The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. Its goal is to enhance the cyber resilience of the financial sector, ensuring that financial institutions, including banks, investment firms, and insurance companies, can withstand and recover from various types of digital disruptions and cyber threats.

What’s behind DORA?

In February 2016, the world experienced its first cyber bank heist, proving that systemic cybersecurity problems existed in the global financial system. The situation has only deteriorated since then.

The financial sector increasingly depends on digital systems and information. COVID-19 accelerated this trend, driving demand for online financial services and normalizing remote work. These changes created new vulnerabilities for attackers to exploit.

In April 2020, the Financial Stability Board cautioned that “a major cyber incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications.” Recent Russian cyberattacks against Ukraine demonstrate how digital system dependence poses growing threats to critical infrastructure. A cyberattack on financial institutions would inflict substantial economic damage and erode public confidence.

DORA aims to protect the European financial market’s integrity and stability by strengthening the cyber resilience of the entire financial system. Since the system is only as strong as its weakest component, success requires cooperation from all private institutions.

What are the main areas of DORA?

1. Scope and Applicability

DORA applies to a wide range of financial entities, including banks, investment firms, insurance companies, payment service providers, and critical third-party ICT service providers.

2. ICT Risk Management

Financial entities must establish robust ICT risk management frameworks to identify, assess, and manage ICT-related risks. They must ensure their ICT systems and tools are secure and resilient, and that they can maintain critical function continuity during disruptions.

3. Incident Reporting

Entities must report significant ICT-related incidents to relevant authorities to improve the financial sector’s monitoring and response capabilities. The reporting process is standardized to ensure consistency and efficiency in handling and analyzing incidents.

4. Testing and Cybersecurity

Regular testing of ICT systems and cybersecurity measures is mandated to ensure ongoing operational resilience. This includes conducting threat-led penetration testing to identify vulnerabilities and address them promptly.

5. Third-Party Risk Management

Financial institutions must manage risks associated with third-party ICT service providers, including cloud service providers. Requirements exist for overseeing and monitoring third-party providers to ensure they comply with operational resilience standards.

6. Governance and Oversight

Entities must have clear governance structures for ICT risk management, involving senior management and board-level oversight. Organizations need to ensure accountability and proper allocation of responsibilities.

7. Regulatory Coordination

DORA encourages cooperation and information sharing between national and European supervisory authorities to create a harmonized approach to digital operational resilience across the EU.

What happens if I fail to comply?

Financial institutions have until 17 January 2025 to achieve compliance. Organizations failing to meet the deadline face multiple sanctions, including steep penalties, bans on certain operations, or prohibitions against using specific third-party providers until compliance is assured. Beyond regulatory consequences, non-compliance would damage organizational reputation, market trust, and future business prospects, potentially threatening survival.

What to do?

Affected institutions must adopt a holistic cybersecurity approach encompassing everything from cyber defenses to business continuity planning. This will likely increase operational costs initially but prevent far costlier damage later.

Steps for Organizations to Comply with DORA

1. Know the requirements for your organization

Understand DORA’s full text and related guidelines. Identify applicable sections based on your organization’s profile.

2. Assess security posture

Evaluate your current security measures to identify weaknesses and areas for improvement.

3. Enhance third-party risk management

Ensure suppliers and service providers adhere to your cyber risk management standards through due diligence and regular audits.

4. Invest in cybersecurity training

Provide ongoing training for employees to stay updated on the latest cybersecurity practices and threats.

5. Implement robust incident response plans

Develop and regularly test comprehensive plans to handle cybersecurity incidents effectively.

6. Review and update IT infrastructure

Assess and upgrade your IT systems to ensure they meet DORA’s resilience and security requirements.

7. Stay informed

Keep up with updates to DORA, cybersecurity trends, and emerging threats to remain compliant.

8. Allocate resources appropriately

Ensure sufficient budget, personnel, and tools are dedicated to maintaining cybersecurity and compliance efforts.

9. Regularly review and update

Continuously monitor, review, and update your cybersecurity policies, procedures, and systems to maintain compliance and address new risks.

Conclusion

The regulation will establish a standardized and robust vendor risk management framework within the financial sector. Firms must ensure their suppliers and service providers, particularly those designated as critical third-party service providers, adhere to the same cyber risk management standards. This involves performing thorough due diligence, conducting regular audits, and potentially renegotiating contracts to incorporate DORA compliance clauses.

Although DORA introduces new and more defined requirements than previously existed, this development is unsurprising. European Supervisory Authorities have increasingly emphasized enhanced cybersecurity risk management practices within the financial sector for years.

While DORA represents a significant and necessary advancement for securing European financial systems, it introduces uncertainty and increased operational costs. Rebasoft’s team can assist in navigating this transition, offering security assessments to identify security gaps and advanced asset management solutions to strengthen cyber defenses.