5 Things CISOs Should Know about the Digital Operational Resilience Act (DORA) Regulation
ExtraHop
October 29, 2024
What is the DORA Regulation?
The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that aims to ensure that the EU financial sector can withstand and recover from severe information and communication technology (ICT) disruptions, and that an incident does not devolve into a systemic risk that threatens financial stability.
Like the EU’s General Data Protection Regulation (GDPR), which harmonizes disparate data privacy laws across the EU, DORA consolidates and upgrades ICT risk management requirements that have historically been addressed through a myriad of legal acts.
With one overarching regulation for all EU countries, DORA seeks to reduce the administrative burden associated with duplicative obligations, strengthen several requirements, and support a smooth, rapid exchange of information with competent authorities to address ICT risk in the event of a large-scale attack with potentially systemic consequences.
What are the systemic risks that DORA seeks to prevent?
The financial system relies on robust ICT infrastructures to function and to maintain the confidentiality, integrity, and availability of data and systems as cyber incidents increase in frequency and impact.
In February 2020, the European Systemic Risk Board (ESRB) published a systemic cyber risk report that identified ICT risk as a source of systemic risk to the financial system, with the potential to have serious negative consequences on the economy. The interconnectedness of information systems enables cyber incidents to spread quickly and widely, across sectors and geographical borders. An operational outage in one organization can rapidly escalate to a liquidity crisis, leading to a systemic crisis that threatens the global economy and erodes trust in the financial system. Consequently, in September 2020, DORA, the regulation of the European Parliament and Council on digital operational resilience for the financial sector, was proposed.
What types of entities are regulated by DORA?
DORA applies to a wide range of financial entities operating in the EU, even if they’re headquartered elsewhere, including traditional banks, investment firms, insurance providers, and payment processors, as well as non-traditional entities like crypto-asset service providers and crowdfunding platforms. It does not apply to small or medium-sized enterprises.
For the first time ever, DORA will enable financial regulators to directly supervise third-party ICT providers that are deemed critical to financial services, no matter where these organizations are headquartered. If they provide services to large financial entities operating in the EU, then they are bound by DORA, even if they’re based outside the EU. Critical third-party providers (CTPPs) that supply financial firms with ICT systems and services—such as cloud service providers, data centers, and data service providers—must comply with DORA requirements.
No matter where it is headquartered, any financial entity or CTPP must comply with DORA in its EU operations and will need to decide whether to implement DORA outside of its EU operations as well. Regulators across the world are watching DORA closely, and will likely implement parts of it in their own resilience regulations.
When will DORA be enforced?
DORA entered into force and became legally binding on January 16, 2023.
On January 17, 2025, DORA will apply: the European Supervisory Authorities (ESAs) will begin their oversight and CTPP designation activities, and fines can be imposed for noncompliance.
What are the requirements of the DORA regulation?
DORA provides a governance and control framework to ensure effective and prudent management of ICT risk to achieve a high level of digital operational resilience. This framework has five core pillars:
- ICT Risk Management - includes identifying, classifying, and continuously monitoring all information and ICT assets supporting critical business functions; promptly detecting anomalous activities; triggering incident response processes; and analyzing the causes of disruption.
- Incident Management - includes addressing the root cause of incidents to prevent reoccurrence and ensuring that reporting to competent authorities includes all information necessary to determine the significance of the incident and assess any cross-border impact.
- Operational Resilience Testing - includes maintaining a comprehensive testing program that uses a range of assessments, methodologies, and tools; follows a risk-based approach that takes into account the evolving threat landscape; and incorporates threat-led penetration testing (TLPT) on critical or important functions.
- Third-Party Risk Management - includes employing stricter requirements for contractual arrangements with CTPPs, emphasizing a clear allocation of responsibilities, data protection, incident response obligations, exit strategies, and access rights.
- Information Sharing - includes exchanging cyber threat information and intelligence within trusted communities of financial entities, such as FS-ISAC.
Learn how modern NDR can help you comply with DORA
For a deeper look into how modern network detection and response (NDR) solutions can help financial entities comply with DORA, and maintain the security and availability of critical business services so the financial sector continues uninterrupted, download the DORA whitepaper.