Understanding the Digital Operational Resilience Act (DORA)

What is the Digital Operational Resilience Act?

The Digital Operational Resilience Act (DORA) is a new set of rules passed by the European Union that came into effect on January 16, 2023, with full application beginning on January 17, 2025, to strengthen the financial sector’s digital defenses, requiring banks, insurance firms, investment companies, and similar institutions to improve their digital security. This includes having good plans, training employees, testing systems regularly, and being transparent when problems arise. DORA aims to prevent widespread disruptions caused by cyberattacks, system failures, and other tech-related problems.

The core themes of DORA are risk management, incident response and reporting, digital operational resilience testing, third-party risk management, and information sharing. These elements build a comprehensive strategy for assessing risks, handling incidents, testing defenses, ensuring vendor security, and collaborating through information sharing.

How will DORA affect businesses?

With recent increased frequency and sophistication of cyberattacks, DORA aims to prevent severe consequences from cyber crime by setting strict risk management standards across the board for financial institutions like banks, insurance firms, investment companies, and even crypto-asset service providers. This applies not only to the institutions themselves, but also to the tech companies they rely on for services like cloud and data management.

Penalties for noncompliance with DORA can be severe, including:

1. Financial Penalties

Entities that fail to comply with DORA may face substantial fines. The amount can vary, but is typically proportionate to the gravity of the breach and the financial strength of the entity. Fines can be revenue-based, daily, cumulative, or a combination of various fine types depending on the violation. In some instances, fines may be reduced if the entity can demonstrate that it has taken steps to mitigate the impact of the breach or has cooperated fully with regulatory authorities during the investigation.

2. Operational Restrictions

In cases of severe noncompliance, regulatory authorities may impose restrictions on the entity’s operations. This could include limiting the scope of activities the entity is allowed to perform or suspending certain operations until compliance is achieved.

3. Increased Supervision

Entities that fail to meet DORA’s requirements may be subject to increased supervision by regulatory authorities. This could involve more frequent audits, mandatory reporting requirements, or other oversight measures designed to ensure future compliance.

4. Reputational Damage

Noncompliance with DORA can lead to reputational damage, especially if breaches are made public. Regulatory authorities may disclose noncompliance to the public, damaging the entity’s reputation and trustworthiness in the market.

5. Legal Consequences

In some cases, noncompliance could lead to legal actions by affected parties, including customers, partners, or other stakeholders who may have suffered losses due to the entity’s failure to meet DORA’s standards.

6. Regulatory Actions

Authorities have the power to impose various regulatory sanctions, including issuing warnings, mandating corrective actions, or even revoking licenses in extreme cases.

What are DORA’s key requirements?

ICT Risk Management and Governance

DORA places a significant responsibility on management to stay informed about Information Communication and Technology (ICT) risks and create robust risk management frameworks. This means top executives and board members can be held accountable if their firm doesn’t meet DORA’s requirements. Firms must be proactive, documenting their systems and regularly assessing their risk profiles.

Under DORA, businesses must analyze their entire technology landscape. This involves identifying critical functions and assets, understanding their interconnections, and documenting their dependencies on each other and external providers. It’s like drawing up a battle plan for the digital world, identifying weaknesses and strengths.

Consider a bank relying on a cloud provider to store sensitive customer data. DORA requires the bank to assess the cloud service’s security and document potential risks, holding both the bank and the cloud provider responsible for maintaining high-security standards.

DORA mandates business impact analysis to play out “what if” scenarios, including service disruptions, cyberattacks, or natural disasters. Through these simulations, institutions determine their risk appetite, strengthen their digital infrastructure, and create robust business continuity plans.

Incident Response and Reporting

If a major incident occurs, firms must be transparent with regulators and affected parties. They must file detailed reports outlining what happened, how they are addressing it, and how they’ll prevent it from happening again. There’s a clear structure for reporting serious incidents: an initial notification, updates on the resolution process, and a final, detailed analysis identifying root causes.

Incident reporting could become complex across different countries and authorities. However, the European Supervisory Authorities (ESAs) are streamlining the process. They aim to establish common templates and explore a centralized EU reporting hub. This simplification will speed up response times and coordination across the financial landscape.

Digital Operational Resilience Testing

DORA requires financial institutions to prove their defenses are strong through regular testing of their systems. This helps identify vulnerabilities and ensure protection measures are effective. These tests include vulnerability assessments, incident scenario simulations, and threat-led penetration testing (TLPT), essentially simulated cyberattacks.

The test results are reviewed by authorities, meaning firms must address weaknesses. This demonstrates a commitment to continuous improvement in their resilience.

Testing is an ongoing process. Each year, institutions must conduct basic tests to identify vulnerabilities early on. However, institutions critical to the financial system undergo a full TLPT simulation every three years. This testing also involves their key tech providers, ensuring everyone is on the same page regarding security. This strengthens the overall security posture.

Third-Party Risk Management

DORA emphasizes third-party risk management, explicitly addressing the tech providers serving financial institutions. This is because a secure system is only as strong as its weakest external link. Financial institutions must proactively mitigate the risks posed by these third-party service providers.

Financial institutions must ensure that any provider handling critical or important functions meet DORA’s strict security and operational requirements. This is because the institutions remain responsible even if the problem originates with an outside vendor.

For instance, if a financial institution contracts a company for data processing, they can’t assume the processor’s security is adequate. DORA mandates strict contract agreements covering exit strategies, regular audits, security requirements, and performance benchmarks. These measures shift the responsibility for strong security from a “hope for the best” approach to a legally binding and supervised reality.

In 2019, the EBA established the Guidelines on ICT and security risk management and Guidelines on outsourcing arrangements. Building on these, the MFSA released its Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements in December 2020.

DORA empowers regulators to take action if necessary. They can force firms to terminate agreements with non-compliant tech companies, reinforcing that cybersecurity is not optional but the law.

Research shows that financial companies could spend up to 3% of their payroll on regulatory compliance. While this seems significant, compare it to the cost of major security breaches and reputational damage. The upfront investment in compliance is more appealing.

Information Sharing

While not mandatory, DORA encourages financial services firms to collaborate and share threat intelligence. This means firms are encouraged to share information about cyber threats they’ve faced and the mitigation strategies they’ve used. This fosters a collective defense effort, making everyone smarter and more effective.

However, sharing sensitive information requires clear ground rules. Any intelligence sharing must comply with existing regulations for personal data protection. This ensures sensitive data remains protected even in collaborative environments.

Training and Staff Awareness

Employees are often an organization’s most significant vulnerability regarding cyber threats. DORA emphasizes ongoing training and awareness programs for all staff members. These programs educate employees about cybersecurity threats, security procedures, and how to react during an technology incident.

Many resources are available for staff training in data protection, cyber security, and compliance frameworks like GDPR, ISO 27001, PCI DSS, and CCPA. Training methods include classroom sessions, in-house training, live online courses, self-paced online training, and e-learning programs.

How Craft Can Help

Craft’s supplier risk management solutions are designed to streamline compliance and enhance reporting. With our platform:

Identify risky suppliers with in-depth company profiles and easily scalable due diligence
Continuously monitor your supplier network for changes and potential violations.
Document your efforts for proof of compliance
Collaborate and share information across teams for faster risk mitigation.

Learn More

Conclusion

DORA significantly impacts financial companies and technology firms. It represents a crucial shift in the European financial industry’s mindset regarding cybersecurity. Robust security measures are no longer optional but a legally mandated, centrally supervised, crucial aspect of business in today’s digital world.

For an overview of regulations affecting the global supply chain, visit our compliance hub.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.