Digital Operations Resilience Act (DORA) Regulation
Digital Operations Resilience Act (DORA) Regulation
Ensuring the Cyber Resilience of Financial Institutions.
What is the DORA?
From managing IT and cyber risk to digital operational resilience
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is a regulatory framework established to improve the cybersecurity and operational resiliency of the financial services sector. It complements existing laws such as the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR).
The Digital Operational Resilience Act (DORA), known as the “lex specialis” of NIS2, was introduced by the European Commission in 2020 and aims to strengthen the operational “resilience” of the financial sector in the European Union. It extends and unifies existing European standards and requirements to create a detailed and harmonized framework.
The concept of “resilience” introduces a paradigm shift. It requires companies in the financial sector to organize from the outset to ensure effective management of breakdowns and cyber-attacks.
DORA is based on three fundamental principles:
The Digital Operational Resilience Act (DORA) is expected to come into force on January 17, 2025. This date marks a significant milestone for financial institutions, which will need to comply with the new requirements set out in the legislation.
DORA applies, among others, to credit institutions, payment institutions, crypto-asset service providers, insurance and reinsurance companies, asset managers, and third-party ICT service providers.
DORA is not a one-time compliance exercise, but a requirement to maintain constant resilience in an evolving environment and an increasingly complex technological context.
Why DORA?
Spread of Cyberattacks Across Various Industries
With the financial sector’s growing dependence on digital technology and its expanding interconnectedness, it faces heightened vulnerability to diverse cyberattacks. Indeed, Statista reports that in 2022, the finance and insurance sector ranked as the second most frequent target for cybercriminal activities.
Financial institutions, handling vast sensitive data, are prime targets for hackers, as evidenced by their long-standing awareness of their appeal to cybercriminals. Despite various cybersecurity measures in place, many entities remain underprotected.
Which entities come under DORA?
DORA applies to almost all types of financial entities in the European Union. Although the first institutions that may come to mind are banks and insurance companies, many other organizations are covered by DORA as per Article 2.
DORA mandates financial entities to manage risks associated with third-party suppliers, implying that these suppliers must also comply with DORA regulations.
Banking & Payment
- Credit institutions
- Payment institutions
- Account information service providers
- Data communication service providers
- Electronic money institutions
- Third-party providers of information and communication technology (“ICT”)
Finance
- Investment firms
- Crypto-asset service providers licensed on crypto-asset markets and issuers of tokens referring to one or more assets
- Asset management companies
- Alternative investment fund managers
- Participatory finance service providers
- Central securities depositories
- Central counterparties
- Trading platforms
- Trade repositories
- Securitization repositories
- Credit rating agencies
- Administrators of critical benchmarks
Insurance
- Insurance and reinsurance companies
- Insurance intermediaries, reinsurance intermediaries and incidental insurance intermediaries
- Institutions for occupational retirement provision
What does the DORA framework require?
A paradigm shift in cybersecurity and operational resilience
DORA is not a “one-off” compliance exercise, but a demand to maintain constant resilience in a changing environment and an increasingly complex technological context.
The Digital Operational Resilience Act (DORA) regulations are divided into five categories, each designed to enhance different aspects of cybersecurity in organizations. The main components include:
ICT Risk Management
DORA requires a comprehensive framework for managing ICT-related risks as the foundation for the resilience of financial companies. The governing body assumes ultimate responsibility for managing the ICT-related risk of the financial entity.
Management of Incidents
DORA strengthens incident management in ICT by implementing detection, classification, and mandatory reporting of major incidents, as well as encouraging voluntary reporting of significant cyber threats to authorities.
Cybersecurity Testing
A risk-based approach ensures that critical and important IT systems are regularly tested for their operational resilience and protection against potential disruptions. For instance, a threat-based penetration test must be conducted at least every three years on production systems.
3P Risk Management
DORA mandates detailed record-keeping of all contracts with ICT service providers, particularly highlighting those critical to operations, and sets minimum standards for risk monitoring. It also establishes a European-level framework to oversee critical third-party service providers.
Information sharing
The regulation enables financial firms to exchange cyber threat information among themselves and to receive and act on anonymized threat data provided by the supervisory authority. The aim is to develop defensive capabilities and detection techniques.
What do the fines look like?
The competent authorities of the Member States will have the power to impose administrative sanctions or corrective measures such as the temporary or permanent cessation of any practice or conduct contrary to the provisions of the regulation or to adopt any type of measure, including monetary ones, to ensure that financial entities continue to comply with their legal obligations (Article 50).
Critical third-party ICT service providers violating the DORA regulations may incur daily public fines of up to 1% of their global daily turnover (Article 35), depending on the severity of the violation and their cooperation with authorities. The fine is applied daily until compliance is achieved or for a maximum of six months after notification to the critical ICT service provider.
What Stroople can do for you?
Prepare for DORA today and secure your digital operational resilience tomorrow
Stroople is dedicated to assisting your organization in aligning with DORA’s mandates, ensuring both robust protection and regulatory compliance.
We offer a suite of cyber resilience services tailored for financial institutions, including:
- Risk Assessment: Our team conducts thorough risk assessments to pinpoint vulnerabilities in your digital operations and advises on risk management strategies.
- Compliance Evaluation: We evaluate your organization’s adherence to DORA, offering support and guidance for areas needing enhancement.
- Incident Response Strategy: We aid in crafting a comprehensive incident response plan that aligns with DORA’s stipulations.
- Cybersecurity Evaluations: Through cybersecurity testing, we assess your security infrastructure’s strength, pinpointing and recommending rectifications for any identified weaknesses.
- Management of Third-Party Cyber Risks: We assist in effectively managing cyber risks related to third-party vendors and service providers, ensuring conformity with DORA’s regulations.
Our services are designed not just to ensure your organization’s compliance with DORA but also to embed best practices in cybersecurity and digital resilience.
