The EU’s DORA regulation: definition, timeline and tips for compliance
With only months to go until DORA comes into force, we’re taking a closer look at the EU’s latest regulatory move to keep digital threats at bay in the financial sector. Read on to find out what the soon-to-be-implemented Digital Operational Resilience Act entails and means for businesses, why it came to be, when it will go into full effect, and how to navigate compliance.
What is DORA? Meaning and implementation timeline
The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on January 16, 2023, and will become effective as of January 17, 2025. It aims at strengthening the information and communication technology (ICT) posture of financial firms within the remit of the three European Supervisory Authorities, making sure that the financial sector can withstand, contain, and recover from operational disruptions caused by cyber attacks. As explained by the European Securities and Markets Authority, the DORA regulation is expected to create harmony and uniformity in digital operational resilience-related rules for the industry, applying to twenty-one different types of financial entities as well as external ICT service providers.
Why was DORA created? Background and key considerations
The EU’s DORA regulation was introduced as a strategic response to the growing dependence of the financial sector on digital technologies and the simultaneous increase in cyber threats.
“We live in uncertain times. Banks and other companies which provide financial services in Europe already have plans in place for their IT security, but we need to go one step further,” Zbyněk Stanjura, the Minister of Finance of Czechia, commented on the passing of DORA in late November 2022. “Thanks to the harmonized legal requirements which we adopted today, our financial sector will be better able to continue to function at all times. If a large-scale attack on the European financial sector is launched, we will be prepared for it.”
The ultimate goal of the new legislation is to ensure that all entities within the EU’s financial system, from banks and investment firms to crypto-asset service providers, have the necessary safeguards against cyberattacks, thus protecting the financial market’s integrity and stability.
With the unstoppable digitalization of the financial sector, services have become more efficient and accessible. But this digital transformation has also brought along heightened risks of cyber incidents, exposing industry players of all types and sizes to significant operational disruptions and financial losses. Not to mention that due to the interconnected nature of the financial ecosystem, the impact of such incidents can easily ripple across borders, potentially evolving into systemic crises.
DORA, the first draft of which was published by the European Commission in September 2020, addresses these challenges by establishing a comprehensive framework that mandates a uniform set of standards for digital operational resilience across the EU. This includes requirements for all financial entities to identify, classify, and mitigate cyber risks, manage ICT third-party risks, set up dedicated incident management mechanisms, and regularly test and audit their digital defenses.
The DORA law also facilitates a more coordinated approach to cybersecurity across member states, boosting their collective ability to safeguard the financial ecosystem against emerging digital threats. This is crucial in fostering a secure and resilient digital financial market that can support the EU’s economic growth and protect the interests of its citizens and businesses.
What is the current status of DORA? 2024 update
The EU’s Digital Operational Resilience Act is now in the critical phase of regulatory development and implementation. Having been formally adopted, it is undergoing the process of being transposed into the national laws of member states. Financial organizations and external ICT service providers must achieve DORA compliance by January 17, 2025, when the regulation becomes effective and enforceable. They have had the opportunity to plan their roadmap towards compliance with the DORA law since June 2022, when the deadline was announced.
According to a study by Deloitte, however, only 29% of the surveyed financial entities had such a roadmap in place, while the rest opted to start working on it in 2023 and some even later in 2024.
They will definitely have their work cut out for them. Not only does the preparation for the new regulation involve significant investments in cybersecurity infrastructure and the establishment of rigorous incident response mechanisms, it also calls for enhanced scrutiny of third-party ICT service providers. The European Union’s regulatory bodies are also ramping up their efforts to provide guidance, support, and oversight to ensure a smooth transition and consistent application of DORA’s standards.
DORA requirements: everything you need to know
Establishing crucial requirements for companies to enhance their ability to withstand, respond to, and recover from ICT-related disruptions, DORA rests on several pillars:
- ICT risk management: DORA requires companies to implement a comprehensive and well-documented ICT risk management framework. This framework should cover all aspects of ICT, including security, data governance, and business continuity. Organizations must regularly assess ICT risks and adapt their defense mechanisms to mitigate these threats effectively.
- Incident reporting: DORA mandates the establishment of a robust incident reporting mechanism. Companies must promptly report significant cyber and ICT-related incidents to the relevant authorities. This facilitates a timely and coordinated response to threats, minimizing their impact on financial markets and consumers.
- Digital operational resilience testing: DORA prescribes the regular testing of digital operational resilience. Meaning that companies must conduct periodic tests to assess their systems and processes’ resilience to cyberattacks and other ICT disruptions, such as vulnerability assessments, penetration testing, and scenario-based exercises.
- Third-party risk management: Recognizing the industry’s growing reliance on third-party service providers, DORA also focuses on managing and monitoring the ICT risks arising from these relationships. Companies must ensure that their external vendors adhere to the same standards of ICT risk management, including regular audits and compliance checks.
- Information sharing: To foster a collective approach to digital resilience, the DORA regulation encourages companies to share information on cyber threats and vulnerabilities within a trusted community. This approach not only enables better preparedness and response to emerging ICT risks, but also bolsters the overall stability of the EU’s financial system.
- Oversight framework: The Digital Operational Resilience Act introduces an oversight framework for critical third-party service providers, including cloud computing services. This ensures that these providers meet stringent standards for ICT risk management, reducing the systemic risk they pose to the European Union’s financial system.
From third parties to technology: how will DORA impact financial firms?
In the wake of DORA, financial industry players will need to take a long, hard look at their existing ICT risk management practices. Most importantly, they will be required to adopt a holistic approach to digital resilience, encompassing everything from cybersecurity defenses to business continuity planning. This will likely lead to an increase in operational costs, at least in the short term, as businesses invest in upgraded technologies, employee training, and enhanced security measures.
The act will cement a standardized and robust vendor risk management framework in the financial sector. Firms will have to ensure that their suppliers and service providers, especially those labeled critical third-party service providers, comply with the same standards of cyber risk management to which they are held. This involves conducting thorough due diligence, frequent audits, and possibly renegotiating contracts to include clauses related to DORA compliance.
Plus, the Digital Operational Resilience Act’s emphasis on information sharing will foster a culture of collaboration and collective defense among members of the financial ecosystem. This may also compel individual companies to strike a balance between competitiveness and the necessity of sharing critical threat intelligence. Such a shift could dramatically improve the sector’s resilience to cyber threats as a whole – but not without significant cultural adjustments for many firms.
Lastly, the oversight framework introduced by the new European cyber resilience regulation places an additional layer of regulatory scrutiny on critical third-party service providers, including cloud services. This will affect not only the service providers themselves, who must meet higher standards, but also the organizations that rely on these services. Companies may need to reassess their partnerships, ensuring their critical service providers can meet DORA requirements.
How to prepare for DORA? 8 essential tips for compliance
- Conduct a gap analysis: Begin by assessing your current cybersecurity practices and policies against DORA’s compliance requirements to find any areas that need improvement.
- Enhance third-party risk management: Devise a well-rounded strategy for managing third-party risks, including due diligence processes, to guarantee all vendors comply with DORA standards.
- Invest in cybersecurity training: Provide ongoing cybersecurity training for all employees to build a resilient workforce and foster a culture of responsibility and awareness.
- Implement robust incident response plans: Establish or update incident response plans to ensure quick and effective action in the event of a cyber threat or breach.
- Foster collaboration and information sharing: Join industry groups or forums to facilitate sharing of threat intelligence and best practices within the financial sector.
- Review and update IT infrastructure: Make certain that IT systems and infrastructure are up to date, secure, and capable of withstanding cyber threats in line with DORA requirements.
- Engage with regulatory authorities: Stay informed about the latest guidance from regulatory bodies regarding DORA’s implementation and seek clarification when necessary.
- Allocate resources appropriately: Ensure that sufficient resources, including budget and skilled personnel, are allocated to meet DORA compliance objectives efficiently.