DORA stands for the Digital Operational Resilience Act, which is a European Union regulation that came into force on 16 January 2023 and will be applicable from 17 January 2025.
The purpose of DORA is to ensure financial entities such as banks, insurance companies, and investment firms have appropriate IT security. This allows them to stay resilient and operational in a “worst-case” scenario event, thereby providing financial protection to their customers.
As the world becomes ever more dependent on technology, there is an increasing number of highly sophisticated and evolving cyber-attacks, hacking, and financial scams.
A report from IT Governance already totals 2,265,054,405 European breaches across 457 incidents in 2024 alone.
The financial sector, more than any other, remains highly vulnerable to cyber-attacks or incidents, with the impact of such attacks having potentially disastrous consequences.
In 2020, the EU Systemic Risk Board examined cyber risk in the EU financial sector and found that risks arose from the way many businesses utilise technology and networks.
The report concluded that factors such as interconnected CRM, payment, and finance systems, the use of third-party providers and suppliers, and businesses operating across borders and jurisdictions, have resulted in financial entities being at a higher risk of attack than ever before.
To achieve its objective of strengthening IT security in financial entities, DORA is divided into 5 key requirements or “pillars”.
Financial entities must effectively manage risks related to their information and communication technology (ICT) systems. This requires them to establish “an internal governance and control framework” for overseeing the entity's risk management activities. This process must define the methods to address ICT risk and achieve ICT objectives.
Financial entities must ensure resilience when relying on third-party providers for critical ICT services, on the principle that the financial entity remains responsible for its obligations under this regulation and cannot contract them out. Financial entities are required to conduct a comprehensive assessment to identify and address potential risks before entering into any contractual arrangements for ICT services.
All major incidents affecting ICT systems must be promptly reported to the relevant supervisory authority. A “major” incident is defined as “an ICT-related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity.”
Entities will be required to notify authorities of an incident, provide an interim report detailing progress in resolving the incident, and a final report that provides details of the root cause and actions taken to prevent recurrence.
Regular testing (at least once a year) of ICT systems is required to assess the effectiveness of the financial entities' digital operational resilience. Larger firms are also required to carry out threat-led penetration testing every three years.
Financial entities must collaborate and share intelligence to enhance overall resilience. Information on cyber threats can (and should) be securely shared between entities in compliance with the General Data Protection Regulation (GDPR).
Although DORA can undoubtedly offer the reassurance of data security and management that is required, the timescale for implementation and compliance is challenging, particularly as the technical details needed for effective compliance were not immediately available when it was first announced.
With the transition changes required for ISO 27001:2022 and DORA, this is a difficult time for many organisations within the financial sector that must meet both to remain compliant.
It should also be noted that DORA is an EU regulation, which means that it acts as primary legislation in each member state without needing to be passed into law separately by each EU country. As a result, the requirements are consistent across the whole of the EU.
Any ICT service provider that any given financial entity designates as providing a critical function, under the requirements of DORA, will now come under the direct scrutiny of the relevant regulatory authority.
The provider will need to give the entity assurance that it can fully meet all the requirements under the pillars of the DORA framework, which could prove challenging for some providers, depending on their experience of resilience monitoring and controls.
While the UK is no longer an EU member, DORA will still apply to any UK financial service firm that is operating in the EU. The UK is also not immune from the risks that prompted DORA for EU financial entities.
The UK authorities similarly recognised that whilst technology services such as cloud computing and data analytics can bring multiple benefits as part of digital transformation, this increased reliance on third parties also poses similar growing risks.
In 2021, the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England (collectively the UK supervisory authorities) introduced new rules to strengthen the operational resilience of UK financial entities.
Similarly to DORA, the UK supervisory authorities hold financial entities responsible and ultimately accountable for their operational resilience, regardless of whether or not they rely upon third parties to support the delivery of their business services.
DORA is more prescriptive around ICT and cyber resilience than current UK operational resilience regulation. UK entities must determine whether their financial market activities take place within EU territories and, if so, whether they fall within the scope of DORA.
Although there is a two-year readiness period, the organisations affected, estimated at over 20,000 financial entities and ICT service providers, have a lot to consider. For any business that is currently without a robust and detailed ICT resilience programme, preparing for DORA will be a significant undertaking.
Similar to how ISO 27001 certification requires maintaining and reviewing information security across an organisation, DORA explicitly requires maintaining and improving systems to ensure future resilience. Therefore, DORA must not be considered a one-off requirement.
DORA, which came into force on 16 January 2023, is a crucial EU regulation aimed at enhancing the digital operational resilience of financial entities. It covers a wide range of institutions including banks, insurance companies, and investment firms.
Compliance with DORA is mandatory and financial institutions must adapt to its provisions to ensure robust cybersecurity and operational continuity.
Digital Operational Resilience Act (DORA), EIOPA, 2024
Data Breaches and Cyber Attacks in 2024 in Europe, IT Governance, 2024
Sam Kendall, 07.06.24
Sabrina McClune, 07.06.24