Notably, it requires companies to enhance risk management, incident reporting processes, testing, and compliance related to critical third-party partners.

Reliance on ICT Technologies

As EU financial entities (FEs) increase their reliance on ICT technologies, it has become necessary to increase security scrutiny on the ICT third-party service providers (ICT TPPs) that support them. As third parties, ICT vendors play a vital role in the prompt and secure delivery of financial services, which in turn impacts market forces across various industries and interdependent economies. 

Addressing Supply Chain Risk

DORA seeks to reduce the risk of supply chain attacks and increase the cybersecurity of the EU’s financial sector by enhancing the security and operational resilience of ICT vendors through new and robust legislation. 

Get the Guide

 

DORA's General Objectives

icon

Objective One

Reduce the risk of financial disruption and instability within the EU's financial sector by increasing the digital operational resilience and cybersecurity of its information and communication service providers.

icon

Objective Two

Reduce the administrative burden of EU financial service providers assuming ICT security risk and increase supervisory effectiveness.

icon

Objective Three

Increase consumer and investor protection for those participating in financial affairs regulated by the European Union.

DORA Compliance

Is DORA Compliance Mandatory?

Yes, compliance with DORA is mandatory for all financial institutions operating within the European Union, and their critical third-party information and communication technology providers (CTTPs).

DORA Compliance Deadlines

All applicable entities must adhere to DORA legislation by January 17th, 2025. As noted in a public statement issued by the European Supervisory Authorities (ESAs) on December 4, 2024, “DORA does not provide for a transitional period” so “financial entities are expected to identify and address in a timely manner gaps between their internal setups and the DORA requirements.” 

Below is a list of key dates for DORA compliance:  

calendar

January 17, 2023

Article 64 states DORA is now in effect.

calendar

January 17, 2025

Article 64 states DORA requirements will be enforced.

calendar

April 30, 2025

The ESAs will collect from competent authorities the information necessary for the assessment of criticality criteria in relation to ICT services provided

calendar

January 17, 2026

Article 58 states the European Commission will review the appropriateness of the strengthened requirements.

Consequences and Penalties of DORA Non-Compliance

Each EU member state holds the authority to enforce DORA within its own jurisdiction. The penalties of DORA non-compliance include:

  • Fines of up to 2% of a company's total annual worldwide turnover
  • Individual fines up to 1 million euros
  • Up to 5 million euros in fines for ciritcal third-party providers (CTTPs)

Additional potential penalties include suspension of services, mandatory remedial measures, audits, and public notices.

Who Needs to Comply with DORA?

Financial Entities (FEs)

DORA applies to any organization that manages, transfers, holds, insures, invests, creates, protects, or raises money as well as those that grade investments. Examples include the following:

 
bank-icon

Banks

 
insurance-icon

Insurance & Reinsurance Firms

 
credit-institutions-icon

Credit Institutions

 
audit-icon

Auditors & Audit Firms

 
brokers-icon

Brokers

 
trade-repositories-icon

Trade Repositories

 
management-icon

Management Firms

 
rating-icon

Credit Rating Agencies

 
crypto-icon

Crypto-Asset Providers

 
crowdfunding-icon

Crowdfunding Services

Third Parties Are Now Subject to Regulation

With DORA in place, a financial organization’s previously unregulated supply chain partners may now expect to fall under the supervision of regulators. This includes third-party vendors that supply ICT software, but not hardware . These include:

  • Brokers
  • Providers of Digital & Data Services
  • Crowdfunding Services
  • Providers of Software & Data Analytics
  • Data Centers

DORA and Cybersecurity

Working toward DORA compliance gives financial institutions and members of their third-party networks an excellent opportunity to take a fresh look at security vulnerabilities and everyday risk management practices. Addressing weak points can present a strategic advantage in an ever-challenging digital landscape and help address similar elements of multiple regulations. 

At its heart, DORA is designed to ensure that the EU’s financial services organizations can maintain business as usual in the event of a cyberattack. Standardized requirements for increasingly linked entities (and those in their extended supply chains) will help the EU financial community achieve stronger overall cyber protection through better assessment, reporting, and communication of information communication technologies risk. This, in turn, will reduce the risk of attacks which result in downtime, lost business, and financial loss.

Learn More About Cybersecurity Solutions

Download DORA Guide

DORA Requirements

DORA's five fundamental pillars address the following cybersecurity measures:

1. Information Communication Technologies (ICT) Risk Management

Under DORA, financial institutions in the EU are required to assess the risk of cyberattacks.

  • Focus on internal governance and control processes for effective ICT risk management.
  • Ensure management team keeps abreast of risk levels.
  • Implement an internationally recognized information security management system.

2. Classification and Reporting of ICT-related Incidents

Financial institutions are required to notify authorities of any significant cybersecurity incidents as soon as possible.

  • Detect, manage, and alert appropriate personnel of ICT-related incidents.
  • Classify incidents according to factors such as geogrpahic scope and duration.

3. Digital Operation Resilience Testing

ICT systems must regularly be tested by financial institutions to identify vulnerabilities and ensure readiness against a cyberattack.

  • Evaluate readiness for managing cybersecurity incidents; spot flaws, shortcomings, and gaps in digital operational resilience; and swiftly put corrective measures in place.
  • Test critical ICT systems and applications annually. 

4. Information and Intelligence Sharing Between Financial Entities

Under DORA, financial organizations are encouraged to share threat intelligence and cybersecurity best practices among themselves to increase the individual and collective security resilience of EU member states.

  • Enhance reliance through timely exchange of cyberthreat intelligence.
  • Threat intelligence includes any indication of compromise; tactics, techniques, and procedures (TTP); or cybersecurity alerts.

5. Third-Party Risk Management

DORA requires EU financial services providers to assume and manage the risk incurred by their CTTPs.

  • Adopt and regularly review your ICT third-party risk strategy.
  • Maintain a Register of Information outlining all contractual arrangements with ICT third-party service providers.
  • Adhere to guidelines for adding or ending ICT third-party service agreements, including risk assessment.

Key DORA Deliverables for 2025

DORA requires the following from financial entities (FEs) by January 17, 2025:

1. An ICT risk management framework

This should identify all ICT supported business functions and their associated risks.

2. Continuous control and monitoring of ICT tools

This ensures that critical protections are ongoing and that entities receive early warning of threats.

3. Advanced testing of digital operational resilience

Entities are also required to create a threat-led approach to testing.

4. Provisions for third-party risk management

  • ICT third-party service provider (TPP) contracts must align with DORA.
  • FEs must maintain a "register of information" on all ICT TPPs.
  • Have a risk concentration management process in place.

5. A reporting and incident classification framework

This provides the vehicle for timely and accurate reporting of significant cybersecurity incidents to authorities.

6. A clearly defined governance structure

The ultimate responsibility for ICT risk management falls on top executives.

DORA Deliverables for Critical Third-Party ICT Providers (CTTPs)

Under DORA, ICT third-party service providers (TPPs) must be ready to support the following FE obligations by the January 17, 2025 deadline. The extent to which ICTs must adhere to the requirements below will vary depending on how critical or important the FE function they support — whether or not they qualify as CTTPs. Here are the ways in which DORA will place mandates on FEs that also place a burden on their ICTs:

  1. Ensure all ICT TPP contracts are DORA compliant.
  2. Maintain a “register of information.”
  3. Establish a process for risk concentration management.
  4. Annually test both business continuity plans and disaster recovery plans.
  5. FEs will need to identify their overall ICT strategy and justify their procurement approach. 
  6. Adopt an ICT TPP risk management strategy.
  7. Document all ICT TPP-dependent processes.
  8. Perform a threat-led penetration test of key systems at least every three years.  

In many cases, financial organizations will not have to start from square one to address the impact of DORA. They may already have a lot of the building blocks baked in due to operational requirements for NIS2, GDPR, PCI DSS, and other compliance standards. Consider a preliminary audit to see how many DORA-compliant measures your financial entity already has in place, then lean on our arsenal of strategic solutions to address the gaps.

How to Prepare for DORA in 5 Steps

It’s easy for non-technical people to underestimate the impact of a regulation like DORA. One key advantage of the regulation is that it helps to raise awareness at the leadership level about the need for investment in projects and teams that will ensure compliance. People, processes, and technology all play a role when it comes to implementing and enforcing an operational resilience strategy.  

5 Steps for Financial Entities (FEs)

The EU’s financial services sector can prepare for DORA compliance in the following ways:

  1. Identify which ICT TPPs provide critical and important functions.
  2. Alter existing ICT TPP contracts to comply with DORA policies and ensure all contracts leverage DORA-compliant verbiage going forward.
  3. Audit vendor onboarding policies to ensure all future partners adhere to DORA measures.
  4. Align current incident response and business continuity playbooks to conform with DORA.
  5. Train top-level executives in the awareness and seriousness of ICT risks.  

5 Steps for Information and Technology Third-Party Service Providers (ICT TPPs)

ICTs providing services to financial entities within the EU can also prepare by doing the following:

  1. Overhaul all current and future contracts to meet DORA provisions.
  2. Ready data for FE’s forthcoming “register(s) of information.”
  3. Ensure internal policies and procedures are altered to reflect DORA changes, including the areas of asset management, encryption, cryptographic controls, data security, patch management, and vulnerability management.
  4. Put incident reporting mechanisms in place that facilitate adherence to DORA’s requirements for prompt notification in the event of a significant cyber incident.
  5. Establish separate onboarding and offboarding strategies for working with a DORA-compliant FE. 

3 Pillars of Preparation: People, Process, and Technology

It’s easy for non-technical people to underestimate the impact of a regulation like DORA. One key advantage of the regulation is that it helps to raise awareness at the leadership level about the need for investment in projects and teams that will ensure compliance. People, processes, and technology all play a role when it comes to implementing and enforcing an operational resilience strategy.  

People

Appoint a champion to oversee DORA compliance from the top.

Clearly define roles and responsibilities.

Educate employees on the new process​.

DORA FAQs

DORA is both an EU Directive and an EU Regulation, making it unique. An EU Directive legislates goals that all EU member states must achieve but leaves the specific implementation of such up to the member states. An EU Regulation is a binding legislative act that applies directly across the entire EU. DORA is considered both a Directive and a Regulation because while it establishes broad, EU-wide laws (Regulation), it also leaves much of the implementation up to the member states (Directive).  

A CTPP, under DORA, is “Critical Third-Party Provider.” This is an ICT TPP that has been established to provide critical services to a financial entity within the EU and is therefore subject to DORA regulations. Not all ICT TPPs are CTPPs.  

The ESAs will collect information from FEs for the designation of which ICT TPPs qualify as CTPPs by April 30, 2025. As not by the European Banking Authority, FEs will leverage a set of Implementing Technical Standards in their submission of the “register(s) of information” due on April 30 to be used for determining CTTP status. 

No doubt your organization already has documented security policies in place for GDPR, but these will need to be supplemented and updated for DORA. DORA requires a risk assessment for each major change in the network and information system infrastructure. That entails assessing the processes and procedures affecting their functions, supporting processes, or information assets. In certain cases, this will align with Data Protection Impact Assessments (DPIAs) under GDPR and can serve as the initial risk assessment to determine if the change will require a DPIA to be conducted. 

DORA is considered a “lex specialis” to the EU’s Network and Information Systems Directive 2 (NIS2). This means that in cases to which DORA applies — i.e., in cases pertaining to Europe’s financial sector and its critical ICTs, which are under DORA’s jurisdiction — DORA’s specific policies take precedence over NIS2’s more general ones. 

DORA Security Solutions from Fortra

Complying with DORA’s requirements will take time and careful planning. Understanding the existing state of your infrastructure allows you to assess risks and prioritize your remediation efforts with Fortra technology and services.

Working toward DORA compliance gives EU financial entities, and their third-party ICTs, an excellent opportunity to take a fresh look at security vulnerabilities and everyday risk management practices. Fortra offers a strong suite of solutions designed to help financial entities and third-party ICTs maintain DORA cybersecurity compliance. They include: 

Identifying security weak points can present a strategic advantage in an ever-challenging digital landscape and help address similar elements of multiple regulations. Not least of all, addressing these issues provides FEs and ICTs the opportunity to be DORA-compliant and continue operating under EU policy in the coming year and beyond. 

Fortra Can Help with DORA Compliance

Contact the professionals at Fortra for a free 30-minute consultation on what solutions are best for your organization. We’ll help you determine what you need to do next to be in compliance with DORA.

 
Contact Us
Learn More About Cybersecurity Solutions from Fortra

More DORA Resources