DORA Compliance

Understand the requirements of the EU’s Digital Operational Resilience Act (DORA) and how to prepare

Text

The financial services industry is one of the most regulated markets in the world, and evolving cyberthreats require compliance with new and updated regulations. This resource will help you get up to speed on how to leverage your existing cybersecurity compliance initiatives to prepare for the requirements of DORA. 

What Is DORA (Digital Operational Resilience Act)?

Text

The Digital Operational Resilience Act, DORA, is one of the newest mandates governing how EU financial services organizations manage IT and cyber risks. Its goal  is to strengthen the resilience of those operating in the EU financial sector by streamlining and upgrading existing rules and bringing in new requirements to address cybersecurity gaps. Notably, it requires companies to enhance risk management, incident reporting processes, testing, and compliance related to critical third-party partners.

 

DORA's General Objectives

Objective One
Objective Two
Objective Three

What to Expect from the Digital Operational Resilience Act (DORA)

Cybersecurity for Business Continuity

At its heart, DORA is designed to ensure organizations can maintain business as usual in the event of a cyberattack . Having standardized requirements for increasingly linked entities and those in their extended supply chains will help the EU financial community achieve stronger overall cyber protection through better assessment, reporting, and communication of information communication technologies (ICT) risk. 

Extending NIS2 

It’s important to remember that DORA is not a Directive, it’s a Regulation. This means all EU Member States must prove compliance by Jan. 17, 2025, which the European Council has the power to enforce. DORA extends the Network and Information Security (NIS2) Directive, which specifies cybersecurity measures required for the protection of critical infrastructure.

DORA Requirements

Information Communication Technologies (ICT) Risk Management

  • Focus on internal governance and control processes for effective ICT risk management.
  • Ensure management team keeps abreast of risk levels.
  • Implement an internationally recognized information security management system.

Classification and Reporting of ICT-related Incidents

  • Detect, manage, and alert appropriate personnel of ICT-related incidents.
  • Classify incidents according to factors such as geographic scope and duration.

Digital Operational Resilience Testing

  • Evaluate readiness for managing cybersecurity incidents; spot flaws, shortcomings, and gaps in digital operational resilience; and swiftly put corrective measures in place.
  • Test critical ICT systems and applications annually.

Information and Intelligence Sharing Between Financial Entities

Enhance reliance through timely exchange of cyberthreat intelligence. This includes any indication of:

  • Compromise
  • Tactics, techniques, and procedures (TTP)
  • Cybersecurity alerts

Vendor Management

  • Adopt and regularly review an ICT third-party risk strategy.
  • Maintain a Register of Information outlining all contractual arrangements with ICT third-party service providers.
  • Adhere to guidelines for adding or ending ICT third-party service agreements, including risk assessment.
Text

 

Who Does DORA Impact?

DORA applies to any organization that manages, transfers, holds, insures, invests, creates, protects, or raises money as well as those that grade investments.  Examples include the following:

 
Image
bank-icon
Banks
 
Image
insurance-icon
Insurance & Reinsurance Firms
 
Image
trading-icon
Insurance & Reinsurance Firms
 
Image
audit-icon
Auditors & Audit Firms
 
Image
brokers-icon
Brokers
 
Image
trade-repositories-icon
Trade Repositories
 
Image
management-icon
Management Firms
 
Image
rating-icon
Credit Rating Agencies
 
Image
crypto-icon
Crypto-Asset Providers
 
Image
credit-institutions-icon
Credit Institutions
 
Image
crowdfunding-icon
Crowdfunding Services
Text

Third Parties Are Now Subject to Regulation

With DORA in place, a financial organization’s previously unregulated supply chain partners may now expect to fall under the supervision of regulators . This includes third-party vendors that supply ICT software, but not hardware . These include:

  • Brokers
  • Providers of Digital & Data Services
  • Crowdfunding Services
  • Providers of Software & Data Analytics
  • Data Centers

 

What Does DORA Mean for EU Financial Operations?

 

Building on Existing Compliance Initiatives

In many cases, financial organizations won’t have to start from square one to address the impact of DORA. You will have a lot of the building blocks in place due to operational requirements for NIS2, GDPR, PCI DSS, etc. Look at this as an opportunity to review what you already do and ensure those processes are up to date. Use this as the impetus to refresh your processing activities register and to re-engage and identify who can help you from each area of the business to assist with “The DORA Project.”

How Do DORA and GDPR Compare?

No doubt your organization already has documented security policies in place for GDPR, but these will need to be supplemented and updated for DORA . DORA requires a risk assessment for each major change in the network and information system infrastructure, in the processes, or procedures, affecting their functions, supporting processes, or information assets. In certain cases, this will align with Data Protection Impact Assessments (DPIAs) under GDPR and can serve as the initial risk assessment to determine if the change will require a DPIA to be conducted.

How to Prepare for DORA: Key Dates

The time to prepare for DORA compliance is now, despite what may seem like a long lead time. Below are the key dates as set forth in the articles of the regulation.

January 17, 2023
January 17, 2025
January 17, 2026

Impact and Cost of Non-Compliance

Financial Entities​ 

Although monetary penalties have not yet been set​, there is wording about “extensive fines” that will be imposed. Member States will lay down frameworks​, and DORA leaves the door open for potential criminal liability for non-compliance​. 

Critical ICT Third-Party Service Providers ​ 

Monetary penalties may be up to 1% of a service partner’s average daily worldwide turnover in the preceding business year​. These will be applied on a daily basis until compliance is achieved, for a maximum of six months. 

DORA Compliance: People, Process, and Technology

It’s easy for non-technical people to underestimate the impact of a regulation like DORA. One key advantage of the regulation is that it helps to raise awareness at the leadership level about the need for investment in projects and teams that will ensure compliance. People, processes, and technology all play a role when it comes to implementing and enforcing an operational resilience strategy.  

People
Process
Technology

DORA and Cybersecurity

Media
Image
data-security
Text

Working toward DORA compliance gives financial institutions and members of their third-party networks an excellent opportunity to take a fresh look at security vulnerabilities and everyday risk management practices. Addressing weak points can present a strategic advantage in an ever-challenging digital landscape and help address similar elements of multiple regulations.

Learn More About Cybersecurity Solutions          Download DORA Guide

How Fortra Solutions and Products Fit in the DORA Framework

Complying with DORA’s requirements will take time and careful planning. Understanding the existing state of your infrastructure allows you to assess risks and prioritize your remediation efforts with Fortra technology and services.

Mitigate Infrastructure and Software Risks Before They Become an Issue

Identify and address risks within your infrastructure, software, and web applications before an attacker can take advantage of them using Fortra solutions for:​

We Can Help with DORA Compliance

Contact the professionals at Fortra for a free 30-minute consultation on what solutions are best for your organization. We’ll help you determine what you need to do next to be in compliance with DORA.

 
Contact Us