The Digital Operational Resilience Act explained

The Digital Operational Resilience Act (“DORA”) is part of the regulatory package adopted in 2020 by the European Union Commission to further enable and support the potential of digital finance in terms of innovation and competition, while mitigating the risks arising from it.

With the Network and Infrastructure Security (NIS2) Directive also recently approved by the EU parliament, DORA Regulation aims to consolidate and harmonize essential cybersecurity requirements with regards to digital and operational resilience in the financial sector.

DORA is a landmark piece of legislation for the financial industry and it is positioning the EU at the forefront of technology regulations.

Why DORA

With the Financial Sector concentrating more than 20% of the global cyberattacks, any destabilization of a financial entity has multiple and critical impacts for the whole economic ecosystem.

The growth and severity of cyber-attacks, the rising sophistication of hackers’ techniques, the danger of systemic consequences, and the gaps in the existing regulatory framework led to the conception of DORA. The goal is to uniformly regulate “operational resilience” in the financial sector in the EU.

Over the past decade, we acknowledge that, information and communication technology (ICT) has revolutionized the financial sector and gained a central role in its daily operations.  However, digital transformation has not been supported by adequate awareness and management of the cyber risks the sector is increasingly exposed to.  Also, cybersecurity provisions have so far remained scattered in different EU acts, not always consistent with each other and differentiated at the national level.

With DORA, the goal is thus to mandate the adoption of standardized cybersecurity requirements necessary to ensure that financial entities operating in the EU are better positioned to prevent, respond and recover from the impacts of ICT incidents, thereby continuing to deliver critical and important functions and minimizing disruption for customers and for the financial system.

Accordingly, this means establishing robust measures and controls on systems, tools and third parties, having the right continuity plans in place, and testing their effectiveness.

DORA in a nutshell: what does it change?

DORA establishes a streamlined digital operational resilience framework across the EU financial sector and is also setting a new oversight framework for ICT third-party service providers to financial entities.

DORA introduces new requirements across five pillars:

  1. ICT Risk Management: DORA raises requirements for appropriately managing ICT risks, including policies, procedures and tools for risk identification and minimization. As well, as part of the continuous improvement processes, DORA introduces compulsory training on digital operational resilience for the management body but also for the whole staff, as part of their general training package. 
  1. ICT Incident Reporting: DORA enforces improved monitoring, detection, and reporting of cyber threats and attacks in the financial sector. As a result, while all reports are collected in a central hub, the reporting process is to be standardized.
  1. Digital Operational Resilience Testing: DORA expands security testing requirements and seeks to establish an EU testing standard. Assessments of vulnerabilities and network security, gap analyses, software solution testing, threat led penetration-testing (TLPT), and third-party risk surveys are covered by these requirements. As far as TLPT are concerned, they will be mandatory for the largest entities and the “TIBER” methodology existing for the banking entities will most likely be adopted for the whole financial sector.
  1. ICT Third-Party Risk Management: Although there is overlap with the existing rules set in the outsourcing guidelines from the European Banking Agency (“EBA”), DORA requires financial institutions to assess and document the risks associated with ICT service providers, such as cloud services for instance, and to have a dedicated register. Contracts with these companies will have to comply with DORA, with tighter measures for third-party suppliers that will be classified as ‘critical’. Criteria to assess this notion of criticality are still under discussion. However, it is important to underline that those companies will be subject to direct regulatory oversight from a lead overseer
  1. Information and Intelligence Sharing: DORA promotes information-sharing arrangements among financial entities with a view to enhancing digital operational resilience, in particular by raising awareness of cyber threat information and intelligence, including indicators of compromise, tactics and cyber security alerts.

To whom does it apply? 

The scope of the DORA is vast and regulation will impact almost everyone in the financial sector.  Indeed, it will apply not only to “traditional” financial institutions (e.g., banks, investment firms, and insurance companies) but also to “new players” in the market, such as payments and e-money institutions, credit rating agencies ore crypto-asset service companies. Initially, audit firms were included but they are finally out of scope. Overall, more than 22,000 financial entities are concerned across the EU.

In addition, depending on their function in the supply chain, critical ICT service providers (e.g. cloud service providers) may be directly or indirectly covered by DORA, whether they are European or not.

How about the legislative timeline?

DORA entered into force on 16th January 2023 and firms will face a tight 24-month implementation period to be compliant. In the meantime, the designated European Supervisory Authorities (“ESA”) are currently finalizing some key technical standards, namely Regulatory Technical Standards (“RTS”) and Implementing Technical Standards (“ITS”). Financial entities will have to comply with, whilst national competent authorities will oversee compliance and enforce the regime as required. Some further articulation of the roles of the European Union Agency for Cybersecurity (“ENISA”) with their local counterpart in each country, e.g. “ANSSI” in France, will also be provided.

The new rules will then fully apply from 17th January 2025.

How to prepare for the DORA regulation?

In order to be meet this crucial deadline, we recommend organizations to take the following steps at the earliest:  

  • Perform a maturity assessment against DORA requirements, with associated gap analysis and mitigation plan to reach compliance at the soonest,
  • Assess Response and Recovery Strategies,
  • Start working on consolidation of the register of information for all ICT third party providers,
  • Implement a robust operational resilience testing programs with Threat-Led Penetration Testing Framework when required,
  • Raise awareness and start training your staff on digital operational resilience,
  • Involve Senior Management / C-Suite, as stakeholders need to play a pivotal role into operational resilience.

January 2025 is coming fast and achieving all of this will be a significant task.

As a consequence, getting a head start will buy firms valuable time to be fully compliant. It will be critical for all financial entities to take a proactive and informed approach. We recommend them to carry out preparatory activities to determine the actual impact of DORA on their organization and thus be ready when it is implemented. DORA is an opportunity for all of those who will tackle the regulation in a proactive and business-oriented manner.