Digital Operational Resilience Act (DORA): How to Comply with this Landmark Regulation
The increasing frequency and sophistication of cyberattacks pose serious threats to global financial stability, according to a new report by the International Monetary Fund (IMF). In the past two decades, nearly one-fifth of reported cyber incidents have affected the global financial sector, causing $12 billion in direct losses to financial firms, the report notes.
Recognizing the need for resilient financial entities, the European Union has responded with the Digital Operational Resilience Act (DORA). This landmark regulation is designed to enhance the operational resilience of financial institutions by mandating stringent cybersecurity measures.
In this blog post, we'll delve into the specifics of DORA, its purpose, requirements, implementation timeline, penalties for non-compliance, and how Secureframe can simplify and expedite your path to compliance.
What is the Digital Operational Resilience Act?
The Digital Operational Resilience Act (DORA) is an EU regulation that aims to help financial entities and their providers of information and communications technology (ICT) withstand, respond to, and recover from all types of ICT-related disruptions and threats. By establishing robust standards for ICT risk management, incident reporting, operational resilience testing, and third-party risk monitoring, DORA seeks to improve the digital operational resilience of the EU's financial sector.
Although DORA overlaps with other regulations such as GDPR and NIS2, the applicability of the three frameworks is quite different. DORA is unique in its focus on strengthening the digital resilience of the European financial ecosystem and applies specifically to the financial sector, whereas NIS2 and GDPR apply to a much broader range of organizations.
DORA entered into force on January 16, 2023 and applies from January 17, 2025. As this enforcement date draws closer, it's important that organizations understand the scope, purpose, and requirements of DORA. We'll cover these below.
Who does DORA apply to?
The scope of DORA is broad within the financial sector. The new law applies to financial entities, which include most types of financial services entities regulated in the EU, such as banks, payment and e-money firms, investment firms, insurers, and crypto-asset firms.
DORA also applies to “critical” ICT third-party service providers of these financial entities. Providers are designated as critical based on several factors, including:
- the potential impact a large-scale failure would have on the provision of financial services
- the type and importance of entities that rely on the provider
- how easily the provider can be replaced
These providers will need to show they can comply with mandatory contractual provisions under DORA to continue servicing their clients in the EU.
What is the purpose of DORA?
The primary purpose of DORA is to bolster the operational resilience of financial institutions in the face of growing cyber threats. It does this in two significant ways. First, it aims to harmonize the various cybersecurity and risk management regulations that apply to financial entities across the EU. Second, it aims to offer a comprehensive framework that addresses several key aspects of risk management.
These key focus areas are:
- ICT risk management: Establishing comprehensive risk management frameworks to identify, assess, and mitigate ICT-related risks
- ICT-related incidents: Mandating timely and standardized reporting of significant ICT-related incidents to competent authorities
- Digital operational resilience testing: Requiring regular testing of ICT systems to identify and rectify vulnerabilities
- ICT third-party risk management: Ensuring that financial entities manage risks associated with third-party ICT service providers
- Oversight of critical third-party providers: Strengthening the governance framework to oversee ICT risk management practices effectively
- Information sharing: Exchanging information and intelligence on cyber threats
DORA requirements: How to comply with the regulation
The DORA regulation itself is almost 80 pages long and includes 64 articles. It defines several key areas of focus.
Below, we summarize the key requirements for DORA compliance.
1. Establish an ICT risk management framework
In-scope financial institutions must develop and maintain a robust ICT risk management framework that enables them to respond to risks quickly and comprehensively.
At a minimum, this framework should:
- Identify ICT-supported business functions: Clearly map out all business functions that rely on ICT systems and services.
- Identify ICT risks: Catalog all potential sources of ICT risks, including hardware, software, data, and communication systems.
- Address cybersecurity threats and vulnerabilities: Continuously monitor and evaluate cybersecurity threats and vulnerabilities, and implement measures (such as policies, procedures, and tools) to protect against these threats and regularly update them based on the evolving threat landscape.
- Mitigate identified risks: Develop and apply risk mitigation strategies to manage identified risks effectively.
2. Establish incident reporting processes and procedures
In-scope entities are required to establish processes and procedures for the timely detection, management, and reporting of ICT-related security incidents. Next steps may include:
- Implementing systems to detect incidents as they occur, including both automated and manual detection mechanisms.
- Developing a clear process for managing incidents once detected, including immediate response measures, investigation procedures, and remediation steps.
- Defining and adhering to strict timelines for reporting incidents to the relevant authorities, and ensuring these reports include detailed information about the nature of the incident, its impact, and the steps taken to address it.
3. Test your ICT system regularly
Regular testing of ICT systems is mandatory to ensure resilience against potential threats. In-scope entities are required to oversee the implementation and outcomes of resilience testing, including vulnerability assessments and penetration testing. Both types of testing can help identify and address security vulnerabilities in the entity’s ICT infrastructure.
It’s also important that in-scope entities use the results from these tests to improve and strengthen ICT security measures accordingly.
4. Establish a third-party risk management system
In-scope entities must ensure that their contracts with third-party ICT service providers (including new and existing contracts) meet the prescriptive requirements set out in DORA.
Contracts must include certain provisions that mandate adherence to the entity’s risk management standards, such as providing assistance with incident management and taking part in the entity’s security awareness and operational resilience training.
In-scope entities must develop and maintain a register of information on their ICT service providers and make it available to competent authorities at least every three years, or more often if engaging vendors for critical functions. This register of information should contain extensive due diligence records, including contractual agreements and reporting information.
5. Establish a clear governance structure
Management is responsible for approving and overseeing the implementation of an ICT risk management program and ensuring it aligns with and reflects their organization’s risk profile and tolerance. To do so, the organization must establish a clear governance structure. This involves:
- Defined roles and responsibilities: Clearly outline the roles and responsibilities of all individuals involved in ICT risk management, from senior management to operational staff.
- Active involvement of senior management and boards: Ensure that senior management and boards are actively involved in overseeing ICT risk management processes. They should be informed about significant risks and involved in decision-making processes.
- Regular reviews and updates: Conduct regular reviews of the governance structure and update it as needed to reflect changes in the organization or the threat landscape.
6. Establish processes for information sharing
Effective information sharing is crucial for maintaining operational resilience. In-scope entities are therefore responsible for promoting and evaluating the effectiveness of information-sharing arrangements regarding cyber threats and vulnerabilities. This includes mechanisms and processes for sharing information about ICT threats, incidents, and vulnerabilities within the organization and with external entities, such as industry partners, regulators, and other stakeholders.
By addressing these key requirements, financial institutions can ensure compliance with DORA and enhance their operational resilience against ICT-related threats.
DORA implementation timeline
The implementation of DORA follows a structured timeline to allow financial entities sufficient time to achieve compliance:
- Entry into Force: DORA entered into force on January 16, 2023.
- Transitional Period: Financial entities are granted a transitional period until January 17, 2025, to align their operations with the new requirements.
- Compliance deadline: By January 17, 2025, all financial institutions within the EU must fully comply with DORA.
DORA violations and fines: Penalties for non-compliance
Non-compliance with DORA can result in significant penalties, reflecting the regulation's stringent nature.
Financial institutions that fail to meet DORA requirements face fines of up to 2% of their total annual worldwide turnover. Individuals face a maximum fine of EUR 1,000,000 for non-compliance. The amount will depend on the severity of the violation and the financial entity's willingness to cooperate with authorities. Failure to report major ICT-related incidents or significant cyber threats as required under DORA may also result in fines.
Third-party ICT service providers designated as critical by the European Supervisory Authorities (ESAs) may face fines of up to EUR 5,000,000 for non-compliance. Individuals face a maximum fine of EUR 500,000.
Entities may face additional sanctions, including public censure, restrictions on business activities, or even the revocation of licenses in severe cases. Beyond financial penalties and sanctions, non-compliance can also lead to severe reputational damage, eroding customer trust and investor confidence.
How managed service providers can help entities meet the DORA compliance deadline
According to a McKinsey survey conducted in March 2024, only about a third of financial institutions were confident that they could fulfill all DORA regulatory expectations by January 2025. 31% doubted they would meet the DORA deadline while 38% were neutral. Moreover, all said they expected at least some DORA efforts to continue beyond the 2025 deadline.
A managed service provider (MSP) can help simplify and speed up the process. By leveraging the expertise and resources of MSPs, financial institutions can streamline their compliance efforts, quickly identify and address gaps in their ICT risk management practices, and ensure they meet the DORA compliance deadline.
Here are a few ways MSPs can help financial entities achieve DORA compliance efficiently and effectively:
- Conducting a gap analysis: A gap analysis is a critical first step in the compliance journey. It identifies the differences between the current state of an entity's ICT risk management and the requirements set forth by DORA. After evaluating any existing ICT risk management processes, incident response procedures, third-party risk management processes, and governance structures, MSPs can highlight where the entity's current practices fall short of DORA requirements and offer actionable recommendations to close those gaps and align practices with regulatory standards.
- Implementing an automated compliance tool: Beyond actionable recommendations, MSPs can go one step further in simplifying the DORA compliance process by implementing tools that automate compliance tasks, like evidence collection, policy management, and continuous monitoring, and reduce manual effort.
- Offering expert guidance: MSPs can help support financial entities throughout the compliance process, not just during the readiness phase. By offering expert guidance at all stages, MSPs can help entities navigate the complexities of DORA, implement best practices for ICT risk management, and integrate their efforts into an existing cybersecurity and compliance program.
- Conducting ongoing assessments: After helping the entity develop and implement a robust ICT risk management framework, as well as incident reporting procedures, TPRM processes, and more, MSPs can regularly assess the entity’s compliance status and identify any emerging gaps or issues.
If you need help finding a service provider to help you with DORA compliance, reach out to us directly at partners@secureframe.com.
Simplify and speed up DORA compliance with Secureframe
Achieving compliance with DORA can be a complex and resource-intensive process. In fact, the McKinsey survey revealed that most financial institutions are expecting to spend €5 to 15 million on DORA strategies, planning, design, and orchestration — and some early estimates for full implementation costs are coming in at five to ten times that range. Additionally, 40% of surveyed financial entities and ICT providers are dedicating more than seven full-time equivalents to their DORA compliance program.
Compliance automation solutions like Secureframe can significantly simplify and accelerate this journey, helping to reduce the effort and cost required to comply. Here are some key features and functionality that Secureframe offers:
- Automated control testing: Secureframe automates the testing of EU DORA requirements through integrations with your existing tech stack, ensuring continuous compliance with EU DORA requirements without the manual burden. With 110 controls aligned to EU DORA, you can be confident you'll be compliant with the regulation.
- Policies developed by experts: Secureframe offers policy and procedure templates, developed and vetted by compliance experts specifically for EU DORA. You can easily publish these documents, assign them to owners, and track policy acceptance and regular review within Secureframe.
- Compliance expertise: Our team of compliance experts and former security and compliance auditors provide essential support to help you navigate EU DORA requirements effectively and implement best practices for ICT risk management.
- EU-based support: Our dedicated team in the EU ensures that you receive timely and localized assistance.
- Continuous monitoring: Secureframe makes it easy to stay compliant with EU DORA. You can organize and schedule regular reviews of controls through the Secureframe platform, ensuring ongoing adherence to regulatory requirements.
Schedule a demo to see how financial institutions can confidently meet DORA requirements, safeguarding their operations and ensuring resilience against cyber threats, with Secureframe.
FAQs
What is DORA?
The Digital Operational Resilience Act (DORA) is a regulation enacted by the European Union to ensure that financial institutions can withstand, respond to, and recover from ICT-related disruptions and threats.
Why was DORA introduced?
DORA was introduced to enhance the operational resilience of financial institutions by mandating comprehensive risk management frameworks, incident reporting, third-party risk management, resilience testing, and governance measures.
What are the key requirements of DORA?
Key requirements include establishing a robust ICT risk management framework, timely incident reporting, managing third-party risks, conducting regular resilience testing, and implementing strong governance and oversight.
How can financial institutions manage third-party risks under DORA?
Institutions must ensure that third-party ICT service providers adhere to the same risk management standards through thorough due diligence and continuous monitoring.
What is involved in resilience testing under DORA?
Resilience testing involves regular testing of ICT systems, including penetration testing and vulnerability assessments, to ensure they can withstand potential threats.
What is the timeline for DORA implementation?
DORA came into force on January 16, 2023, and in-scope financial entities must fully comply by January 17, 2025.
What are the penalties for non-compliance with DORA?
Penalties include fines up to 1% of the institution's annual turnover, public censure, restrictions on business activities, revocation of licenses in severe cases, and reputational damage.
How can Secureframe help with DORA compliance?
Secureframe offers automated compliance management, continuous monitoring, centralized documentation, and expert support to simplify and expedite the compliance process.
What specific features does Secureframe provide to aid DORA compliance?
Secureframe provides automated workflows, continuous system and vendor monitoring, centralized compliance documentation, and expert guidance to help financial institutions meet DORA requirements effectively.