Digital Operational Resilience Act (DORA) Compliance is a regulation for financial sector companies conducting their business in the EU region. Approved by the EU parliament in November 2022 and is expected to come into effect by January 2025, its purpose is to improve the security regulatory landscape.

Similar to compliance such as GDPR, HIPAA, and PCI DSS, DORA will also assist the firms in aligning their security and privacy plans with the ever-changing digital resilience standards and risk management.

It was designed by the European Supervisory Authority to assist in modernizing and consolidating ICT risk resilience across the financial sector. With the DORA compliance, every financial organization in and doing business in the EU will be held to the same criteria for minimizing, auditing, and managing cyber risk.

The act’s regulatory bodies will evaluate each financial institution based on its ability to implement the necessary digital security safeguards. This helps the companies to be able to produce their ability to withstand various business continuity and information technology-related risks to the legal entities as well as their clientele.

The five pillars of DORA

1. ICT Risk Management

The DORA’s ICT risk management framework requires the firm’s management body to take “full and ultimate accountability” for ICT risk management, as well as developing and approving its digital operational resilience strategy and reviewing and approving the firm’s policy on the use of ICT Third Party Providers (TPPs). The DORA compliance authorizes competent authorities to levy administrative penalties and take remedial measures against management body members who breach the Regulation.

The law harmonizes the reporting regime for ICT-related events by requiring all financial companies to report to their competent authorities through a single framework. It also allows ESAs to provide additional aspects for the reporting framework, such as taxonomy, timelines, data types, templates, and criteria.

2. Incident Reporting and Information Sharing

The DORA Compliances incident reporting framework aims to simplify several existing EU incident reporting rules applicable to financial services businesses. Nonetheless, it will introduce a substantial new classification, notification, and reporting framework, compelling organizations to improve their ability to collect, evaluate, escalate, and communicate information about ICT events and risks.

Most businesses do not have all the capabilities necessary to measure the quantitative impact of events and evaluate their underlying causes in the way that the DORA requires.

If a customer or counterparty is exposed to a major cyber danger, the DORA requires FS firms to alert them and offer information on relevant security measures to defend against the hazard. Entities must also document any important cyber risks, which will necessitate a greater incident management capability to monitor, address, and resolve cyber occurrences.

ESAs are also asked to publish a joint report assessing the possibility of further centralizing incident reporting by establishing a single EU Hub for large ICT-related incident reporting by enterprises. Streamlining ICT-incident reporting is projected to lessen the cost of complying with different incident reporting standards in the financial industry, while also facilitating a better common awareness of cross-border cyber risks.

3. Third-Party Risk Management

The DORA compliance applies to all ICT outsourcing contracts, not only those with cloud service providers (CSPs), and includes both third and fourth parties who support financial services businesses in the performance of essential or important tasks (CIFs). Certain contractual provisions, such as access and audit rights, data protection, security measures, and exit plans, must be included in ICT outsourcing contracts. These agreements will be legally enforceable and may be difficult to negotiate with some service providers.

The DORA requires businesses to assess the concentration risk of their ICT outsourcing contracts that support CIFs and adopt a multi-vendor plan to mitigate it. Certain firms may be put under pressure to justify their operating model decisions and build redundancy and adaptability into their systems as a result.

The DORA creates a new supervision structure for key ICT third-party providers (CTPPs), such as CSPs, allowing European Supervisory Authorities (ESAs) to assess, monitor, and penalize them if they fail to meet the DORA Compliance standards. This will compel CTPPs to strengthen their resilience and security procedures, as well as collaborate with financial institutions and regulators.

4. Digital Operational Risk Testing

The DORA Compliance requires all in-scope organizations (excluding micro-enterprises) to demonstrate that they perform an acceptable set of security and resilience tests on their critical ICT systems and applications at least once each year and to address any vulnerabilities uncovered during testing completely. With the requirement for business effect analysis, this might become a significant area of supervisory inspection, driving firms to develop broader and more accurate testing and scenario analysis skills. 

Firms that exceed a specific level of systemic relevance and maturity (as defined by a Regulatory Technical Standard (RTS)) will be required to undergo advanced Threat Led Penetration Testing (TLPT) every three years (unless revised on a firm-by-firm basis by national authorities).

Negotiators opted to stipulate that the methodology for the TLPT testing be created in line with the ECB’s existing TIBER-EU framework, so enterprises presently conducting or considering TIBER testing may be certain that their effort will count toward the DORA’s advanced testing standards. 

In addition, the DORA mandates FS firms to include all TPPs that enable CIFs in advanced testing activities. This is uncommon in TLPT efforts in the financial sector today, and it will almost certainly need extensive planning and mapping of TPPs to CIFs.

If a TPP is unable to participate due to security concerns, the DORA compliance authorizes the TPP to perform its TLPT as “pooled testing” for the FS enterprises to which it offers services. This is a growing area of shared assurance that will require joint action from the financial services sector to operationalize.

5. Intelligence Sharing On Cyber Risks and Vulnerabilities

DORA encourages financial institutions to set up procedures for sharing cyber threat intelligence and information. It includes indicators of compromise, tactics, techniques, and procedures, as well as cybersecurity alerts and configuration tools.

These companies must exchange information within a trustworthy community to strengthen their digital operational resilience. The information-sharing arrangements must protect the sensitive nature of the information while also adhering to business confidentiality and data protection policies. 

Furthermore, financial companies must inform their respective competent authorities upon confirmation of their involvement in these arrangements. It also helps the whole business become more aware of and prepared to meet continuous cyber threats by promoting the sharing of threat intelligence. This is especially essential since many cyber threat actors in the financial industry will attack numerous firms at the same time.

Applicability Of DORA Compliance

DORA compliance applies to a wide range of financial businesses both inside and outside the European Union. According to the European Parliament’s research, about 22,000 ICT service providers and financial firms will be affected. 

While DORA is an EU rule regulated by the European Banking Authority and other members of the European Council, it might also apply to entities outside the EU. Like the General Data Protection Rule (GDPR), any service providers to or have offices in the EU would be subject to the rule. DORA rules for organizations providing ICT services vary somewhat; any company providing these services to financial institutions must also reconsider its strategy for addressing cyber hazards. 

The following firms should ensure risk management and enterprise cybersecurity:

1. Insurance firms
2. Crowdfunding service providers
3. Companies that make investments
4. Intermediaries
5. Cryptocurrency firms
6. Pension plans
7. Credit bureaus
8. Managers of alternative investment funds
9. Financial institutions
10. Providers of ICT services
11. Banks

Requirements For DORA Compliance In Companies

The proposals, which were published in an official publication produced by the EU parliament, address a wide range of security and ICT risk management issues.

DORA compliance emphasizes, that firms must be able to regularly monitor security and ICT technologies to reduce risk. This means that every financial institution will have to take proactive risk management activities, such as continually monitoring their third-party risk levels and security measures.

It also demands businesses conduct remediation measures for vulnerabilities, implement operational risk management, and invest in new technologies, policies, and processes. It also mandates to maintain continual resilience, the EU also mandates enterprises to constantly develop and improve their risk-based strategies. 

This means that firms will need to proactively measure key performance indicators (KPIs) throughout their security ecosystem.

Practical steps to implementing DORA regulation

Gap analysis

Assessing the current security posture of the process, system, and assets would be the first step in implementing the DORA regulation.

This helps to find the difference between the current state of your firm and the desired state of the regulatory body. This helps to develop a detailed action plan and set timelines for implementing the same.

Identification of areas requiring investment/development

Concentrate on elements of the DORA compliance that require frequent outputs that may be questioned by supervisors, such as business impact analysis, resilience testing, incident reporting, and third-party risk management. 

This will entail investing in the governance, risk, and compliance structure surrounding ICT, cyber, and TPRM functions, as well as resolving operational vulnerabilities that are discovered.

Monitor the Level 2 technical standards

Pay particular attention to the consultation versions of the RTSs/ITSs that the ESAs will draft over the next 12-18 months since they will reveal vital information about how the new regulations will work in practice. 

As draft Level 2 standards become available and are finalized, you will be able to update your gap analysis and implementation strategy.

Conclusion

To comply with the Digital Operational Resilience Act (DORA) compliance, financial institutions must improve their cybersecurity and operational resilience measures. Identifying vulnerabilities, implementing security standards, keeping correct asset inventories, and showing compliance with regulators and auditors are critical components of regulatory compliance.

For major violations of the legislation, financial institutions can be fined up to 10 million euros or 5% of their entire yearly revenue, whichever is greater. Supervisory authorities may order financial institutions to take corrective actions to remedy any flaws or failures in their operational resilience, and they may publicly chastise financial firms that fail to comply with the regulation’s requirements. 

Institutions that regularly fail to comply with the regulations’ standards would have their authorization revoked. Firms may be forced to reimburse consumers or other parties for any losses caused by a failure to comply with the regulation’s requirements.