The financial services industry is one of the most regulated markets in the world, and evolving cyberthreats require compliance with new and updated regulations. This resource will help you get up to speed on how to leverage your existing cybersecurity compliance initiatives to prepare for the requirements of DORA.
What Is DORA (Digital Operational Resilience Act)?
The Digital Operational Resilience Act, DORA, is one of the newest mandates governing how EU financial services organizations manage IT and cyber risks. Its goal is to strengthen the resilience of those operating in the EU financial sector by streamlining and upgrading existing rules and bringing in new requirements to address cybersecurity gaps. Notably, it requires companies to enhance risk management, incident reporting processes, testing, and compliance related to critical third-party partners.
DORA's General Objectives
What to Expect from the Digital Operational Resilience Act (DORA)
Cybersecurity for Business Continuity
At its heart, DORA is designed to ensure organizations can maintain business as usual in the event of a cyberattack. Having standardized requirements for increasingly linked entities and those in their extended supply chains will help the EU financial community achieve stronger overall cyber protection through better assessment, reporting, and communication of information communication technologies (ICT) risk.
Extending NIS2
It’s important to remember that DORA is not a Directive but a Regulation. This means all EU Member States must prove compliance by Jan. 17, 2025, which the European Council has the power to enforce. DORA extends the Network and Information Security (NIS2) Directive, which specifies the cybersecurity measures required for the protection of critical infrastructure.
DORA Requirements
Information Communication Technologies (ICT) Risk Management
Classification and Reporting of ICT-related Incidents
Digital Operational Resilience Testing
Information and Intelligence Sharing Between Financial Entities
Vendor Management
Who Does DORA Impact?
DORA applies to any organization that manages, transfers, holds, insures, invests, creates, protects, or raises money as well as those that grade investments. Examples include the following:
- Banks
- Insurance & Reinsurance Firms
- Auditors & Audit Firms
- Brokers
- Trade Repositories
- Management Firms
- Credit Rating Agencies
- Crypto-Asset Providers
- Credit Institutions
- Crowdfunding Services
Third Parties Are Now Subject to Regulation
With DORA in place, a financial organization’s previously unregulated supply chain partners may now expect to fall under the supervision of regulators. This includes third-party vendors that supply ICT software, but not hardware. These include:
- Brokers
- Providers of Digital & Data Services
- Crowdfunding Services
- Providers of Software & Data Analytics
- Data Centers
What Does DORA Mean for EU Financial Operations?
Building on Existing Compliance Initiatives
In many cases, financial organizations won’t have to start from square one to address the impact of DORA. You will already have many of the building blocks in place due to the operational requirements of NIS2, GDPR, PCI DSS, etc. Look at this as an opportunity to review what you already do and ensure those processes are up to date. Use this as the impetus to refresh your processing activities register and to re-engage the people in each area of the business who can help with “The DORA Project.”
How Do DORA and GDPR Compare?
No doubt your organization already has documented security policies in place for GDPR, but these will need to be supplemented and updated for DORA. DORA requires a risk assessment for each major change in the network and information system infrastructure, or in the processes or procedures, that affects their functions, supporting processes, or information assets. In certain cases, this will align with Data Protection Impact Assessments (DPIAs) under GDPR and can serve as the initial risk assessment to determine whether the change will require a DPIA to be conducted.
How to Prepare for DORA: Key Dates
The time to prepare for DORA compliance is now, despite what may seem like a long lead time. Below are the key dates as set forth in the articles of the regulation.
Impact and Cost of Non-Compliance
Financial Entities
Although monetary penalties have not yet been set, there is wording about “extensive fines” that will be imposed. Member States will lay down frameworks, and DORA leaves the door open for potential criminal liability for non-compliance.
Critical ICT Third-Party Service Providers
Monetary penalties may be up to 1% of a service partner’s average daily worldwide turnover in the preceding business year. These will be applied on a daily basis until compliance is achieved, for a maximum of six months.
DORA Compliance: People, Process, and Technology
It’s easy for non-technical people to underestimate the impact of a regulation like DORA. One key advantage of the regulation is that it helps to raise awareness at the leadership level about the need for investment in projects and teams that will ensure compliance. People, processes, and technology all play a role when it comes to implementing and enforcing an operational resilience strategy.
DORA and Cybersecurity
Working toward DORA compliance gives financial institutions and members of their third-party networks an excellent opportunity to take a fresh look at security vulnerabilities and everyday risk management practices. Addressing weak points can present a strategic advantage in an ever-challenging digital landscape and help address similar elements of multiple regulations.
How Fortra Solutions and Products Fit in the DORA Framework
Complying with DORA’s requirements will take time and careful planning. Understanding the existing state of your infrastructure allows you to assess risks and prioritize your remediation efforts with Fortra technology and services.
Mitigate Infrastructure and Software Risks Before They Become an Issue
Identify and address risks within your infrastructure, software, and web applications before an attacker can take advantage of them using Fortra solutions for:
Mitigate Threats to Your Resilience
Identify and address risks that could be introduced during day-to-day operations with Fortra solutions for:
Minimize the Impact of Attacks and Mistakes
Implement proven methods of identifying attacks and mistakes early and minimize the impact with Fortra solutions for:
We Can Help with DORA Compliance
Contact the professionals at Fortra for a free 30-minute consultation on what solutions are best for your organization. We’ll help you determine what you need to do next to be in compliance with DORA.