The EU Digital Operational Resilience Act (DORA) is a major piece of cybersecurity legislation for financial institutions. The act establishes a framework for every service provider and their suppliers to follow to maintain operational resilience.
The act has four pillars:
- ICT third-party risk management
- ICT operational resilience
- Cyber threat intelligence
- Incident reporting
It also places strict requirements on financial institutions for managing supplier relationships, such as ICT providers. This blog is a guide to DORA compliance and provides useful and actionable insights for CISOs, DPOs, and legal departments. It covers:
- What is DORA?
- When did DORA come into force?
- Impact of each DORA pillar on financial organizations
- Sectors and sub-sectors impacted by DORA
- Areas to consider to achieve full compliance
- How DORA benefits you
What is DORA?
The Digital Operational Resilience Act (DORA) – Regulation (EU) 2022/2554 is a new EU regulation on Digital Operational Resilience for the financial sector. It sets uniform requirements across the EU to improve the cybersecurity and resilience of EU financial organizations.
To do so, DORA imposes specific technical constraints in relation to each of its pillars:
- Governance and ICT risk management
- ICT incident management
- Digital operational resilience tests
- ICT service providers risk management
- Cyber threats information-sharing
Remarkably, it also applies to third parties providing ICT-related services to financial organizations. Critical third-country ICT (Information and Communications Technology) service providers to financial entities in the EU will be required to establish a subsidiary within the EU so that oversight can be properly implemented.
When did DORA come into force?
DORA was published in the Official Journal of the European Union and entered into force on 16 January 2023. DORA is expected to be applied from 17 January 2025 at the time of writing (November 2023).
Impact of each DORA pillar on financial organizations
Given DORA’s newly binding nature, QuoIntelligence expects scrutiny over financial organizations to increase. Below, we analyze the impact of each pillar of DORA for financial organizations and provide recommendations on the next steps to comply with the regulation:
Governance and ICT risk management
DORA imposes an ICT risk management framework which includes the identification and classification of critical functions, protection and prevention, backup and restoration policies, learning and training, that should be reviewed once a year. Organizations should also identify their critical or important functions and map their assets and dependencies. To do so, the management body has specific importance, DORA even sets the obligation for them to have specific training on IT risks.
ICT incident management
DORA requires entities to establish and implement incident management processes to report any major ICT-based incidents to the authorities. The notification must be made within strict deadlines, depending on what the EU considers a major incident. To do so, financial entities will have to implement a classification methodology that complies with DORA. DORA will possibly follow ENISA’s taxonomy.
Operational resilience tests
The regulation mandates resilience tests that independent parties have to carry out, including vulnerability and network security assessments, scenario-based testing, and penetration testing.
ICT service providers risk management
Financial firms will be required to assess risks associated with their third-party ICT service providers. In addition, they will have to verify that providers meet the definition of a Critical ICT Third-Party Provider, and they comply with DORA themselves. In addition, they will have to ensure that in their contracts with third parties there are mandatory contractual elements set under DORA, which might lead to modifications in their contracts with ICT service providers.
Information sharing on cyber threats
DORA introduces guidelines on establishing information-sharing agreements between financial institutions to exchange cyber threat intelligence. This includes tactics, techniques, and procedures (TTPs), and recurrent alerts.
Areas to consider to achieve full compliance
Although the regulation will be binding from January 2025, organizations are advised to create a roadmap to ensure they achieve full compliance by then.
To start preparing for compliance, QuoIntelligence recommends:
- Appointing a senior management to oversee DORA compliance and carry an assessment to determine what is the impact for the organization and the path forward.
- Implementing a program road map to comply with DORA by 2024. The following points could be considered:
- Identifying the current risk management and incident management processes in place.
- Identifying which ICT suppliers might be impacted.
- Considering potential scenarios for operational resilience testing.
- Setting a threat intelligence department or service provider.
Sectors and sub-sectors impacted by DORA
DORA primarily focuses on the financial sector within the European Union, however this includes not only banking and finance but also other sub-sectors that play important roles in the larger financial ecosystem:
- Insurance and Pensions: this category extends to reinsurance companies and pension funds.
- Investment Firms: including asset managers, stock exchanges, and various types of investment funds.
- Payment Services: companies that facilitate money transfers and payments fall into this category, including credit card companies and electronic money institutions.
- Crypto Assets: with the increasing popularity and usage of currencies DORA also covers firms involved in issuing, managing, and securing crypto assets.
- Credit Rating Agencies: DORA shields these entities which play a role in evaluating the creditworthiness of financial instruments and entities.
- Central Counterparties (CCPs) and Trade Repositories: central counterparties acting as intermediaries in derivatives markets between two parties in a transaction while trade repositories collect and maintain data on over the counter (OTC) derivatives.
- Securitization Repositories: repositories which maintain records pertaining to securitizations that involve the pooling of types of debt.
- Data Reporting Service Providers (DRSPs): entities offering data reporting services for the sector.
- Critical Third-Party Service Providers: in today’s age many financial institutions heavily rely on third party technology providers for services such as cloud computing, software and infrastructure. DORA acknowledges the vulnerabilities that can arise from these relationships and emphasizes the importance of resilience, for these entities as well.
How DORA benefits you
Banking & Financial Institutions:
- CEO: DORA guarantees EU banks stands strong amidst digital disruptions, fostering trust among investors and customers.
- COO: DORA simplifies operational continuity by providing a clear framework for digital resilience, securing those day-to-day operations, from customer transactions to backend processes, continue seamlessly.
- CFO: Financial risks now include digital vulnerabilities. DORA helps in pre-emptively addressing these concerns, potentially saving the organization from significant financial setbacks stemming from digital disruptions.
Insurance & Pensions:
- Insurance Seller/Agent: DORA’s guidelines will protect the digital platforms and tools Insurance Agents rely on for their interactions with clients, allowing them to assure clients of their data’s safety and the security of their policies.
- Pension Fund Manager: With the increasing digitization of pension fund management and tools, DORA makes sure that these platforms remain resilient against digital threats, ensuring the long-term security of beneficiaries’ funds.
Investment Sector:
- Asset Manager: DORA acts as a safeguard which allows the digital platforms and algorithms asset managers rely on for asset allocation, management, and reporting to remain consistently up to date against the latest threats, allowing for informed and secure investment decisions.
- Stock Exchange Executive: in the high-stakes world of stock exchanges where milliseconds matter, DORA shields its digital infrastructure, minimizing the risk of technical glitches that can lead to financial chaos.
Payments & Crypto:
- E-commerce Business Owner: because digital payments are vital for the success of online businesses, DORA makes sure payment gateways and platforms fortified against digital threats for smooth transactions and satisfied customers.
- Crypto Exchange Founder: DORA protects the framework ensuring that exchange platforms remain impervious to hacks and breaches.
Rating & Data Reporting Agencies:
- Credit Rating Analyst: DORA ensures that the digital tools employed for credit assessment are reliable and resistant to external threats, allowing for accurate and trustworthy ratings.
- Data Reporting Executive: with vast amounts of data being reported and analyzed, DORA’s guidelines guarantee that these data streams remain uncompromised and accurate, upholding the agency’s reputation.
- Pension Fund Manager: With the increasing digitization of managing pension funds and related tools DORA plays a role in maintaining the resilience of these platforms against threats. This ensures the long-term security of beneficiaries’ funds.
Conclusion
The EU Digital Operational Resilience Act (DORA) is a significant piece of legislation that will have a profound impact on financial institutions operating in the European Union. The act aims to improve the operational resilience of financial entities and their suppliers by establishing a framework for managing cyber threats, third-party risks, and incident reporting. As the implementation period for DORA begins, it is essential for financial institutions to start preparing for compliance to avoid reputational damage, regulatory fines, and even criminal sanctions.
Keep up to date
To keep up with the latest cyber and geopolitical threats, subscribe to QuoIntelligence’s Weekly Intelligence Newsletter, published every Thursday around 1900 CET.