The Digital Operational Resilience Act (DORA), which comes into full effect on 17 January 2025, aims to prevent and mitigate cyber threats by establishing a comprehensive ICT risk management framework for the EU financial industry.
In this article, we outline the main elements of DORA, as well as key recommendations for preparing effectively for this important new regulation.
What is the DORA regulation?
DORA is a new EU regulation which seeks to ensure that financial institutions and critical ICT providers advance their cyber security and operational processes to safeguard their key systems, enhancing the industry’s operational resilience.
It is a robust regulatory framework aimed at harmonising disparate EU regulations into a single regulation that will be implemented by every EU state. The span of organisations in scope of this regulation is expansive, and some may not yet fully understand its risks and ramifications.
As with the lead-up to the launch of the GDPR, many businesses may underestimate the amount of work required to become compliant, and those based outside the EU may not realise that they also need to pay attention to the changes.
How will DORA help to advance operational resilience?
The overriding objective of DORA is to ensure digital operational resilience and to strengthen the IT security of financial entities such as banks, insurance companies and investment firms.
Digital operational resilience is defined as the ability of a financial entity to build, assure and review its operational integrity and reliability. This includes ensuring the security of network and information systems, either through direct means or through indirect services provided by ICT third-party service providers.
Maintaining operational resilience in a fast-moving commercial environment is a critical challenge for financial institutions. Alongside continually evolving cyber threats, the sharp rise in organisational reliance on cloud applications and services has created a riskier and more complex business landscape.
Under DORA, all impacted companies across EU member states must ensure that they understand the ICT risks facing their organisation. They must then take steps to ensure they are able to monitor, detect, withstand, respond to and recover from ICT-related threats and disruptions. These measures must be proportional to the potential risks.
DORA is related to two other key EU regulations: NIS2 and PSD2.
When will DORA requirements be enforced?
DORA requirements entered into force on 16 January 2023, and will be enforceable after 24 months. This means that financial entities are expected to be fully compliant by 17 January 2025. While some further details of the regulation are still being finalised, companies need to be aware of the regulation’s key elements to plan for the changes ahead.
The DORA implementation timeline
What are the five pillars of DORA?
DORA is based on five key pillars:
- ICT risk management: A comprehensive risk management framework for ICT systems including policies, procedures, regular assessments and programs.
- ICT-related incident response and reporting: Standardised reporting of ICT-related incidents based on predefined criteria, timelines and templates.
- Digital operational resilience testing: Testing and assurance of technology resilience through a combination of techniques including, but not limited to, vulnerability scanning and threat-led penetration testing (TLPT).
- ICT third-party risk: Stricter controls and processes for third-party risk management and oversight, including upkeep of a suite of ICT outsourcing registers.
- Information sharing: Mechanisms for sharing information on threat actor activity.
Some of DORA’s requirements are straightforward and align with previous or existing regulations applicable to the financial industry, so they should represent only a small change from what businesses are already doing. However, other requirements are more challenging and prescriptive and will require additional effort and resources to ensure compliance.
Which organisations are impacted by DORA?
The regulation’s scope is very broad and covers nearly all types of firms in the financial sector, as well as ICT providers working with or for financial institutions. It is also very important to understand how proportionality affects your organisation’s obligations in relation to DORA.
A notable requirement is that ICT providers deemed to be “critical third parties”, such as cloud platforms or data analytics services, need to establish a subsidiary within the EU within 12 months of designation (if they do not already have an EU establishment) to ensure that effective oversight can be implemented. As part of DORA, the supervisory authorities also retain the right to conduct inspections on critical technology service providers outside of the EU as deemed required.
What are the risks of failing to comply with DORA?
Entities found to be in violation of the regulation may face fines of up to 2% of their total annual worldwide turnover or, in the case of an individual, a maximum fine of €1 million. The penalties applied will depend on the severity of the violations and cooperation with local national competent authorities.
What are the key requirements for compliance?
DORA’s requirements for financial entities and ICT providers cover four key areas:
1. ICT risk management and governance
DORA makes an organisation’s management body or board ultimately responsible for digital operational resilience and ICT risk management. Companies are also expected to set up appropriate cyber security protection measures, including policies and repeatable programs relating to, for example, patch management; technical controls or solutions such as encryption and SIEM/MDR; and security testing mechanisms such as penetration testing, vulnerability scanning, secure configurations/hardening and tabletop exercises.
The requirements closely echo the US SEC rule changes from 2023. These require companies to describe the nature of their board’s oversight of cyber security risks and their management team’s expertise in assessing and managing material cyber security risks.
2. Incident response and reporting
DORA includes rigorous rules on incident response and reporting to regulatory bodies. Relevant entities are required to set up systems to monitor, manage, log, classify and report ICT-related incidents.
Businesses must then submit reports to regulators and affected clients and partners for all major ICT incidents. The exact reporting requirements and time frames are:
Content and timelines for reporting
These requirements are extremely challenging, demanding exacting incident response plans and fast, seamless coordination between teams, affected business functions, counsel and response or forensics vendors.
3. Digital operational resilience testing
To meet the requirements set out by DORA, organisations must regularly test their ICT systems in order to effectively assess their defences and identify vulnerabilities. In some cases, companies should report test results and associated plans to the relevant competent authorities for validation.
The many types of testing techniques available to help organisations meet DORA requirements include vulnerability scanning, penetration testing, red teaming and tabletop exercises.
4. Third-party risk management
With incidents and data breaches associated with third parties increasing, it is hardly surprising that third-party risk management forms a key aspect of DORA. DORA applies to financial entities and to the ICT providers that support the financial sector. As a result, financial companies must be proactive in the way they manage ICT third-party risk. They should also be vigilant about how they review and plan for the tough requirements affecting updates to contractual arrangements. Failing to do so could leave a financial entity unable to continue working with ICT providers that cannot meet the new requirements.
Preparing for DORA: How Kroll can help
Updating controls and processes in line with DORA can be a daunting prospect. While DORA is largely an extension of obligations, practices and activities that already exist, its requirements are often more prescriptive because they introduce enhanced requirements, especially for business continuity planning and third-party risk. The consequence of this is the need to make critical changes to your internal controls environment ahead of the implementation deadline.
Given DORA’s breadth and complexity, early preparation and planning are key. DORA is a law, not a recommendation or a guideline, so from 2025 the associated regulatory risk and potential repercussions are very real. If you haven’t already started to do so, it is important to act now in order to be prepared before the final date to comply with DORA. This can be achieved more easily and quickly by accessing support from partners with proven expertise.
With unrivalled expertise in cyber security assessments and program design, cyber resilience risk management, incident response, digital resilience testing and third-party risk management, Kroll is uniquely positioned to provide in-depth support to help your organisation to prepare for and fully meet DORA requirements. We have a long track record of working with financial institutions to enable them to achieve their security and regulatory goals.