Digital Operational Resilience Act (DORA) Regulation
Ensuring the Cyber Resilience of Financial Institutions.
What is the DORA?
From managing IT and cyber risk to digital operational resilience
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is a regulatory framework established to improve the cybersecurity and operational resilience of the financial services sector. It complements existing laws such as the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR).
The Digital Operational Resilience Act (DORA), known as the “lex specialis” of NIS2, was introduced by the European Commission in 2020 and aims to strengthen the operational “resilience” of the financial sector in the European Union. It extends and unifies existing European standards and requirements to create a detailed and harmonized framework.
The concept of “resilience” introduces a paradigm shift. It requires companies in the financial sector to organize from the outset to ensure effective management of breakdowns and cyber-attacks.
DORA is based on three fundamental principles:
The Digital Operational Resilience Act (DORA) is expected to come into force on January 17, 2025. This date marks a significant milestone for financial institutions, which will need to comply with the new requirements set out in the legislation.
DORA applies, among others, to credit institutions, payment institutions, crypto-asset service providers, insurance and reinsurance companies, asset managers, and third-party ICT service providers.
DORA is not a one-time compliance exercise, but a requirement to maintain constant resilience in an evolving environment and an increasingly complex technological context.
Why DORA?
Spread of Cyberattacks Across Various Industries
With the financial sector’s growing dependence on digital technology and its expanding interconnectedness, it faces heightened vulnerability to diverse cyberattacks. Indeed, Statista reports that in 2022, the finance and insurance sector ranked as the second most frequent target for cybercriminal activities.
Cyberattacks against financial services companies in Europe increased significantly between 2022 and 2023. For example, the number of ransomware attacks in the financial sector increased by 64% in 2023 compared to the previous year, and nearly doubled compared to 2021. Additionally, in the third quarter of 2023, the number of incidents in this sector doubled compared to the same period in 2022, highlighting the increased attention of criminals towards this industry.
Customer data from financial companies is particularly sought after on underground markets, accounting for 42% of ads for the sale, purchase, or free distribution of compromised databases.
Financial institutions handle vast amounts of sensitive data and have long been aware that this makes them prime targets for cybercriminals. Despite the various cybersecurity measures already in place, many entities remain underprotected.
Which entities come under DORA?
DORA applies to almost all types of financial entities in the European Union. Although the first institutions that may come to mind are banks and insurance companies, many other organizations are covered by DORA as per Article 2.
DORA mandates financial entities to manage risks associated with third-party suppliers, implying that these suppliers must also comply with DORA regulations.
Banking & Payment
- Credit institutions
- Payment institutions
- Account information service providers
- Data communication service providers
- Electronic money institutions
- Third-party providers of information and communication technology (“ICT”)
Finance
- Investment firms
- Authorised crypto-asset service providers and issuers of asset-referenced tokens (tokens referring to one or more assets)
- Asset management companies
- Alternative investment fund managers
- Crowdfunding (participatory finance) service providers
- Central securities depositories
- Central counterparties
- Trading platforms
- Trade repositories
- Securitization repositories
- Credit rating agencies
- Administrators of critical benchmarks
Insurance
- Insurance and reinsurance companies
- Insurance intermediaries, reinsurance intermediaries and incidental insurance intermediaries
- Institutions for occupational retirement provision
What does the DORA framework require?
A paradigm shift in cybersecurity and operational resilience
The Digital Operational Resilience Act (DORA) regulations are divided into five categories, each designed to enhance different aspects of cybersecurity in organizations. The main components include:
ICT Risk Management
DORA requires a comprehensive framework for managing ICT-related risks as the foundation for the resilience of financial companies. The governing body assumes ultimate responsibility for managing the ICT-related risk of the financial entity.
Management of Incidents
DORA strengthens incident management in ICT by implementing detection, classification, and mandatory reporting of major incidents, as well as encouraging voluntary reporting of significant cyber threats to authorities.
Cybersecurity Testing
A risk-based approach ensures that critical or important ICT systems are regularly tested for their operational resilience and their protection against potential disruptions. For instance, threat-led penetration testing (TLPT) must be conducted at least every three years on production systems.
Third-Party Risk Management
DORA mandates detailed record-keeping of all contracts with ICT service providers, particularly highlighting those critical to operations, and sets minimum standards for risk monitoring. It also establishes a European-level framework to oversee critical third-party service providers.
Information sharing
The regulation enables financial firms to exchange cyber threat information among themselves and to receive and act on anonymized threat data provided by the supervisory authority. The aim is to develop defensive capabilities and detection techniques.
What do the fines look like?
The competent authorities of the Member States will have the power to impose administrative sanctions or corrective measures such as the temporary or permanent cessation of any practice or conduct contrary to the provisions of the regulation or to adopt any type of measure, including monetary ones, to ensure that financial entities continue to comply with their legal obligations (Article 50).
Critical third-party ICT service providers violating the DORA regulations may incur periodic penalty payments, imposed daily and made public, of up to 1% of their global daily turnover (Article 35), depending on the severity of the violation and their cooperation with authorities. The penalty is applied daily until compliance is achieved or for a maximum of six months after notification to the critical ICT service provider.
What can Stroople do for you?
Prepare for DORA today and secure your digital operational resilience tomorrow
Eligibility for DORA
The DORA is a complex regulation that may overlap with other applicable regulations (NIS2, …)
We help you by organizing targeted workshops, training sessions, and updates to assist you in understanding DORA.
We define the scopes affected by DORA compliance and conduct an initial impact analysis. We also identify your critical assets.
Gap Analysis
It is important to identify the main gaps in your maturity to ensure an effective resilience plan.
We analyze the gaps between the measures already in place and the 480 DORA requirements through guided interviews and document analyses.
We ensure a correlation between DORA requirements and major international cybersecurity standards (NIST, CIS Controls, ISO 27001, etc.).
Roadmap
Remediation
Cybersecurity Standards & DORA
Advantages of Integrating Cybersecurity Standards into DORA
In the financial sector, compliance with DORA and major cybersecurity standards (NIST, CIS Controls, ISO, etc.) mitigates the risks associated with online transactions and data breaches, thereby enhancing trust and ensuring business continuity. Financial institutions must pay particular attention to DORA’s strict requirements regarding operational resilience and third-party ICT risk management.
Unified Approach
Security standards offer globally recognized best practices. Aligning DORA with these standards ensures consistent management of cybersecurity and compliance.
Simplified Management
Organizations can simplify their management processes by leveraging existing infrastructure and resources. Management can be conducted through user-friendly tools.
Efficiency
Clear guidelines facilitate prioritization of efforts and allocation of resources based on the importance and impact of each control.
Scalability & Adaptability
Standards can be selected and adapted according to the size, activity, and challenges of the organization. Aligning them with DORA ensures cybersecurity measures remain flexible in the face of regulatory and technological changes.
Ongoing enhancement
Cybersecurity standards incorporate the concept of continuous improvement. By aligning them with DORA, organizations can keep their cybersecurity measures up to date against new threats.
Any questions? Ask our experts.
June 20, 2024, at 11:00 AM
WEBINAR: DORA
DORA: Are you ready?
4 Operational Prerequisites for Effective Cybersecurity Preparation