Published on April 12, 2024
What is DORA? The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is an EU regulation that sets binding requirements for the digital operational resilience of financial entities operating across the European Union.
Financial institutions are required to, among other obligations:
All financial entities in the EU are required to comply with DORA. This includes traditional financial institutions such as banks, investment firms and credit institutions, but also newer and non-traditional ones such as crypto-asset service providers and crowdfunding platforms. ICT third-party service providers that are designated as critical to the financial sector also come under a dedicated oversight framework of their own.
DORA itself was adopted by the European Parliament and the Council. The detailed technical standards that give it effect (the regulatory and implementing technical standards) are drafted jointly by the three European Supervisory Authorities: (1.) the European Banking Authority (EBA), (2.) the European Securities and Markets Authority (ESMA), and (3.) the European Insurance and Occupational Pensions Authority (EIOPA).
The regulation was published in the Official Journal of the EU in December 2022 and entered into force in January 2023. Because it is a regulation rather than a directive, it applies directly in every member state and does not need to be ratified nationally. Financial entities have until 17th January 2025, the date from which DORA applies, to demonstrate that they are fully compliant.
The EU recognised that how we do business has fundamentally changed as technology improves. Many of the processes that would have once taken hours, if not days, can be done at the touch of a button.
Alongside the gains from these technologies, however, comes a raft of new risks, above all cybersecurity issues. As cyber criminals become more capable and probe ICT resources for weaknesses, regulations such as DORA give likely targets a framework for resisting, responding to and recovering from such disruptions.
DORA is organised around five key areas or pillars: ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; management of ICT third-party risk; and information-sharing arrangements. Businesses operating in the financial sector need to meet the requirements of each pillar to be considered fully compliant overall.
The ICT risk management framework should be able to detect anomalies and protect ICT systems against them before they cause an impact. This is a continuous process: the framework has to be reviewed and updated as protocols, software and standards evolve, and when new technology reaches the market the existing controls must change with it.
In addition, business continuity policies must be in place together with ICT disaster recovery plans, so that the business can recover promptly from an ICT-related incident.
Businesses operating within the financial sector must create and implement a management process through which they monitor, log, classify and report ICT-related incidents. Major ICT-related incidents must be reported to the competent authority in the stages and with the content set out in DORA and its technical standards: an initial notification (within four hours of classifying the incident as major, and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. Member states designate the competent authorities that receive these reports, and those authorities may specify submission procedures of their own, so businesses must also follow the requirements set out by their national competent authority.
The ICT risk management framework should be tested regularly to ensure it is prepared to handle threats and that the company as a whole is still adequately supported and secured. Where testing reveals weaknesses or gaps, corrective measures must be introduced to mitigate or fully eliminate them.
Severe operational disruption can cause issues more widespread than an IT failure. Critical functions need to be protected by an adequate resilience plan to ensure the business can return to normal as quickly as possible.
Resilience testing needs to be proportionate to the business carrying it out: size, activity and risk profile all affect what is required. For entities with higher levels of risk exposure, the competent authority can require threat-led penetration testing (TLPT), a red-team style exercise modelled on the TIBER-EU framework that must be carried out at least every three years.
Nowadays, companies rely on a vast array of ICT service providers simply to do their jobs and meet business outcomes. Even software that has nothing to do with financial services can carry a degree of risk.
Companies need to actively monitor the risks that arise from using these ICT third-party providers. This often means building a relationship with the provider so that monitoring is complete on both sides of the service. Financial entities should also include every third-party ICT system and application in their own risk management frameworks, so that they have full visibility of potential issues and disruptions.
Contractual arrangements with third-party providers must cover monitoring and access details, such as the locations where data is processed and stored, along with service levels, the provider's obligations on data protection and on assisting during incidents, audit and access rights for the financial entity and its regulators, termination rights and exit strategies.
One of the overarching goals of DORA is to reduce the risk from cyber threats, and one way it does this is by encouraging knowledge sharing within a community of trusted financial entities.
Companies subject to DORA are actively encouraged to exchange cyber threat information and intelligence, such as indicators of compromise and attacker tactics, where doing so draws attention to active threats that could cause widespread disruption. This raises awareness of ICT risks and limits the ability of threats to spread: when more people are in the know, malicious actors are easier to resist.
DORA is an overarching regulation. While financial entities in the European Union are required to comply with it, it is not the European Parliament that will monitor compliance and take action against those who fail to. That falls to the competent authorities designated by each EU member state, with the European Supervisory Authorities acting as Lead Overseers for critical ICT third-party service providers.
In France, for example, the national financial supervisory authorities act as the competent authorities and would be the ones to issue penalties and sanctions if the regulation were broken. Those penalties and sanctions are established by each member state.
The fines that apply to financial entities are therefore set nationally. The one penalty DORA itself fixes is aimed at critical ICT third-party providers: the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, charged daily for up to six months until the provider complies with the Lead Overseer's recommendations.
The cost of non-compliance can go well beyond fines. In an age of knowledge sharing, a failure to align with DORA damages reputation, and a financial organisation operating across several EU member states may find that partners and clients in one country start looking at other providers once it picks up an unfavourable reputation in another.
Network and information systems will only become more sophisticated, and ICT-related incidents will rise with them as cyber criminals keep pace with those improvements.
Ensure that your organisation is fully compliant with DORA before 17th January 2025. C2 Meridian is designed to be as flexible as possible to meet your requirements, whatever they might be. We aim to simplify digital operational resilience and risk management, giving you the tools you need to successfully navigate and mitigate major ICT-related incidents.
Book a demo with us today and find out how we can aid your approach to ICT risk management.
Chief Operating Officer at Continuity2
As a proud COO of Continuity2, Lisa strives to provide intuitive and innovative solutions for the Business Resilience market and reshape the industry as we know it today. Lisa has been in the industry for over 10+ years, helping clients achieve their Business Continuity and Resilience objectives for continuous growth and success.