The Digital Operational Resilience Act (DORA) is a regulatory framework introduced by the European Union to strengthen the digital resilience of financial institutions and mitigate Information and Communications Technology (ICT) risks across the financial sector. It establishes strict requirements for ICT risk management, incident reporting, resilience testing, and oversight of third-party providers. Although DORA was introduced and became effective on January 16, 2023, it is set to come into full force on January 17, 2025, and affected organisations must be compliant by then.
DORA’s ultimate goal is to ensure that the financial sector can withstand, respond to, and recover from a wide range of ICT-related disruptions, minimising systemic risks and protecting the integrity of the EU’s financial ecosystem.
Why Was DORA Introduced?
Before DORA, many financial institutions relied on reactive strategies to deal with cyber incidents. These included allocating emergency funds to handle issues as they arose or implementing fragmented and inconsistent measures to manage ICT risks.
Key Problems with This Approach:
- Escalating Incident Costs: Addressing cyberattacks or ICT failures after they occurred often led to higher costs than the funds put aside could cover, including regulatory fines, reputational damage, and operational downtime.
- Fragmented Practices: There was no consistent framework for ICT risk management across the EU, leading to vulnerabilities in a sector that depends on interconnected networks and services.
- Systemic Risk: The reliance on reactive measures didn’t address root vulnerabilities, increasing the likelihood of widespread disruptions that could ripple across the financial system.
DORA shifts this paradigm by mandating proactive and preventive measures, ensuring firms are better prepared to handle digital disruptions.
Who Does DORA Apply To?
DORA applies to a wide range of entities within the financial sector, including, but not limited to:
- Banks
- Investment firms
- Payment institutions
- Insurance companies
- Crypto-asset service providers
Additionally, ICT third-party providers, such as cloud service providers and data centres, fall under DORA’s scope, so that the entire financial ecosystem adheres to stringent digital resilience standards.
DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU, as well as the ICT infrastructure supporting them from outside the EU. The regulation introduces specific and prescriptive requirements for all financial market participants.
Organisations based outside the EU must act fast to determine if they fall in scope of DORA, based on the broad range of financial markets activities included and whether those take place within EU jurisdictions.
Key Requirements Under DORA
DORA is built around 5 core themes, each with their own specific requirements.
- ICT Risk Management (Articles 5 – 16)
- Establish a comprehensive ICT risk management framework covering identification, protection, detection, response, and recovery processes.
- Ensure the governance framework is robust, with accountability resting on senior management.
- ICT-Related Incident Management, Classification, and Reporting (Articles 17 – 23)
- Standardise incident classification and reporting of major ICT-related incidents.
- Implement compulsory reporting mechanisms and anonymised EU-wide incident reports.
- Digital Operational Resilience Testing (Articles 24 – 27)
- Conduct regular resilience testing, including large-scale threat-led penetration tests every three years by independent testers. OmniCyber Security has a team of CREST-accredited pen testers experienced in carrying out this kind of testing.
- Managing ICT Third-Party Risk (Articles 28 – 44)
- Develop and maintain a detailed register of information on all contractual arrangements with ICT third-party providers.
- Implement guidelines for pre-contract assessments, contract contents, termination processes, and stressed exit plans.
- Information Sharing Arrangements (Article 45)
- Encourage financial entities to share threat intelligence and information to enhance collective resilience.
Steps to Prepare for DORA Compliance
To meet DORA’s requirements by the 2025 deadline, organisations should:
- Conduct a Gap Analysis
Identify shortcomings in current ICT risk management, incident reporting, and third-party oversight. - Develop an Implementation Plan
Establish timelines and allocate resources to align practices with DORA’s mandates. - Strengthen ICT Risk Management
Update policies to include continuous risk assessment and implement advanced monitoring tools. - Streamline Incident Reporting
Establish procedures for classifying and reporting incidents in line with DORA’s technical standards. - Test Resilience
Regularly conduct resilience assessments and address vulnerabilities identified during testing. - Enhance Third-Party Oversight
Evaluate ICT providers’ compliance with DORA, ensuring robust contracts and exit strategies are in place. - Foster Collaboration
Join industry forums and information-sharing networks to stay informed on emerging threats
Penalties for DORA Non-Compliance
Failure to comply with DORA can result in significant penalties. National competent authorities will oversee compliance and can impose fines, including periodic payments of up to 1% of the average daily global turnover of the preceding business year for up to six months until compliance is achieved.
DORA is a critical step toward building a resilient financial ecosystem in an increasingly digital world. By proactively addressing vulnerabilities and fostering collaboration, DORA ensures that financial institutions are equipped to handle the challenges of modern ICT disruptions. Organisations should act swiftly to meet the upcoming compliance deadline, as failure to do so could result in significant penalties and operational risks. For more guidance, visit the official DORA website.
For more information about how OmniCyber Security can help you meet DORA’s requirements, including with our class-leading penetration testing services, get in touch with our experts today.
