The DORA Regulation is a significant step in the EU's efforts to strengthen digital operational resilience in the financial sector and among the providers of information and communication technology (ICT) services on which that sector depends. It is a new regulatory framework that establishes a robust and uniform approach to ICT security, with the aim of safeguarding financial stability and protecting consumers.
The goal is to increase resilience against future cyber and information security incidents, enabling financial companies and ICT service providers to prevent and respond to risks without affecting customers or society in general.
What is the DORA Regulation?
DORA, an acronym for Digital Operational Resilience Act, is an EU regulation (Regulation (EU) 2022/2554) that sets binding requirements for how financial entities manage cyber and ICT risk and gives supervisory authorities the means to monitor and enforce them. The regulation applies from January 17, 2025.
Like NIS2, DORA is intended to strengthen the protection of critical infrastructure. DORA, however, is targeted specifically at the financial sector, which depends heavily on ICT services for accessing, processing, and transferring information. Security is to be raised through strict requirements for managing ICT suppliers and through regular, threat-led testing of network and information systems.
In short, the regulation aims to harmonize the requirements for financial institutions' ability to develop, strengthen, and continuously monitor their digital operational resilience.
Who is covered by the Digital Operational Resilience Act?
The DORA Regulation has a broad scope. It covers not only traditional financial entities such as banks, credit institutions, payment service providers, insurance and reinsurance companies, and investment firms, but also the ICT third-party service providers that serve them, with critical providers placed under direct oversight.
This means that, in addition to the financial entities themselves, the regulation imposes significant requirements on the providers of critical ICT services that financial institutions depend on: for example, cloud computing services, data center services, and other digital solutions supporting financial operations. The purpose is to ensure that both financial institutions and their key technology providers maintain high standards of cybersecurity and operational robustness.
What requirements does DORA impose?
The regulation sets out requirements for ICT risk management, incident handling and reporting, and the use of threat intelligence. Third-party (supplier) management, documentation, security testing, IT operations, and cybersecurity are also key elements.
In practice, this means organizations must go beyond documenting financial soundness and also demonstrate how they keep operations running during ICT security incidents.
DORA sets minimum requirements within five categories:
- Governance and risk management
- Incident reporting
- Testing, preparedness, and mitigation
- Third-party risk management
- Information sharing
1) Governance and Risk Management
Within governance and risk management, the DORA Regulation requires organizations to establish an ICT risk management framework with supporting policies and guidelines. They must:
- Develop and maintain resilient ICT systems and tools that minimize the impact of ICT risk
- Identify, classify, and document critical or important functions and the ICT assets that support them
- Continuously monitor ICT risk so that necessary protection and prevention measures can be implemented
- Promptly detect and respond to anomalous activity
- Prepare detailed business continuity and response plans for handling ICT security incidents
- Test business continuity and disaster recovery plans at least once a year
- Develop strategies for staff training and education based on both internal and external incidents
2) Incident Reporting
Regarding incident reporting, companies covered by DORA are required to:
- Establish a process to log and classify all ICT-related incidents and to determine, using the applicable criteria, which of them count as major incidents
- Submit an initial notification, an intermediate report, and a final report for each major ICT-related incident to the competent authority
- Use standardized templates for ICT incident reporting
3) Testing, Preparedness, and Mitigation
In the category involving testing, preparedness, and mitigation, companies must:
- Test the ICT systems and tools supporting critical or important functions at least once a year
- Identify and promptly remediate any weaknesses, deficiencies, or security gaps the tests reveal
- Perform threat-led penetration testing (TLPT) at least every three years on the ICT systems supporting critical or important functions
4) Third-Party Risk Management
DORA also requires financial entities to ensure that their ICT third-party providers participate fully in resilience testing, including TLPT, where those providers support the functions under test. Financial entities must manage the risk from their service providers by:
- Continuously monitoring the risks posed by ICT third-party service providers
- Maintaining a register of information on all contractual arrangements with ICT third-party providers, reporting it to the competent authority, and notifying the authority of planned arrangements that concern critical or important functions
- Assessing the risks arising from subcontracting chains (sub-outsourcing)
- Concluding comprehensive contracts with ICT service providers that set clear terms for service levels, monitoring, and availability
5) Information Sharing
For information sharing, financial companies are required to:
- Take part in arrangements for exchanging cyber threat information and intelligence with other financial entities
- Make use of relevant anonymized threat information and intelligence that supervisory authorities share with the sector
Comparing DORA and NIS2
The DORA Regulation shares many similarities with the NIS2 Directive, and both initiatives reflect the aim of a high common level of security against cyber threats. However, while NIS2 covers a wide range of industries and sectors, DORA specifically targets the financial sector.
DORA is designed to interlock with NIS2 so that the EU's cybersecurity strategy remains coherent across all sectors: for financial entities, DORA's sector-specific rules take precedence over NIS2's general ones. The interaction between the two regimes allows financial supervisory authorities to be informed about cyber incidents affecting other sectors, supporting an integrated response across the EU.
Together, DORA and NIS2 form a comprehensive cybersecurity framework that ensures a coordinated effort to protect the EU's critical infrastructure.
How does DORA affect your organization?
The Digital Operational Resilience Act builds on and extends existing regulatory requirements by introducing new obligations for the organizations it covers. Although many of them already have experience managing compliance at both national and international levels, DORA introduces requirements that may be less familiar, or more comprehensive, than those they have met before.
To comply with the regulation, financial organizations must recognize the need for digital and operational resilience. Regardless of an organization's current maturity level, it is crucial to begin, or intensify, efforts to build resilience. A good starting point is a gap analysis that identifies the differences between current processes and the requirements set out in the DORA Regulation. A maturity assessment will additionally provide an overview of how well prepared the organization is to address digital threats and risks overall.