In brief
- Financial entities have until 17 January 2025 to ensure compliance with the EU’s Digital Operational Resilience Act (DORA). The new regulation covers requirements toward digital operational resilience testing, Information and Communications Technology (ICT) incident detection and response, and proactive ICT third-party service provider risk
- DORA will apply to a wide range of organizations, from credit rating agencies and investment firms to credit and payment institutions. It also contains provisions aimed at critical ICT third-party service providers in the financial sector
- Complying with DORA requirements demands a thorough gap analysis of the current third-party ICT service provider arrangements, internal testing capabilities and policies, as well as incident detection and management protocols
You don’t have to be an enthusiastic astrologist or a tarot card reader to be fixated on specific dates. Sometimes, dealing with compliance is enough to provide the fixation. Take, for example, 17 January 2025.
If your organization operates within the EU’s financial sector, you’ll already know this date. It’s when the Digital Operational Resilience Act (DORA) becomes applicable. It really is going to be a big deal. If it was a Marvel movie, we’d be saying something like, “With great regulations comes great responsibility.”
And indeed it does. DORA requirements concern the dimensions of People, Processes, and Technology alike (by the way, check out how Zoreza Global’s Lead Solutions Architect, Glen Stokes, broke them down into 234 items). Furthermore, with the DORA regulation in place, your organization’s leadership will also become directly responsible for managing ICT risks – and ensuring compliance.
Nothing quite matches the excitement of a new regulatory compliance deadline, right? So you’d better come prepared – and just to help you along the way, here’s everything you need to know to get ready for the Digital Operational Resilience Act (DORA).
What is DORA?
Let’s start with the basics. The Digital Operational Resilience Act (DORA), or the EU Regulation 2022/2554, is a new EU legal framework. It ensures the digital operational resilience of the EU’s financial system. It comes with new technical standards and obligations regarding ICT risk management. In addition, it covers incident response and reporting on financial institutions and their critical ICT third-party service providers.
To cut a long story short: it’s a set of rules to guarantee the EU financial system stays strong in the face of digital difficulties.
DORA EU regulation is designed to be a comprehensive ICT risk management framework for all financial entities operating in the EU financial sector.
The organizations subject to DORA compliance have to implement specific technical standards to ensure their digital operational resilience by 17 January 2025.
Hence, tick tock, tick tock…
Which organizations does DORA apply to?
Okay, I don’t want to scare you, but the scope is rather significant. The Digital Operational Resilience Act (DORA) will apply to organizations across 21 predefined categories. They include both financial institutions themselves and the critical third-party ICT service providers that serve them. However, the European Supervisory Authorities (ESAs) will name the critical third-party providers only after DORA becomes applicable.
According to Article 2, DORA applies to such financial institutions as:
- Credit institutions
- Payment institutions
- Investment firms
- Insurance and reinsurance companies
- Crypto-asset service providers and issuers of asset-referenced tokens
- Electronic money institutions
- Alternative investment fund managers
- Trade repositories and trading venues
- Central counterparties
- Central securities depositories
The following organizations will also have to ensure DORA compliance:
- ICT third-party service providers
- Data reporting service providers
- Credit rating agencies
- Crowdfunding service providers
If you’re an ICT service provider for EU financial sector players and are registered in another jurisdiction, you’ll need to create a subsidiary in the EU to comply with DORA.
Why has DORA been adopted?
The Digital Operational Resilience Act (DORA) serves two key purposes:
- Unifying the cybersecurity and ICT risk management requirements for financial organizations across all EU member states
- Ensuring the digital operational resilience of the EU’s financial system in the face of significant cyber threats, enabling it to withstand substantial disruptions
DORA is about unified cybersecurity and IT risk management rules. It’s like a regulatory shield that should protect the EU’s financial system against bad guys in cyberspace.
Were there any EU-wide guidelines on ICT and security risk management before DORA? Yes. But they didn’t apply to all financial entities and lacked specific technical standards. Member states’ approaches to the subject also varied wildly.
The DORA framework is the first time the EU regulators have addressed ICT and cybersecurity risk management within financial entities in such detail. It’s also a part of the EU’s larger digital finance strategy looking to support the digital transformation of the financial sector.
5 pillars of DORA regulations
DORA’s mandatory requirements can be grouped into four categories:
- ICT risk management and governance
- Incident response and reporting
- Digital operational resilience testing
- Third-party risk management
The fifth pillar of DORA, information sharing, is voluntary.
ICT risk management and governance
Now, to the fun part. An organization’s board members, executives, and senior managers bear the “ultimate responsibility” for its ICT risk management. Do they have to define and implement risk management strategies? Yes—but there’s more. Leaders can be held personally accountable for any failure to comply with DORA.
Bear in mind the following. DORA’s ICT risk management requirements for financial entities include:
- Developing and implementing a comprehensive and well-documented ICT risk management framework that aims to minimize ICT risk
- Setting up an independent control function to oversee and manage ICT risk
- Documenting and reviewing the ICT risk management framework at least once a year
- Using and maintaining up-to-date, reliable, appropriate, technologically resilient ICT systems, protocols, and tools
- Continuously monitoring the security and functioning of ICT systems and tools
- Deploying security tools, policies, and procedures to minimize the ICT risk and promptly detect anomalous activity
- Establishing a comprehensive ICT business continuity policy as part of an ICT risk management framework
- Defining backup policies and procedures, as well as restoration and recovery procedures and methods
- Putting in place crisis communication plans for major ICT-related incidents
Certain small financial entities are exempt from Articles 5 to 15 of DORA. They can instead put in place a simplified ICT risk management framework, as per Article 16. Those entities include:
- Small and non-interconnected investment firms
- Payment institutions exempted under the EU Directive 2015/2366
- Electronic money institutions exempted under the EU Directive 2009/110/EC
- Small institutions for occupational retirement provision
ICT-related incident classification, response, and reporting
DORA security requirements mandate financial entities to put in place appropriate systems to monitor, manage, record, classify, and report ICT-related incidents.
DORA also outlines the specific criteria which need to be taken into account when classifying ICT-related incidents:
- Duration, including service downtime
- Number of clients/transactions affected
- Reputational impact
- Geographical spread, including whether it affects more than two EU member states
- Data losses entailed
- Criticality of the services affected
- Direct and indirect costs and losses, both absolute and relative
In the event of a major ICT-related incident, financial entities must report it to a competent authority (state regulator or the ESAs). Reporting significant cyber threats remains voluntary.
Digital operational resilience testing
Financial entities are required to regularly test their ICT systems to ensure their resilience in the face of cyber threats.
DORA operational resilience testing requirements include:
- Testing all critical systems at least once a year
- Ensuring the independence of internal or external parties conducting tests
- Establishing procedures and policies to prioritize, classify, and remedy all issues revealed during testing
Digital operational resilience testing can include:
- Vulnerability and network security assessments
- Gap analyses
- Physical security reviews
- Source code reviews (where feasible)
- Scenario-based tests
- Compatibility testing
- Performance testing
- End-to-end testing
- Penetration testing
Financial entities considered critical to the health of the financial system will also be required to conduct threat-led penetration testing (TLPT) once every three years. Third-party ICT service providers will also have to participate in these tests.
The technical standards for TLPT are still in the works.
ICT third-party risk management
In plain words, it’s getting harder and harder to blame someone else.
Requirements for managing ICT third-party risk are what sets DORA apart in the regulatory landscape. The act mandates financial entities to factor in ICT third-party risk in their risk management framework. What’s more, they remain fully responsible for DORA compliance even when external ICT services are involved.
DORA requirements on managing ICT third-party risk include:
- Adopting and regularly reviewing an ICT third-party risk management strategy
- Maintaining a register of information on all ICT third-party contractual arrangements
- Reporting new contractual arrangements to competent authorities at least once a year, or “in a timely manner” if the services support critical business functions
- Identifying and assessing risks before entering a contract with a third-party service provider
- Ensuring the provider follows appropriate security practices before entering a contract
- Including specific exit strategies, audits, and performance targets in the contractual provisions
Information sharing arrangements
While DORA authorizes information exchange on significant cyber threats between financial entities, it doesn’t make intelligence sharing mandatory. However, if you do choose to share intelligence, keep business confidentiality and privacy regulations such as GDPR in mind: the data has to be anonymized before sharing.
What is the current status of DORA?
The Digital Operational Resilience Act (DORA) was adopted in November 2022, published in December 2022, and entered into force on 16 January 2023. Now, organizations have until 17 January 2025 to ensure compliance—that’s when DORA requirements become applicable.
DORA requirements continue to be refined. The European Supervisory Authorities are preparing a set of policies to specify certain provisions of the law. To that end, they held two rounds of public consultations – one for each of the batches of the policy products.
The European Banking Authority, European Insurance and Occupational Pensions Authority, and European Securities and Markets Authority already published the first batch of Regulatory Technical Standards (RTS) as well as the Implementing Technical Standards (ITS). They include the technical standards for:
- Standard and simplified ICT risk management frameworks
- Classification criteria, approach, and materiality thresholds for ICT-related incidents
- ICT third-party service provider policy: governance arrangements; risk management and internal control framework
- Information register templates
These standards are currently awaiting approval from the European Commission. So, they should be considered final drafts for now.
The second batch of the European Supervisory Authorities’ RTSs is coming soon, too. It’s scheduled for publication on 17 July 2024.
How will DORA be enforced?
Following DORA's application in January 2025, the European Supervisory Authorities will determine which service providers are critical to the EU financial system. The ESAs will then assign so-called lead overseers to supervise DORA compliance among them.
The European Supervisory Authorities are:
- European Banking Authority
- European Insurance and Occupational Pensions Authority
- European Securities and Markets Authority
As for other financial entities, designated regulators in each member state will become responsible for policing their compliance. They’ll have the mandate to request remediation measures be taken – and impose both administrative and criminal penalties for non-compliance. The severity of those penalties is up to each member state.
Critical third-party service providers can also be fined for any failure to comply with DORA. The fines are limited to 1% of their average daily global turnover during the previous business year.
How will DORA compliance impact your organization?
Ensuring compliance with the Digital Operational Resilience Act requires organizations to assess its impact on people, process, and technology. Based on our assessment of its 234 items, DORA is bound to put the most strain on processes, with over half of the items (156) falling into this category.
(Disclaimer: this is not an indication of how much time aligning each domain to DORA will take.)
To assess your readiness for the DORA application, start by:
- Assessing the alignment of current ICT third-party risk management and contractual arrangements with DORA requirements
- Reviewing your current approach to network and infrastructure management, vulnerability detection, authentication, and access management and identifying gaps
- Identifying gaps in your ICT incident detection, classification, and response procedures
- Determining which parties will conduct mandatory resiliency and vulnerability testing
- Ensuring comprehensive cybersecurity incident reporting capabilities
- Comparing DORA requirements against applicable regulatory requirements in other jurisdictions (e.g., PS21/3 and Critical Third Parties in the UK, FINMA in Switzerland)
Prepare for DORA compliance with Zoreza Global
DORA won’t remain carved in stone even after it becomes applicable. Technical standards will continue evolving, and regulators will develop new iterations of requirements.
Keeping up with such frequent changes requires a new approach to regulatory compliance, as traditional reporting solutions struggle to keep pace.
We provide comprehensive support to financial institutions in implementing an Integrated Risk Management system, including assistance with testing, training, and updating processes and strategies—all in accordance with DORA regulations. A real-time graph-model Digital Twin for your organization can enable you to swiftly and effectively address new regulations across the three dimensions: People, Process, and Technology. With its help, you can also dynamically assess potential risks and forecast ICT incident impact in the spirit of DORA regulations.
Combined with LLMs, knowledge graphs can enable lightning-fast risk, performance, or value assessment relevant to your organization.
Intrigued?
If you’d like to learn more about preparing your organization for DORA compliance while ensuring digital governance maturity, effectiveness, and cost efficiency, contact us.