As of 17 January, the Digital Operational Resilience Act (DORA) has moved from a compliance checklist on paper to an actionable reality.
Traditional cybersecurity measures in finance have struggled to keep pace with increasingly complex cyber attacks. In response, the EU introduced the Digital Operational Resilience Act (DORA), establishing a unified and proactive framework for cybersecurity. By prioritizing operational resilience, DORA aims to enable financial institutions to withstand, respond to, and rapidly recover from security threats.
Digital payment, investment, insurance and crypto-asset services have become part of our everyday life. Yet behind the convenience lies a network of complex ICT systems, creating potential vulnerabilities in critical financial workflows.
Act now to close the gap in your compliance and secure the future of your financial services.
DORA (Digital Operational Resilience Act) is an EU-wide regulation enforcing strict rules for the operational resilience of financial entities and their ICT system providers. It aims to create a harmonized and secure financial ecosystem – resilient to the ever-evolving risk landscape and fit for the digital future.
Due to the growing reliance on digital services, the EU brings a wide range of financial entities under its regulatory umbrella. If an organization participates in the financial value chain, it is likely subject to DORA.
This includes traditional financial entities such as credit institutions and investment firms, as well as emerging service providers like crypto-asset or crowdfunding services.
DORA also applies to critical third-party ICT providers that support the financial sector, including cloud providers, data centers, and data analytics providers.
To support businesses in building a robust operational resilience framework, DORA defines 5 pillars:
1. ICT Risk Management: Strengthening ICT risk management to minimize the impact of ICT incidents.
2. ICT Incident Reporting: Establishing processes for the identification, analysis, and reporting of ICT-related incidents.
3. Digital Operational Resilience Testing: Implementing regular resilience testing, including advanced threat-led penetration tests and attack simulations.
4. ICT Third-Party Risk Management: Ensuring robust management of third-party ICT risks through rigorous oversight, contractual compliance, and regulatory reporting obligations.
5. Information Sharing: Promoting collaboration among financial entities by exchanging threat intelligence and lessons learned.
DORA defines penalties for non-compliance, ensuring that organizations within its scope take cybersecurity and operational resilience seriously. The European Supervisory Authorities (ESAs) have the power to impose fines for non-compliance.
Organizations found in violation of DORA requirements can face fines up to 2% of their total annual worldwide turnover, depending on the severity of the violation. For individuals, the maximum penalty can reach 1 million euros.
Third-party providers deemed as critical by ESAs could incur even higher fines — up to 5 million euros.
8 essential steps to achieve compliance with DORA:
1. Conduct a gap analysis: Assess your current cybersecurity practices and policies against DORA’s compliance requirements to find any areas that need improvement.
2. Enhance third-party risk management: Devise a well-rounded strategy for managing third-party risks, including due diligence processes, to guarantee all vendors comply with DORA standards.
3. Invest in cybersecurity training: Provide ongoing cybersecurity training for all employees to build a resilient workforce and foster a culture of responsibility and awareness.
4. Implement robust incident response plans: Establish or update incident response plans to ensure quick and effective action in the event of a cyber threat or breach.
5. Foster collaboration and information sharing: Join industry groups or forums to facilitate sharing of threat intelligence and best practices within the financial sector.
6. Review and update IT infrastructure: Make certain that IT systems and infrastructure are up to date, secure, and capable of withstanding cyber threats in line with DORA requirements.
7. Engage with regulatory authorities: Stay informed about the latest guidance from regulatory bodies regarding DORA’s implementation and seek clarification when necessary.
8. Allocate resources appropriately: Ensure that sufficient resources, including budget and skilled personnel, are allocated to meet DORA compliance objectives efficiently.
DORA and the NIS2 Directive (Network and Information Systems Directive) are both pieces of legislation introduced by the European Union aimed at improving cybersecurity and digital resilience across the EU. While they share common goals, they differ in scope, sectoral focus, and approach.
1. Scope and targeted entities
DORA is a regulation tailored specifically for the financial sector, focusing on digital resilience. It ensures that financial services – including banks, investment firms and their ICT service providers – can effectively handle, mitigate, and recover from ICT-related incidents.
The NIS2 Directive applies to essential and important entities across multiple sectors, such as energy, transport, health, water, digital infrastructure, and some financial services. Its primary goal is to improve the overall cybersecurity posture of the EU.
2. Regulation vs Directive:
DORA is a regulation that has binding legal force and applies uniformly across all EU Member States without requiring national transposition.
NIS2 is a directive, which sets objectives that Member States must achieve but allows them to define how to transpose these into their national laws. This can lead to variations in implementation across Member States.
Lex specialis rule: In cases where financial services fall under the scope of both DORA and NIS2, DORA takes precedence due to the lex specialis rule. As a result, entities must primarily adhere to DORA’s sector-specific requirements.
3. Objectives and measures:
DORA focuses on digital operational resilience across the financial sector by mandating measures in five key areas: ICT risk management, incident reporting, third-party risk management, operational resilience testing, and information sharing.
NIS2 aims to strengthen the cybersecurity of all critical infrastructure and essential services by promoting supply chain security, incident handling and reporting, cyber hygiene practices, and broader risk management strategies.
4. Operational resilience testing:
DORA introduces mandatory resilience testing of ICT systems and processes. Significant entities must undergo Threat-Led Penetration Testing (TLPT) performed by independent external testers under strict regulatory oversight. This ensures systems are tested against realistic, advanced cyber threats.
While testing is a part of the NIS2 framework, it is not as rigorously defined as in DORA. Instead, testing is integrated into broader risk management strategies, focusing on vulnerability assessments and system audits with less emphasis on threat simulation.
5. Third-party risk management:
DORA emphasizes stringent regulation of third-party ICT providers delivering critical services to financial institutions. It mandates specific contractual requirements for service providers and direct regulatory oversight for critical ICT providers, such as cloud providers and data centers.
NIS2 addresses third-party risk as part of supply chain security focusing on the overall security of external partners and vendors. However, it does not impose the same direct regulatory obligations on ICT providers as DORA does.
6. Incident Reporting:
DORA aims to harmonize the reporting of ICT-related incidents, including data breaches, service disruptions, outages, and third-party ICT failures. Financial entities must submit the following reports on major incidents to their competent national financial supervisors (who may escalate major incidents to the ESAs):
NIS2 also establishes detailed incident reporting, but with a broader focus on any cybersecurity event that impacts critical services, such as cyberattacks, system failures, and supply chain vulnerabilities. NIS2 sets similar reporting deadlines for incidents to be submitted to the CSIRTs (Computer Security Incident Response Teams):
Both frameworks aim to simplify reporting processes with automated workflows, templates, and user-friendly interfaces.
As your clients and partners demand seamless data exchange, security isn’t just a matter of trust – it’s a regulatory obligation under DORA.
Tresorit lightens your compliance burden with an encrypted, user-friendly platform – designed to meet your operational needs while delighting your clients & partners.
Transform your financial workflows with our DORA-ready solutions for secure storage, file sharing, and data room collaboration.