Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a European Union regulation that aims to strengthen the cybersecurity and operational resilience of financial institutions, such as banks, insurance companies, and investment firms. Designed with specific criteria and requirements, DORA establishes a comprehensive framework to ensure that Europe’s financial sector can withstand and recover from severe operational disruptions, including cyber-attacks.

The Digital Operational Resilience Act is a regulation that was adopted by the EU in 2022 and will become effective in January 2025. It is designed to harmonize the rules and requirements relating to operational resilience for the financial sector across the EU, covering over 20 different types of financial entities as well as ICT (Information and Communications Technology) third-party service providers.

More than just a recommended safeguard, DORA is a critical regulation that seeks to strengthen the cybersecurity posture and operational resilience of the European financial system as a whole. To achieve that, DORA mandates that financial institutions understand their entire IT infrastructure, including third-party suppliers and identify potential vulnerabilities and risks. These entities will be expected to implement robust strategies to protect their systems, data, and customers from disruptions.

DORA seeks to empower the financial sector to better identify, protect against, detect, respond to, and recover from ICT-related incidents that could threaten the provision of critical financial services. Its key objectives include:

• Strengthening the cybersecurity and operational resilience of financial entities in the European Union, such as banks, insurance companies, and investment firms.
• Establishing a comprehensive framework ensures the financial sector can withstand and recover from severe operational disruptions, including cyber-attacks.
• Standardizing the requirements related to operational resilience for the EU’s financial sector, including the various types of financial entities and ICT third-party service providers.
• Ensuring financial institutions understand their entire IT infrastructure, including third-party suppliers, can identify potential vulnerabilities and risks and implement robust strategies to protect their systems, data, and customers from disruptions.

The core purpose of DORA is to elevate cybersecurity standards and digital operational resilience in the European financial sector. It aims to go beyond just defensive measures, advocating for a robust resilience framework that ensures the continuity and quality of financial services, even in the face of significant operational disruptions.

DORA’s comprehensive framework for strengthening the cybersecurity and operational resilience of the EU’s financial sector is structured around five key requirements:

1. ICT Risk Management

DORA requires financial entities to have a robust ICT risk management framework with strategies, policies, and procedures for protecting information, software, and physical assets. Additionally, entities must conduct business impact analyses, create response and recovery plans, and test them regularly. They must also implement security awareness programs for all staff and management.

2. ICT-related Incident Management, Classification, and Reporting

Entities must be able to quickly classify, address, and report ICT-related incidents and cyber threats to regulators and affected parties. Incidents must be reported within four hours of becoming aware, with a more detailed report provided within a week. This requires entities to have robust incident response plans and processes for root cause analysis.

3. Digital Operational Resilience Testing

DORA requires entities to conduct regular tests on their ICT systems and infrastructure to assess vulnerabilities and the effectiveness of protective measures. This includes basic tests annually and more comprehensive threat-led penetration testing every three years to identify gaps and weaknesses in the entity’s resilience capabilities.

4. ICT Third-Party Risk Management

DORA mandates entities to actively manage the ICT risks posed by third-party service providers, including conducting due diligence and audits. Contracts with third parties must include provisions for security, incident reporting, and exit strategies. Entities are also responsible for ensuring third parties comply with DORA’s requirements.

5. Information and Intelligence Sharing

To help build collective awareness and develop best practices for preventing and responding to cyber threats, entities are encouraged to participate in voluntary cyber threat intelligence sharing with other financial institutions. Information sharing must comply with data protection regulations and avoid disclosing sensitive customer information.

By implementing these five requirements, financial entities in the EU can bolster their overall digital operational resilience and better withstand and recover from severe ICT-related disruptions.

DORA’s scope is broad, covering a wide range of EU financial entities and services. The primary entities affected by DORA include:

Traditional Financial Institutions

• Credit institutions (banks)
• Payment institutions
• Electronic money institutions
• Investment firms
• Insurance and reinsurance companies
• Credit rating agencies

These traditional financial sector players are DORA’s primary targets, as they are responsible for critical financial services and hold large amounts of sensitive customer data.

Emerging Financial Entities

• Crypto-asset service providers (CASPs)
• Crowdfunding service providers
• Managers of alternative investment funds (AIFMs)
• UCITS management companies

DORA also covers newer financial market participants, recognizing their growing role in providing services and the need to ensure operational resilience.

Critical Third-Party Service Providers

• Cloud computing providers
• Data center operators
• Software vendors
• Data analytics firms

DORA includes critical third-party ICT service providers that support the operations of financial entities. These providers are considered systemically important and must also comply with DORA’s requirements.

DORA casts a wide net, covering a broad range of EU financial institutions and service providers. However, its full scope extends beyond EU-based institutions—DORA also covers non-EU financial entities that operate within European markets. This means that even if an organization is headquartered outside the EU but has a presence or provides services within the EU, it is still subject to DORA’s regulations.

DORA’s broad reach is intentional, as it aims to improve the overall operational resilience of the entire European financial sector. By encompassing traditional banks, emerging fintech players, and critical third-party service providers, DORA seeks to mitigate systemic risks arising from disruptions or cyber incidents affecting any part of the financial ecosystem.

As of Spring 2024, the Digital Operational Resilience Act is in the implementation period, which lasts for two years from the time it went into effect. This means that all affected financial entities in EU markets and their critical ICT providers must be prepared to fully comply with DORA’s requirements by January 2025.

While European regulators are still finalizing specific technical details, DORA’s overall scope and requirements are now clear. In January 2024, European Supervisory Authorities (ESAs) published the first set of requirements under DORA for ICT and third-party risk management and incident classification. These rules are on the European Insurance and Occupational Pensions Authority’s website.

After a two-year implementation, the Digital Operational Resilience Act will be fully enforceable starting in January 2025. Relevant regulatory authorities in each EU member state will enforce DORA’s requirements. These authorities will have the power to monitor compliance and impose penalties on financial entities that fail to meet the regulation’s standards.

Critical aspects of DORA’s enforcement standards include:

• Regulatory oversight: Supervisory authorities will closely monitor financial entities’ compliance with DORA’s requirements, including ICT risk management, incident reporting, resilience testing, and third-party risk management practices.
• Penalties for non-compliance: Authorities can impose significant penalties on financial institutions that fail to meet DORA’s standards. These penalties can include administrative fines of up to 1% of the entity’s total annual turnover, as well as other remedial actions such as public reprimands or even the withdrawal of the entity’s authorization to operate.
• Guidance and coordination: Regulatory authorities will also provide guidance and best practices to support financial entities in complying with DORA. They will also promote coordination and consistent supervisory practices across the EU to ensure a level playing field.
• Oversight of critical third parties: DORA introduces a new framework for overseeing critical ICT third-party service providers that support the financial sector. These providers will be subject to direct supervision by the ESAs to manage the risks they pose to financial entities.

By empowering regulators to closely monitor compliance and impose meaningful penalties, DORA aims to ensure that financial institutions in the EU take the necessary steps to abide by DORA’s regulatory standards.

As financial entities work towards complying with the Digital Operational Resilience Act, they face several key challenges and hurdles to meeting DORA’s standards.

Complexity of Regulatory Requirements

Given their complex nature, interpreting and understanding the many DORA regulations can be challenging. Organizations must invest significant time and resources to comprehensively understand the regulation’s requirements and develop tailored compliance strategies.

Resource Constraints

Many organizations face limitations in budget, manpower, and technical expertise required to implement the robust compliance measures demanded by DORA. This includes conducting thorough risk assessments, investing in advanced cybersecurity solutions, and upgrading legacy IT systems.

Legacy IT Systems

Outdated infrastructure and legacy systems within financial entities may lack the necessary capabilities and security measures to meet DORA’s requirements. Upgrading or replacing these systems can be a costly and complex undertaking.

Evolving Cyber Threats

The dynamic and sophisticated nature of cyber threats presents a constant challenge for organizations striving to maintain regulatory adherence. Continuous monitoring, assessment, and enhancement of security measures are necessary to keep pace with the evolving threat landscape.

Third-Party Risk Management

DORA places a significant emphasis on managing the ICT risks posed by third-party service providers. Financial entities must establish robust oversight and due diligence processes for their extensive network of suppliers, which can be a complex and resource-intensive endeavor.

Resilience Testing

Regularly testing the digital operational resilience of financial entities, as required by DORA, can be a challenge. Organizations must develop a strategic and coordinated approach to vulnerability assessments, penetration testing, and other resilience exercises to ensure comprehensive coverage of their critical functions.

Fostering a Culture of Compliance

Embedding a culture of risk awareness, accountability, and continuous improvement across the organization is crucial for effective DORA compliance. Overcoming siloed mindsets and aligning various teams, such as IT, compliance, legal, and risk management, can be a significant challenge.

Navigating these challenges will require financial entities to adopt a proactive and collaborative approach, leveraging external expertise and solutions where necessary. Careful planning, strategic resource allocation, and a commitment to enhancing digital operational resilience will be essential to successfully meeting DORA’s requirements.

The financial services sector has been identified as a prime target for cyber threats, underscoring the critical need for robust operational resilience measures. According to the International Monetary Fund (IMF), their survey found that the financial sector is at risk due to weak cybersecurity defenses.

This sentiment is echoed by the Bank of England, whose latest systemic risk survey revealed that 74% of respondents view cyber-attacks as the highest risk facing the financial sector.

Frameworks like DORA have become vital in helping financial institutions and their associated suppliers, such as ICT providers, understand how to effectively manage these evolving cyber risks. Recent industry research highlights the significant cyber threats faced by the financial sector:

• The Verizon 2022 Data Breach Investigations Report (DBIR) recorded the most prevalent threats, including data breaches, DDoS attacks, and ransomware. The report emphasizes that stolen credentials are a key factor in the success of many of these attacks.
• A 2022 Commodity Futures Trading Commission survey found that 74% of the 130 global financial institutions surveyed had experienced at least one ransomware attack incident in the previous year.

These alarming statistics underscore the urgent need for financial entities to strengthen their cybersecurity posture and operational resilience in line with regulations like DORA.

The Digital Operational Resilience Act strongly emphasizes third-party risk management, recognizing the significant role that ICT providers play in supporting the financial services sector.

Industry research highlights the growing threat of supply chain attacks targeting the financial sector. According to the Verizon 2022 Data Breach Investigations Report, the financial industry was the second-most popular target for these types of attacks. DORA aims to address this vulnerability by establishing comprehensive requirements for financial entities to manage the ICT risks posed by their third-party service providers.

The European Union Agency for Cybersecurity (ENISA) has reported increased sophistication and volume of supply chain attacks, with threat actors targeting the technology supply chain to steal data and financial assets. DORA’s provisions for third-party risk management will coordinate requirements using existing frameworks like the European Banking Authority (EBA) Outsourcing Guidelines.

Any ICT provider designated “critical” by an ESA will be subject to a strict oversight framework. This heightened scrutiny ensures that these systemically essential technology providers implement robust security measures and comply with DORA’s requirements.

Financial institutions increasingly turn to Zero Trust solutions to effectively manage third-party risks. These technologies provide enhanced visibility across the extended network of suppliers, including ICT providers. By enforcing security measures such as least privilege access and proactive control of sensitive areas and data, Zero Trust helps prevent data breaches and mitigate the impact of ransomware and other cyber threats.

As the Digital Operational Resilience Act approaches its enforcement deadline in January 2025, financial institutions must take proactive steps to ensure they are prepared to meet the regulation’s requirements. Here are some helpful tips to proactively prepare for DORA compliance:

Understand DORA in Depth

• Thoroughly familiarize yourself with the DORA regulation, its specific requirements, and how it applies to your organization.
• Consider taking specialized training, such as becoming a DORA Certified Compliance Specialist, to deepen your knowledge of the regulation.

Assess Cyber Risks

• Conduct a comprehensive assessment of cyber risks across your organization and extended supply chain.
• Utilize risk assessment solutions to help identify and evaluate potential vulnerabilities.

Adopt a Principle of Proportionality

• Ensure your approach to DORA compliance considers the scale, complexity, and importance of your ICT-related dependencies and risks.
• Make informed decisions on risk management that align with the regulation’s requirements.

Involve Cross-Functional Teams

• Engage multiple teams, including IT security, legal, compliance, risk management, and senior leadership, in the DORA compliance process.
• Ensure a holistic, organization-wide approach to addressing DORA requirements.

Empower Leadership

• Ensure senior management leads DORA implementation and receives adequate training, such as becoming a Certified Cyber Risk Officer.
• Secure buy-in and support from the board of directors for necessary DORA-related changes.

Regularly Review and Update Plans

• Continuously review and update your digital operational resilience strategy and ICT third-party risk management policies to stay aligned with DORA.
• Stay agile to make necessary changes as regulations and threats evolve.

Prioritize Remediation Actions

• Develop a straightforward process for prioritizing and addressing operational vulnerabilities identified through DORA-related assessments.
• Focus on the most critical areas first to mitigate the highest-priority risks.

Produce Demonstrable Evidence

• Be able to provide regulatory officials with evidence that your organization is resilient to both firm-specific and broader sectoral threats.
• Maintain comprehensive documentation to showcase your DORA compliance efforts.

Factor in External Environment

• Regularly monitor the external threat landscape and incorporate this information into your overall operational resilience strategy.
• Stay informed about potential risks and take proactive steps to mitigate them.

Identify Critical Functions

• Clearly identify the critical or important functions (CIFs) within your organization as per DORA requirements.
• Ensure these CIFs are the focal point for building robust operational resilience.

By following these comprehensive tips, financial institutions can better prepare for the upcoming DORA compliance requirements and strengthen their overall digital operational resilience.

Proofpoint offers a range of solutions and expertise that can help organizations in the financial sector effectively comply with the Digital Operational Resilience Act requirements. Proofpoint’s capabilities can enhance an organization’s overall cybersecurity resilience and incident response capabilities. By providing advanced threat detection, prevention, and response tools, Proofpoint empowers companies to better protect against external cyber threats, insider risks, and supply chain vulnerabilities—all critical components of DORA as well as Network and Information Systems (NIS 2) Directive compliance.

As these regulations encourage, Proofpoint also facilitates information sharing and threat intelligence exchange. The company’s threat intelligence services and secure collaboration platforms help organizations stay informed about the latest cyber threats and coordinate their response efforts with relevant stakeholders and authorities. From conducting risk assessments and gap analyses to developing tailored compliance strategies, Proofpoint can help organizations understand their current capabilities, identify areas for improvement, and implement necessary controls and processes.

Additionally, Proofpoint’s solutions also enable continuous compliance monitoring and reporting. Organizations can leverage Proofpoint’s tools to regularly assess their security posture, identify vulnerabilities, and generate the necessary documentation to demonstrate their adherence to DORA and NIS 2 requirements to regulatory bodies.

By partnering with Proofpoint, financial institutions and other critical infrastructure providers can strengthen their overall digital operational resilience and meet the stringent cybersecurity standards set forth by these landmark European regulations. To learn more, contact Proofpoint.