Summary

The European Union's Digital Operational Resilience Act (DORA) establishes strict cybersecurity and ICT risk management requirements for financial institutions and their third-party providers. This article explores DORA’s key focus areas, its impact on organizations, and recent regulatory updates. A 5-step checklist helps assess ICT providers' compliance with DORA’s standards, ensuring operational resilience in an evolving cyber threat landscape.


In an era where cyberthreats and technological disruptions pose significant risks to financial stability, regulatory frameworks must evolve to safeguard institutions and consumers alike. The European Union (EU) introduced the Digital Operational Resilience Act (DORA) to ensure that financial entities remain secure and resilient against such challenges.

What is DORA?

DORA, officially known as Regulation (EU) 2022/2554, was enacted to establish uniform requirements for the security of network and information systems within the EU's financial sector. The regulation aims to ensure that financial entities can withstand, respond to, and recover from all types of information and communications technology (ICT)-related disruptions and threats.

As stated in the regulation itself, the purpose of DORA is "to achieve a high common level of digital operational resilience" by setting uniform requirements concerning the security of network and information systems supporting the business processes of financial entities.

Key focus areas of the DORA regulatory framework

DORA applies to a wide range of financial entities, including banks, insurance companies, investment firms, credit institutions, and the ICT third-party service providers supporting these organizations. Its requirements center on five areas:

  • ICT risk management: Financial entities are required to implement robust frameworks to manage ICT risks effectively.
  • Incident reporting: Mandates the reporting of major ICT-related incidents to competent authorities, enhancing transparency and facilitating prompt responses.
  • Digital operational resilience testing: Requires regular testing of digital operational resilience, including advanced threat-led penetration testing for significant institutions.
  • ICT third-party risk management: Sets standards for managing risks associated with third-party ICT service providers, ensuring that dependencies do not compromise operational integrity.
  • Information sharing: Encourages the exchange of cyberthreat information and intelligence among financial entities to foster a collaborative defense environment.

For more insights on the regulation, you can refer to eiopa.europa.eu.

How does DORA affect your organization?

While DORA is primarily targeted at financial institutions, its implications extend beyond the financial sector. Non-financial organizations that interact with financial entities or provide ICT services to them may also need to align with DORA’s principles to ensure compliance and maintain strong cybersecurity practices.

Key impacts:

  • Strengthening risk management practices: Organizations must implement robust ICT risk management frameworks to identify, assess, and mitigate potential threats.
  • Enhanced incident reporting requirements: Entities must develop structured processes for reporting ICT-related incidents to regulatory authorities in a timely manner.
  • Rigorous resilience testing measures: Regular digital operational resilience testing is required to assess vulnerabilities and ensure preparedness for cyberthreats.
  • Mitigating third-party ICT risks: Firms must establish stringent monitoring and risk assessment protocols for third-party ICT service providers.
  • Improved collaboration and information sharing: Financial institutions are encouraged to share intelligence on cyberthreats and incidents to enhance sector-wide resilience.

DORA and ICT providers: A 5-step checklist to evaluate your ICT provider's current standing

Given the increasing reliance on ICT service providers, it's imperative to assess their alignment with DORA's requirements. Here's a concise checklist to guide your evaluation:

  • Assess regulatory scope: Determine if your ICT providers fall under DORA's definition of critical third-party service providers. This assessment is crucial, as such providers will be subject to direct oversight by EU financial regulators.
  • Review contractual agreements: Ensure that contracts with ICT providers include mandatory provisions as stipulated by DORA, covering aspects like data security, incident reporting, and compliance obligations.
  • Evaluate risk management practices: Verify that your ICT providers have robust risk management frameworks in place, including regular risk assessments, mitigation strategies, and resilience plans.
  • Confirm testing and audit protocols: Ascertain that providers conduct regular digital operational resilience testing, such as threat-led penetration tests, and are open to audits and assessments.
  • Establish communication channels: Set up clear protocols for timely communication and reporting of ICT-related incidents, ensuring swift responses to potential disruptions.


Recent developments

As of February 2025, several significant milestones have been achieved in the implementation of DORA:

  • Feb. 18, 2025: The European Supervisory Authorities (the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority) provided a roadmap for the designation of critical third-party providers. Competent authorities are required to submit registers of ICT third-party arrangements by Apr. 30, 2025, with criticality assessments and final designations expected by July 2025.
  • Feb. 11, 2025: The TIBER-EU framework was updated to align with DORA, enhancing the framework for threat intelligence-based ethical red-teaming to bolster cyber resilience.
  • Feb. 11, 2025: The European Banking Authority amended its guidelines on ICT and security risk management measures to align with DORA, aiming to simplify the ICT risk management framework and provide legal clarity.

These developments show that DORA represents a transformative step in fortifying the digital operational resilience of the EU's financial sector. Organizations must proactively assess and enhance their ICT frameworks, ensuring compliance and a robust defense against the ever-evolving landscape of digital threats.