
Digital Operational Resilience Act (DORA)


Definition and scope of DORA

DORA stands for the European Union's (EU) Digital Operational Resilience Act, adopted in December 2022 as Regulation (EU) 2022/2554, which establishes a risk management framework intended to protect the EU financial sector from cyber threats and other ICT disruptions. It dictates steps that EU financial institutions must take to protect their information and communication technologies (ICT) and to keep operating when those technologies fail.

The scope of the Digital Operational Resilience Act is sweeping. It sets binding requirements, fleshed out by technical standards drafted by the European Supervisory Authorities, that financial institutions and their ICT service providers must implement in ICT systems. These requirements apply not just to EU-headquartered organizations, but to any financial institution authorized to operate in the EU and to the third-party service providers that support it.

Historical context and legislative journey

The primary driver behind the Digital Operational Resilience Act was the European Commission's recognition of the scale of ICT usage and financial institutions' reliance on it. As cyber attacks increased and cyber risks grew, the Commission sought to legislate cybersecurity best practices to protect the financial sector's ICT systems by strengthening them and ensuring their operational resilience. Another objective was to harmonize the disparate ICT risk management rules that had emerged across EU member states and sectoral regimes.

The importance of DORA in the digital era for financial entities

When the Digital Operational Resilience Act applies in full from 17 January 2025, financial institutions face rigorous ICT risk management, incident reporting, and testing requirements. These have far-reaching implications not just for ICT systems but also for adjacent systems and processes.

Additionally, these requirements extend far beyond individual financial institutions. The scale of the compliance effort is extensive, because every ICT third-party service provider must be assessed, recorded in a register of information, and bound by contractual terms that meet DORA's minimum requirements. DORA does not certify vendors; the financial institution remains responsible for the risk its providers introduce.

The core framework of DORA: The five pillars explained

The Digital Operational Resilience Act is based on five core principles or pillars. Together, these pillars address the core aspects of digital operational resilience.

1. ICT risk management requirements

The Digital Operational Resilience Act requires that financial institutions develop and implement a risk management program. This should follow a risk management framework based on international standards and must include a digital resilience strategy, cybersecurity training for all employees, including the management team, and regular audits. Organizations must have security controls to protect ICT assets and plans in place to recover them in case of attack or disaster.

2. ICT-related incident reporting

The ability to quickly and efficiently detect and respond to cybersecurity incidents is a fundamental objective of the Digital Operational Resilience Act. The regulation requires financial institutions to have comprehensive systems and processes in place to detect, respond to, and recover from cybersecurity incidents that put ICT systems at risk, as well as root-cause reports on significant issues.

DORA requires financial institutions to classify ICT-related incidents and to report major incidents to their competent authority in three stages: an initial notification shortly after the incident is classified as major, an intermediate report once the initial notification has been submitted, and a final report, due within one month of the latest intermediate report, that covers root cause, impact, and remediation. The regulation itself only instructs the ESAs to assess the feasibility of a single centralized EU hub for incident reporting; under DORA as adopted, reports go to the National Competent Authorities (NCAs), which forward them to the ESAs and other relevant bodies.
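The staged reporting clock is easy to get wrong in an incident-response playbook, because the initial notification has two competing deadlines and each later stage is measured from the previous submission rather than from detection. The following is an added example, not code from the original article or from any regulator: a small Python deadline calculator for a major ICT-related incident. The clock values (4 hours from classification as major, capped at 24 hours from detection, for the initial notification; 72 hours from the initial notification for the intermediate report; one month, approximated here as 30 days, for the final report) are taken from the DORA incident-reporting technical standards and should be treated as an assumption to verify against the text in force.

```python
"""Deadline calculator for DORA major ICT-related incident reporting.

Added example, not part of the original article. The clocks below follow
the incident-reporting technical standards as understood by the author of
this example; confirm them against the current text before relying on them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed reporting clocks (see module docstring).
INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)   # from classifying the incident as major
INITIAL_AFTER_DETECTION = timedelta(hours=24)       # hard cap measured from detection
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)    # from submitting the initial notification
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)       # "one month", approximated as 30 days


@dataclass
class IncidentTimeline:
    """Timestamps for one incident; all values must be timezone-aware."""
    detected: datetime
    classified_major: datetime
    initial_submitted: Optional[datetime] = None
    intermediate_submitted: Optional[datetime] = None
    final_submitted: Optional[datetime] = None

    def initial_deadline(self) -> datetime:
        # Two clocks run in parallel; the earlier one is binding. A slow
        # classification therefore never buys more than 24h from detection.
        return min(self.classified_major + INITIAL_AFTER_CLASSIFICATION,
                   self.detected + INITIAL_AFTER_DETECTION)

    def intermediate_deadline(self) -> Optional[datetime]:
        # Measured from the initial submission, so it cannot exist before one.
        if self.initial_submitted is None:
            return None
        return self.initial_submitted + INTERMEDIATE_AFTER_INITIAL

    def final_deadline(self) -> Optional[datetime]:
        if self.intermediate_submitted is None:
            return None
        return self.intermediate_submitted + FINAL_AFTER_INTERMEDIATE

    def status(self, now: datetime) -> dict:
        """Per-stage state: 'pending' (previous stage missing), 'due',
        'overdue', 'submitted' or 'submitted late'."""
        return {
            "initial": _stage(self.initial_deadline(), self.initial_submitted, now),
            "intermediate": _stage(self.intermediate_deadline(), self.intermediate_submitted, now),
            "final": _stage(self.final_deadline(), self.final_submitted, now),
        }


def _stage(deadline: Optional[datetime], submitted: Optional[datetime], now: datetime) -> str:
    if deadline is None:
        return "pending"
    if submitted is not None:
        return "submitted" if submitted <= deadline else "submitted late"
    return "overdue" if now > deadline else "due"


if __name__ == "__main__":
    # Constructed sample: detected early morning, classified as major that evening.
    utc = timezone.utc
    tl = IncidentTimeline(
        detected=datetime(2025, 3, 1, 8, 0, tzinfo=utc),
        classified_major=datetime(2025, 3, 1, 20, 0, tzinfo=utc),
    )
    print("initial deadline:", tl.initial_deadline().isoformat())
    tl.initial_submitted = datetime(2025, 3, 1, 23, 0, tzinfo=utc)
    print("intermediate deadline:", tl.intermediate_deadline().isoformat())
    print(tl.status(now=datetime(2025, 3, 5, 0, 0, tzinfo=utc)))
```

The `min()` in `initial_deadline` is the detail worth copying into a real playbook: a team that waits to finish classification can still blow the 24-hour cap, and the intermediate clock only starts once the initial notification is actually filed, so each submission timestamp has to be recorded, not just the detection time.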

3. Digital operational resilience testing

The Digital Operational Resilience Act requires organizations to conduct regular testing of ICT systems. Testing should include an assessment of procedures, tools, and methodologies to identify and prioritize vulnerabilities and direct remediation.

DORA requires testing of ICT systems and applications supporting critical or important functions at least once per year, and threat-led penetration testing (TLPT) at least every three years for financial entities that their competent authorities identify for it. To avoid parallel testing regimes, DORA's TLPT requirements are modelled on the TIBER-EU framework, a voluntary testing guideline developed by the European Central Bank that details how financial institutions should run intelligence-led red team tests of their live production systems.

4. Management of third-party risk, including service providers

To address cyber risk that comes from third-party service providers, the Digital Operational Resilience Act holds financial institutions responsible for mapping third-party dependencies and assessing any risk coming from these partners. This includes risks that could impact their cyber resilience, result in a data breach, or expose them to supply chain attacks. Financial institutions are required to conduct risk assessments before contracting, to maintain a register of information covering all contractual arrangements with ICT third-party providers, and to report on that register to their competent authority at least annually.

5. Information-sharing among financial entities

In an effort to increase visibility into the risk and threat landscape affecting EU financial organizations and foster collaboration on cyber threat defences, the Digital Operational Resilience Act encourages information sharing. Information sharing between financial institutions aims to improve awareness of cyber threats and response tactics to mitigate cyber risk across the sector.

The Digital Operational Resilience Act applies to all in-scope financial entities authorized to provide financial services in the EU, regardless of where they are headquartered. The regulation's main focus is on the finance industry, but it also reaches the ICT third-party suppliers and service providers that support it, both indirectly through contractual requirements and directly where a provider is designated as critical.

Comprehensive list of entities required to comply

According to Article 2, Scope, the types of financial entities that the Digital Operational Resilience Act requires to comply with the regulation are as follows:

  1. Account information service providers
  2. Administrators of critical benchmarks
  3. Central counterparties
  4. Central securities depositories
  5. Credit institutions
  6. Credit rating agencies
  7. Crowdfunding service providers
  8. Crypto-asset service providers authorized under the Markets in Crypto-Assets Regulation (MiCA), and issuers of asset-referenced tokens
  9. Data reporting service providers
  10. Electronic money institutions, including electronic money institutions which are exempted pursuant to Directive 2009/110/EC
  11. ICT third-party service providers
  12. Institutions for occupational retirement provision
  13. Insurance and reinsurance undertakings
  14. Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries
  15. Investment firms
  16. Management companies
  17. Managers of alternative investment funds
  18. Payment institutions, including payment institutions which are exempted pursuant to Directive (EU) 2015/2366
  19. Securitization repositories
  20. Trade repositories
  21. Trading venues

Understanding compliance obligations under DORA

In practice, compliance with DORA obliges a financial entity to provide or maintain the following:

  1. Audit access for regulators and for financial institutions assessing their suppliers
  2. Cyber threat intelligence sharing between financial institutions
  3. An incident classification and reporting process that delivers initial, intermediate, and final reports on major ICT-related incidents to the competent authority
  4. A map and register of all third-party ICT service providers, with an assessment of their risk posture
  5. Retrospective analysis of ICT incidents
  6. A risk management and governance framework with corresponding policies and programs
  7. Security testing programs with reporting on general testing and penetration test reporting

The role of European supervisory authorities in enforcement

For financial entities, the Digital Operational Resilience Act is enforced by regulators, referred to as competent authorities, in each EU member state. They have the authority to impose administrative penalties and remedial measures on organizations that fail to comply with the regulation, and member states may additionally provide for criminal penalties under national law. Each EU member state determines the specific penalties.

ICT third-party service providers designated as critical are subject to direct oversight. The designation is made by the three European Supervisory Authorities (ESAs), acting through their Joint Committee and using criteria specified by the European Commission:

  1. European Banking Authority (EBA)
  2. European Securities and Markets Authority (ESMA)
  3. European Insurance and Occupational Pensions Authority (EIOPA)

Day-to-day oversight of each critical ICT service provider under the Digital Operational Resilience Act is handled by a Lead Overseer, which is one of the three ESAs, chosen according to the financial entities the provider mainly serves. The Lead Overseer is supported by a joint oversight network and an Oversight Forum that include the other ESAs, the national competent authorities, and the European Union Agency for Cybersecurity (ENISA).

The Lead Overseer can impose periodic penalty payments on a non-compliant critical ICT service provider of up to 1% of its average daily worldwide turnover in the preceding business year, charged for each day of non-compliance for up to six months, until compliance is achieved.

Operationalizing DORA in your organization

Like many regulations, operationalizing the Digital Operational Resilience Act is often a matter of adjusting and augmenting existing systems and processes. The biggest lift for most organizations is the requirement to assess and monitor third-party ICT service providers. The following provides an overview of how to operationalize DORA effectively.

Steps towards achieving compliance with the DORA regulations

The following are general steps to help financial entities achieve compliance with the Digital Operational Resilience Act.

  1. Determine the applicable scope.
    Review the list of entities in Article 2 of the Digital Operational Resilience Act that are required to comply with DORA to confirm that DORA regulations are applicable to the organization.
  2. Understand the compliance requirements.
    Determine what is required of the organization to meet the requirements set forth in the Digital Operational Resilience Act.
  3. Conduct a cyber risk assessment.
    Assess how the organization's and its third-party ICT service providers' systems and processes align with the Digital Operational Resilience Act requirements and document gaps.
  4. Engage teams across the organization.
    Include teams outside of the IT group to ensure that all cyber risks and gaps are identified. This also ensures that the compliance strategy is comprehensive and meets the needs of other groups.
  5. Develop an operational resilience strategy.
    If a resilience strategy is in place, review it to confirm that it meets the Digital Operational Resilience Act requirements and modify it accordingly. If one has not been developed, create a comprehensive strategy for ensuring business continuity in the event of a security incident impacting ICT systems, as well as responding to cyber threats, data breaches, and other issues or disruptions.
  6. Define responsibilities.
    According to the Digital Operational Resilience Act, the management body (the board of directors and executive team) is responsible for managing ICT risk and ensuring operational resilience. It is critical that functions be delegated and overseen by leadership. Key areas to focus on include:
    - Security policies to ensure data security
    - Management and governance of ICT-related functions and systems
    - Reviews of the digital operational resilience strategy and associated systems and programs
    - Assessments of ICT service providers
    - Budget to support operational resilience efforts
  7. Identify and assess third-party ICT service providers.
    Map all third-party ICT service providers and develop a plan for assessing their cyber risk and cyber resilience based on the Digital Operational Resilience Act criteria. Implement processes for ongoing monitoring and regular testing.
  8. Test systems and processes.
    Perform regular digital operational resilience testing to confirm compliance and identify any deficiencies or areas for optimization. Where the competent authority requires it, threat-led penetration testing (TLPT) should also be conducted at least every three years, following the TIBER-EU framework on which DORA's TLPT standards are based (the UK's CBEST is a comparable national scheme, but not a DORA framework).
  9. Develop an incident response plan.
    Be ready to quickly and effectively respond to an incident by developing a comprehensive incident response plan that encompasses both technical responses as well as communication protocols, including the regulatory reporting deadlines. Assign roles for each function and practice them. The incident response plan must also be tested and reviewed on a regular basis.
  10. Build a training program.
    Create an employee training program that generates and enforces awareness of digital operational resilience and individuals' roles in maintaining it. Focus on the importance of cybersecurity and steps to minimize cyber risk.
  11. Monitor ICT systems.
    Use tools to automate the monitoring of ICT systems to identify cyber risk and cyber threats proactively.

Implementing an ICT risk management framework

The following are the basic steps to implement an ICT risk management framework as required by the Digital Operational Resilience Act. Each organization will have unique requirements and sub-steps, but these steps provide a broad overview of what is involved.

  1. Prepare by understanding all of the requirements for ICT risk management as well as the entities and individuals involved in all areas of it.
  2. Categorize ICT systems and detail their functions, data collected, connections to other systems, and user access.
  3. Select and implement security controls for ICT systems, including those that cover technical, operational, and physical protection and digital resilience.
  4. Assess the accuracy and efficacy of ICT security controls to identify any gaps or vulnerabilities.
  5. Implement processes for continuous monitoring of ICT systems to identify and respond to threats and cyber risks as quickly as possible.

Best practices for incident reporting and resilience testing

Incident reporting and resilience testing are pillars of the Digital Operational Resilience Act. Best practices to facilitate these critical functions include the following.

Incident reporting best practices start with defining what an incident is and establishing categories of incidents. In the wake of an incident, a comprehensive report should include the following:

  1. General information about the incident—when it occurred and a summary of what happened
  2. Chronology of the incident and the response tactics
  3. Setting or environment where the incident occurred
  4. Affected people, organizations, and systems, as well as the damage
  5. Witnesses and teams involved in detecting and remediating the incident and what they saw and did
  6. Supporting visuals in the case of physical incidents
  7. Immediate response tactics, as well as planned remediation tactics

To ensure the efficacy of a cyber resilience plan, it is important to test it. The following are several considerations when performing cyber resilience testing.

  1. Define cyber resilience metrics, such as time to recovery
  2. Establish baselines for digital operational resilience metrics
  3. Simulate cyber attacks or system disruptions
  4. Test digital operational resilience and incident response plans as well as employees' knowledge of cyber resilience and cybersecurity best practices and their roles
  5. Use results from testing to update and improve digital operational resilience strategies and associated plans

Managing third-party and ICT-related risks

The following should be considered when managing ICT risks from third-party service providers to meet Digital Operational Resilience Act requirements.

When evaluating potential ICT service providers, start by determining the criticality of the service being provided. The depth of the assessment should be commensurate with this.

Once an ICT service provider has been selected, build minimum requirements for digital operational resilience and cybersecurity into the contract. Also, processes and metrics for monitoring and testing compliance with these requirements must be established.

Ensure that business continuity and recovery plans are in place for every ICT service provider supporting critical or important functions, including an exit strategy for leaving the provider without disrupting service and backups of all critical data.

The Digital Operational Resilience Act is expected to materially improve the overall operations and security of the financial services industry both in the EU and abroad.

This is because of the requirements of third-party ICT service providers and the fact that the regulation impacts any organization operating in the EU.

Enhancing operational resilience in the face of digital threats

The specific cybersecurity requirements mandated by the Digital Operational Resilience Act are designed to ensure business continuity in the event of a cyber attack or other incidents that impact ICT systems. The regulation codifies cyber best practices into law and applies them to the sprawling financial services ecosystem.

The role of DORA in fostering a harmonized European financial ecosystem

A key driver of the Digital Operational Resilience Act was to harmonize standards across the EU. DORA creates a unified regulatory environment that streamlines compliance and helps financial entities and third-party ICT service providers deliver the same high level of resilience and cybersecurity.

Potential challenges and considerations for the future

Effectively implementing processes and systems to meet the requirements for compliance with the Digital Operational Resilience Act will be a challenge for many organizations. Issues commonly cited include:

  1. The lack of a clear, shared definition of operational resilience
  2. Missing processes and infrastructure for incident reporting and information sharing
  3. Difficulty in assessing and identifying the full scope of cyber risks that impact digital resilience, particularly across the third-party supply chain

Conclusion: Embracing digital operational resilience for sustainable success

Following the requirements for compliance with the Digital Operational Resilience Act not only helps organizations avoid penalties but also provides a model for sustainable cyber resilience and cybersecurity.

Summary of key takeaways about DORA

Understanding the five pillars of the Digital Operational Resilience Act is paramount to ensuring compliance and enabling optimal performance of all systems and operations. Any financial institution, regardless of whether DORA applies, can benefit from the guidance set forth in the five pillars:

  1. ICT risk management requirements
  2. ICT-related incident reporting
  3. Digital operational resilience testing
  4. Management of third-party risk, including service providers
  5. Information-sharing among financial entities

The importance of proactive engagement with DORA requirements

With a rapidly evolving technology ecosystem and threat landscape, organizations must stay vigilant. Take time to stay informed about the latest solutions available to support digital operational resilience and cybersecurity defences. Also, monitor threat intelligence from internal and external sources to inform cyber defence and digital operational resilience strategies and tactics.

Final thoughts on preparing for a resilient digital future in finance

The Digital Operational Resilience Act presents an opportunity for finance organizations to assess and enhance their security and resilience posture. The requirements for third-party ICT service providers extend this to the broader business community. This promises to deliver far-reaching benefits as organizations will be better prepared to achieve high levels of digital operational resilience.
