Digital Operational Resilience Act (DORA)
Financial institutions are a prime target for cyberattacks. According to the IBM X-Force Threat Intelligence Index, the finance industry has the second-highest frequency of cyberattacks (after manufacturing), with 18.5% of all cyberattacks targeted at financial and insurance organizations.
What Is the EU Digital Operational Resilience Act (DORA)?
In response to these threats, the European Union enacted the Digital Operational Resilience Act (DORA). Its goal is to help and encourage financial services organizations to improve their cybersecurity measures. The Act was introduced on 16 January 2023, and full oversight measures start on 17 January 2025.
DORA provides a unified approach to manage and mitigate cyber threats and security incidents related to information and communication technology (ICT). It puts in place strict security requirements for financial entities and third-party service providers.
Why Is DORA Needed?
Financial services are becoming increasingly digital, making it easier for cyber threats to disrupt financial transactions and markets. Traditional regulatory frameworks were created before the digital age and do not have specific measures to address these threats. DORA aims to standardize cybersecurity (which the regulation calls “digital resilience”) across the European Union’s financial sector.
By setting a common standard, DORA will allow EU financial organizations to more easily withstand, respond to, and recover from cyberattacks and operational disruptions. The goal is to improve the stability of the overall financial system.
According to EU regulators, there is an urgent need for a framework to manage digital risks to financial institutions. The new DORA regulation has measures for strict cyber risk management, and guides financial organizations on ways to improve cyber defenses.
Who Is Affected by the DORA Regulation?
DORA applies to a broad spectrum of entities within the EU financial sector, including banks, insurance companies, investment firms, and payment service providers. It also encompasses critical financial market infrastructures like trading venues and central securities depositories.
This wide-reaching regulation ensures a high level of digital operational resilience across all financial services. The regulation extends to ICT third-party service providers, such as cloud computing services, which are integral to the financial sector’s operations.
The DORA Enforcement Timeline
The DORA regulation will be implemented in several phases, in order to give organizations time to align their operations with the new requirements:
- Public consultation: Between January 2023 and March 2024, legislators collected feedback on the legislation and performed public consultations.
- Release of policy products: Between January and July 2024, the EU is set to publish the “policy products”, official documents specifying DORA requirements.
- Full application of legislation: The legislation will go into effect with full oversight as of January 17, 2025.
Below is the official timeline as published by the European Insurance and Occupational Pensions Authority (EIOPA).
What Does DORA Cover?
The Digital Operational Resilience Act covers the following areas.
Important note: As of the time of this writing, the EU has not yet delivered full documentation on the DORA regulation and its specific requirements for organizations. Please consult the official EIOPA page for updates.
Information and Communication Technology (ICT) Risk Management
DORA mandates establishing comprehensive risk management frameworks to identify, assess, and mitigate ICT risks. This includes developing policies and procedures tailored to manage unique ICT threats effectively. Covered entities must conduct regular risk assessments, ensuring their risk management frameworks remain effective against emerging threats.
Entities are encouraged to adopt proactive measures, such as threat detection and analysis capabilities. This enhances incident prevention and ensures swift and efficient response mechanisms are in place, minimizing potential disruptions and financial losses.
ICT Third-Party Risk Management
Recognizing the significant role of third-party ICT service providers, DORA insists on rigorous risk management practices for these external partnerships. Entities must conduct thorough due diligence before engaging with third parties, assessing their operational resilience and ensuring they comply with DORA’s standards.
This includes establishing clear contractual arrangements, defining roles and responsibilities, and setting performance and compliance benchmarks. Such measures ensure third-party services do not introduce vulnerabilities into the financial sector.
ICT-Related Incidents
DORA requires financial entities to establish mechanisms for identifying, classifying, and managing ICT-related incidents. This includes setting up an incident reporting framework to ensure timely notification to relevant authorities, facilitating a coordinated response to significant incidents that may impact financial markets.
Entities are also required to document and analyze incidents to identify root causes and implement corrective measures. This continuous learning process enhances the sector’s defensive capabilities over time.
Digital Operational Resilience Testing
To verify the effectiveness of their ICT risk management strategies, entities must conduct regular testing of their digital operational resilience. This includes vulnerability assessments, penetration testing, and scenario-based exercises to simulate real-life cyberattacks and operational disruptions.
These tests help entities identify weaknesses in their defenses and adjust their risk management strategies accordingly. They also ensure that entities are prepared to respond effectively to incidents, minimizing potential damage and disruption.
Information Sharing
DORA encourages entities to share information on cyber threats and vulnerabilities within the financial sector. This collaborative approach leverages collective knowledge and experience to enhance the sector’s overall defensive posture, preventing wider systemic impacts from individual incidents.
Participation in information-sharing platforms and adherence to confidentiality protocols are essential under DORA. These facilitate a trust-based environment for collaboration and mutual support.
Oversight of Critical Third-Party Providers
To ensure the resilience of critical third-party ICT service providers, DORA introduces a dedicated oversight framework. This includes establishing a list of critical providers, subject to enhanced regulatory scrutiny, and implementing measures to manage and monitor their compliance with DORA requirements.
This oversight mechanism ensures that critical services supporting the financial sector maintain high standards of digital operational resilience, mitigating risks associated with third-party dependencies.
DORA Compliance Checklist
Entities subject to the Digital Operational Resilience Act should start planning the following tasks.
Note: The following are general measures that are advisable for DORA compliance, but full details about its requirements will only be available in May 2025.
Maintain a Business Continuity Plan
Entities must develop and regularly update a comprehensive business continuity plan (BCP) tailored to their operations. This plan outlines strategies to maintain or quickly resume critical functions in the event of ICT disruptions, ensuring minimal impact on financial stability. Regular testing and updating of the BCP can ensure it remains effective in managing new and evolving threats.
Regularly Test Your Systems and Controls
DORA requires regular testing of IT systems and security controls. This includes conducting vulnerability scans, penetration tests, and other assessments to identify weaknesses in an entity’s digital defenses. The results from these tests inform improvements and adjustments to security protocols, ensuring a strong defensive posture against evolving cyber threats.
Maintain an Incident Management Plan
Under DORA, entities are required to establish a detailed incident management plan. This plan outlines protocols for responding to ICT-related incidents, including escalation procedures, roles and responsibilities, and communication strategies.
Regular training and exercises ensure teams are well-prepared to implement the plan effectively during actual incidents. This reduces response times and mitigates potential impacts.
Protect Customer Data and Adhere to Relevant Regulations
DORA emphasizes the importance of protecting customer data, requiring entities to implement stringent data security measures. Periodic reviews and updates to data protection practices ensure compliance with evolving legal and regulatory requirements. This demonstrates an entity’s commitment to protecting sensitive information, building trust with customers.
Supervise Third-Party Service Providers
Entities must apply rigorous oversight and due diligence processes to third-party service providers and vendors. This includes assessing their operational resilience, compliance with DORA requirements, and potential risks they may introduce. Establishing clear agreements and ongoing monitoring of third-party performance ensures these relationships do not compromise the entity’s digital operational resilience.
How Aqua Helps Financial Institutes Meet the Standard
You’ll learn about:
- The similarities and differences between NIS 2 and DORA, how they share common goals, but focus on different aspects and scopes of application.
- How Aqua CNAPP capabilities align with the key pillars of DORA to help financial institutions meet the standards.
- How Aqua CNAPP complies with DORA and provides capabilities to identify, protect, detect, respond, and recover from ICT risks.