What is DORA?

The Digital Operational Resilience Act is a European Union (EU) regulation that targets how financial institutions and their information and communication technology (ICT) partners manage cyber risk. It creates a binding oversight framework and establishes technical standards that EU financial entities and their service providers must implement in their ICT systems.

History of DORA

The European Commission originally proposed DORA in September 2020, and the European Parliament passed it two years later. Finally, on January 17, 2024, the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA) published the final technical standards. DORA officially came into force the same day.

Now, EU financial entities and ICT service providers have until January 17, 2025 to comply with their DORA requirements. From that date, each EU Member State will begin enforcing compliance. Designated regulators, known as “competent authorities,” can request that entities take specific security measures and remediate known vulnerabilities.

Noncompliance penalties are also severe. For example, ICT service providers deemed “critical” by the European Commission will be supervised by “Lead Overseers.” These organizations can penalize noncompliant providers with fines of up to 1% of their average daily worldwide turnover from the previous business year.

What is cyber resilience?

DORA is designed to strengthen “cyber resilience” for regulated financial entities. This term encompasses an organization’s ability to uphold operational integrity and business continuity amidst disruptions, such as data breaches and cyber attacks.

Continuity is especially vital in the financial sector, where ICT systems play a key role in how consumers access and manage their funds. According to ESMA, financial services have become heavily reliant on digital technologies to conduct day-to-day operations. That dependency, in turn, has increased cyber risk exponentially.

Indeed, even a single ICT incident can have major ripple effects on critical infrastructure. When not managed properly, risks can disrupt financial service delivery, which can impact other entities, sectors, and even the European economy altogether.

Imagine a scenario in which an investment bank’s third-party trading platform goes offline during a denial-of-service attack. Not only would this disrupt the end-user experience, but it could also cost clients a lot of money on the market.

To make matters more complicated, geopolitical events have given rise to state-sponsored attackers and rogue hacktivists targeting financial services. Russia’s war in Ukraine, for instance, inspired pro-Russian cybercriminals to attack the European Investment Bank’s network infrastructure in 2023. Fortunately, the incident only briefly impacted the availability of its website.

Why is DORA important?

Financial service providers are at risk. DORA aims to bolster cyber resilience in two ways:

  1. Address ICT risk management for financial institutions at scale
  2. Harmonize risk management regulations into one cohesive framework

Previously, EU regulations primarily focused on ensuring financial firms had enough capital to cover operational risks and disruptions. Some regulators released guidelines on ICT risk management, but they didn’t apply to all entities the same. Plus, they were based on general best practices — not technical standards.

Without a unified oversight framework, each EU Member State issued its own requirements. This created a maze of disjointed regulations that cross-border enterprises couldn’t easily navigate.

DORA solves this problem with one set of rules for all covered entities regardless of where they operate in the EU. By harmonizing risk management in the financial sector, DORA minimizes confusion and raises the bar for ICT security and business continuity.

What organizations must comply with DORA requirements?

DORA most directly impacts organizations that provide financial services in the European Union. That includes banks, credit unions, investment firms, insurance companies, and other types of financial institutions. However, the scope doesn’t stop there.

ICT service providers are also subject to DORA compliance. In other words, any technology company that delivers ICT systems to the EU financial sector must adhere to its regulations. Under DORA, that includes any ICT provider based outside the EU that still operates within its jurisdiction.

Let’s say your organization is based in the United States and supplies cloud services and data analytics to Austrian clients. In this case, your company must establish a subsidiary within the EU to facilitate effective governance.

Altogether, per PricewaterhouseCoopers (PwC), DORA applies to over 22,000 financial firms and ICT service operators.

5 pillars of DORA compliance

DORA’s comprehensive framework is structured around five pillars. Each addresses a different aspect of cyber resilience and risk management, but in combination, they form the foundation for a strong and secure financial sector.

1. ICT risk management and governance

Per Article 5, management bodies are responsible for implementing a “sound, comprehensive, and well-documented” ICT risk management framework that enables them to mitigate cyber risk and ensure operational resilience at a level commensurate with their business needs, size, and complexity. Leaders who fail to do so can be held personally liable for noncompliance.

Broadly, organizations are required to have systems in place to maintain business continuity in the event of an ICT incident. Risk management frameworks should include strategies, policies, procedures, and tools to protect physical components and digital infrastructure from unauthorized access or damage.

Additionally, businesses are required to:

  • Map their ICT systems to identify critical assets, functions, and dependencies between providers.
  • Conduct regular risk assessments on their ICT systems to document, classify, and plan for cyber threats.
  • Complete business impact analyses to understand how severe disruptions might affect operations.
  • Implement suitable cybersecurity measures, such as identity and access management (IAM) tools, automated threat detection systems, and so on.
  • Establish business continuity and disaster recovery plans for cyber attacks, service failures, and natural disasters.
  • Complete post-incident reviews to learn from past events and drive continuous improvement.

2. Incident reporting

Article 15 requires financial entities to establish and implement an ICT-related incident management process. Specifically, organizations must put early warning systems in place to detect, mitigate, and report incidents as quickly as possible. They’re also required to establish processes for monitoring incidents during and after the fact, allowing teams to identify and eradicate their root causes.

According to Articles 16-20, organizations must also:

  • Classify ICT-related incidents with the criteria that apply to different impact levels.
  • Create a common template or procedure for reporting incidents to the supervisory authority.
  • Inform end users and customers about a major incident without delay, along with the measures being taken to mitigate its consequences.
  • Report events by the end of the business day or, if the incident occurs within two hours of the end of the business day, within four hours of the start of the next business day.

Notably, DORA requires entities to file three different types of reports:

  1. An initial report to notify the authorities
  2. An intermediate report to communicate progress toward resolving the incident
  3. A final report analyzing the incident’s root causes and how they were resolved
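To make the reporting timeline above concrete, the following added example (not code from Entrust or from the DORA text) computes the initial-report deadline from the detection time using the page's own rule: end of the business day, or four hours into the next business day when the incident falls within two hours of close. Business hours of 09:00 to 18:00, a Monday-to-Friday working week, the treatment of after-hours and weekend detections as falling under the next-business-day rule, and the function names are all assumptions made for illustration; DORA itself defines none of them.

```python
from datetime import datetime, time, timedelta

# Assumed business hours for the worked example; the regulation does not define them.
BUSINESS_START = time(9, 0)
BUSINESS_END = time(18, 0)
LATE_WINDOW = timedelta(hours=2)   # "within two hours of the end of the business day"
GRACE_PERIOD = timedelta(hours=4)  # "within four hours of the start of the next business day"


def next_business_day_start(moment: datetime) -> datetime:
    """Return BUSINESS_START on the first weekday after moment's date.

    Weekends are skipped; public holidays are ignored (assumption).
    """
    day = moment.date() + timedelta(days=1)
    while day.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        day += timedelta(days=1)
    return datetime.combine(day, BUSINESS_START)


def reporting_deadline(detected: datetime) -> tuple[datetime, str]:
    """Map an incident detection time to the deadline for the initial report.

    Returns (deadline, rule_applied). Detections exactly two hours before close
    are treated as still within the same business day (boundary assumption).
    Detections after close or on a weekend are treated like the late-in-day
    case, since they leave even less of the business day to report in (assumption).
    """
    close = datetime.combine(detected.date(), BUSINESS_END)
    on_weekend = detected.weekday() >= 5
    if not on_weekend and detected <= close - LATE_WINDOW:
        return close, "end of business day"
    return next_business_day_start(detected) + GRACE_PERIOD, "four hours into next business day"


if __name__ == "__main__":
    # Constructed sample detection times (March 2024: the 12th is a Tuesday, the 15th a Friday).
    samples = [
        datetime(2024, 3, 12, 10, 0),   # mid-morning: report by close of the same day
        datetime(2024, 3, 12, 16, 30),  # within two hours of close: next-day rule
        datetime(2024, 3, 15, 17, 0),   # late Friday: next business day is Monday
        datetime(2024, 3, 16, 11, 0),   # Saturday: next business day is Monday
    ]
    for detected in samples:
        deadline, rule = reporting_deadline(detected)
        print(f"detected {detected:%a %Y-%m-%d %H:%M} -> report by {deadline:%a %Y-%m-%d %H:%M} ({rule})")
```

The useful part for an incident-response runbook is that the deadline is a pure function of the detection timestamp, so it can be attached to the ticket the moment an event is classified as major, rather than worked out by hand during the incident.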

3. Digital operational resilience testing

DORA establishes a few baseline requirements related to resilience testing. Conducting tests allows organizations to assess preparedness for ICT-related incidents, detect vulnerabilities, and implement corrective measures.

Per Article 21, entities must:

  • Establish a testing program that matches their size, business, and risk profiles
  • Include a range of assessments, tests, methodologies, and tools
  • Follow a risk-based approach taking into account the evolving landscape of ICT risks
  • Ensure tests are undertaken by independent parties
  • Prioritize, classify, and fully remedy all discovered issues and vulnerabilities
  • Test all critical ICT systems and applications at least annually

Additionally, Article 23 states financial entities should also conduct threat-led penetration testing at least every three years. This aims to address higher levels of risk exposure, such as underlying ICT processes that support critical functions and services (including those outsourced to a service provider).

4. Third-party risk management

DORA expects financial firms to actively manage their third-party risk landscape and keep operational resilience in mind when negotiating contractual arrangements. Specifically, DORA establishes the following rules regarding third-party risk management:

  • Financial entities must keep a register of information relating to contractual agreements with third-party ICT service providers.
  • Firms must report to competent authorities at least once per year on how many new contracts they have signed with ICT suppliers.
  • Entities should practice due diligence when evaluating contracts by identifying all relevant risks and potential conflicts of interest. They must also negotiate stipulations involving exit strategies, audits, and performance targets for accessibility and security.
  • The rights and obligations of the financial entity and the ICT third-party service provider should be allocated and set out in writing, accessible to both parties.
  • Critical ICT providers are subject to direct oversight from a relevant supervisory authority.

According to the regulation, entities are forbidden from contracting with ICT companies that fail to meet the appropriate technical standards. Competent authorities may even suspend or terminate agreements that don’t comply.

5. Information sharing

Although not strictly enforced, DORA also encourages collaboration among trusted financial entities, hoping to:

  • Raise awareness of ICT-related risks
  • Minimize the spread of ICT threat vectors
  • Share defensive techniques, mitigation strategies, and threat intelligence

DORA vs. NIS 2

DORA is one of several pieces of EU legislation related to cyber resilience and digital security. The revised Network and Information Systems (NIS 2) regulation overlaps heavily with DORA compliance, which may leave some wondering which guidelines they have to follow.

In September 2023, the European Commission clarified the relationship between the two pieces of legislation. Critically, DORA is sector-specific, impacting mainly financial service organizations. NIS 2, by contrast, is a broader regulatory framework covering critical infrastructure such as energy and transportation.

According to Article 4(1) and (2) of the NIS Directive, DORA’s provisions shall apply instead of those outlined in NIS 2. That means DORA takes precedence for financial entities, at least when it comes to ICT risk management, incident reporting, and resilience testing.

Preparing for DORA compliance

DORA sets a high bar for risk management, which means meeting its requirements won’t be easy. Fortunately, there’s a clear path you can take to get started:

  1. Conduct a gap analysis: An initial gap analysis involves assessing the entire company profile from top to bottom, defining its state of cyber maturity, and understanding its existing risk management framework. This exercise will help you determine the extent to which your current processes and procedures should be updated.
  2. Mandate ICT training: It’s best to create an ongoing training program for all employees — management included. Leaders are liable for DORA noncompliance, so ensure everyone stays informed and vigilant of the latest ICT security threats.
  3. Audit third-party contracts: Taking a deep dive into your contractual arrangements can help you understand dependencies with ICT providers. In turn, you can identify and prioritize security measures for protecting these connections. Inventory all contracts, including cloud service providers, software vendors, and other ICT systems. Then, ensure they have provisions that align with DORA requirements.

Strengthen cyber resilience with Entrust

Don’t leave DORA compliance to chance. Whether you’re a financial entity or an ICT provider, Entrust’s portfolio has everything you need to harden your defenses and protect critical infrastructure.

Our solutions include:

  • Hardware security modules (HSMs): nShield HSMs help provide a secure environment for generating, managing, and protecting cryptographic keys, which are crucial for data encryption and secure communications.
  • Cloud security posture management: The Entrust CloudControl security platform helps protect your hybrid cloud environments by making it easy to identify, remediate, and report on configuration and compliance in one pane of glass.
  • Key Management: Key management is essential to ensuring the confidentiality and integrity of data and financial transactions. Entrust KeyControl helps you to manage cryptographic assets throughout their lifecycle, preventing unauthorized access to ICT systems.
  • Identity and access management: Entrust Identity as a Service is an intelligent platform that streamlines user authentication, authorization, and access control. Connect with your consumers through secure portals, identity proofing, and more.
  • Public key infrastructure (PKI): Entrust PKI helps provide a framework for secure communications and authentication, using digital certificates to verify entities and encrypt data.

Ready to get started? Contact our team to simplify DORA compliance today.