The financial services industry is one of the most regulated markets in the world, and evolving cyberthreats require compliance with new and updated regulations. This resource will help you get up to speed on how to leverage your existing cybersecurity compliance initiatives to prepare for the requirements of DORA.
What Is DORA (Digital Operational Resilience Act)?
The Digital Operational Resilience Act, DORA, is one of the newest mandates governing how EU financial services organizations manage IT and cyber risks. Its goal is to strengthen the resilience of those operating in the EU financial sector by streamlining and upgrading existing rules and bringing in new requirements to address cybersecurity gaps. Notably, it requires companies to enhance risk management, incident reporting processes, testing, and compliance related to critical third-party partners.
DORA's General Objectives
What to Expect from the Digital Operational Resilience Act (DORA)
Cybersecurity for Business Continuity
At its heart, DORA is designed to ensure organizations can maintain business as usual in the event of a cyberattack. Having standardized requirements for increasingly linked entities and those in their extended supply chains will help the EU financial community achieve stronger overall cyber protection through better assessment, reporting, and communication of information and communication technology (ICT) risk.
It’s important to remember that DORA is a Regulation, not a Directive. This means it applies directly in all EU Member States, which must demonstrate compliance by Jan. 17, 2025, and the European Council has the power to enforce it. DORA extends the Network and Information Security (NIS2) Directive, which specifies the cybersecurity measures required for the protection of critical infrastructure.
Information and Communication Technology (ICT) Risk Management
- Focus on internal governance and control processes for effective ICT risk management.
- Ensure the management team keeps abreast of risk levels.
- Implement an internationally recognized information security management system.
Classification and Reporting of ICT-related Incidents
- Detect and manage ICT-related incidents and alert the appropriate personnel.
- Classify incidents according to factors such as geographic scope and duration.
Digital Operational Resilience Testing
- Evaluate readiness for managing cybersecurity incidents; spot flaws, shortcomings, and gaps in digital operational resilience; and swiftly put corrective measures in place.
- Test critical ICT systems and applications annually.
Information and Intelligence Sharing Between Financial Entities
Enhance resilience through the timely exchange of cyberthreat intelligence. This includes any indication of:
- Tactics, techniques, and procedures (TTP)
- Cybersecurity alerts
ICT Third-Party Risk Management
- Adopt and regularly review an ICT third-party risk strategy.
- Maintain a Register of Information outlining all contractual arrangements with ICT third-party service providers.
- Adhere to guidelines for adding or ending ICT third-party service agreements, including risk assessment.
Who Does DORA Impact?
DORA applies to any organization that manages, transfers, holds, insures, invests, creates, protects, or raises money, as well as those that grade investments. Examples include the following:
- Insurance & Reinsurance Firms
- Auditors & Audit Firms
- Credit Rating Agencies
Third Parties Are Now Subject to Regulation
With DORA in place, a financial organization’s previously unregulated supply chain partners may now expect to fall under the supervision of regulators. This includes third-party vendors that supply ICT software, but not hardware. Examples include:
- Providers of Digital & Data Services
- Crowdfunding Services
- Providers of Software & Data Analytics
- Data Centers
What Does DORA Mean for EU Financial Operations?
Building on Existing Compliance Initiatives
In many cases, financial organizations won’t have to start from square one to address the impact of DORA. You will have a lot of the building blocks in place due to operational requirements for NIS2, GDPR, PCI DSS, etc. Look at this as an opportunity to review what you already do and ensure those processes are up to date. Use this as the impetus to refresh your processing activities register and to re-engage and identify who can help you from each area of the business to assist with “The DORA Project.”
How Do DORA and GDPR Compare?
No doubt your organization already has documented security policies in place for GDPR, but these will need to be supplemented and updated for DORA. DORA requires a risk assessment for each major change in the network and information system infrastructure, or in the processes or procedures, that affects the organization’s functions, supporting processes, or information assets. In certain cases, this will align with Data Protection Impact Assessments (DPIAs) under GDPR, and the DORA risk assessment can serve as the initial assessment that determines whether the change requires a DPIA to be conducted.
How to Prepare for DORA: Key Dates
The time to prepare for DORA compliance is now, despite what may seem like a long lead time. Below are the key dates as set forth in the articles of the regulation.
January 17, 2023
January 17, 2025
January 17, 2026
Impact and Cost of Non-Compliance
Although monetary penalties have not yet been set, the regulation refers to “extensive fines” that will be imposed. Member States will lay down the penalty frameworks, and DORA leaves the door open to potential criminal liability for non-compliance.
Critical ICT Third-Party Service Providers
Monetary penalties may be up to 1% of a service provider’s average daily worldwide turnover in the preceding business year. These are applied on a daily basis until compliance is achieved, for a maximum of six months.
DORA Compliance: People, Process, and Technology
It’s easy for non-technical people to underestimate the impact of a regulation like DORA. One key advantage of the regulation is that it helps to raise awareness at the leadership level about the need for investment in projects and teams that will ensure compliance. People, processes, and technology all play a role when it comes to implementing and enforcing an operational resilience strategy.
DORA and Cybersecurity
Working toward DORA compliance gives financial institutions and members of their third-party networks an excellent opportunity to take a fresh look at security vulnerabilities and everyday risk management practices. Addressing weak points can present a strategic advantage in an ever-challenging digital landscape and help address similar elements of multiple regulations.
How Fortra Solutions and Products Fit in the DORA Framework
Complying with DORA’s requirements will take time and careful planning. Understanding the existing state of your infrastructure allows you to assess risks and prioritize your remediation efforts with Fortra technology and services.
We Can Help with DORA Compliance
Contact the professionals at Fortra for a free 30-minute consultation on what solutions are best for your organization. We’ll help you determine what you need to do next to be in compliance with DORA.