Decoding DORA: A Guide to the EU’s Digital Resilience Act for FinServ

Take heed: DORA applies to roughly 22,000 entities in the entire EU financial ecosystem, including related providers based outside the EU. Violators can face fines of up to two percent of gross revenue.

In response to escalating cyber threats targeting financial services, the EU introduced the Digital Operational Resilience Act (DORA), aimed at establishing a common level of digital operational resilience across financial entities. While the deadline for DORA passed on January 17, regulators will consider its complexity, making it probable they will analyze the level of effort a financial entity has placed into becoming compliant. For now, regulators will focus on helping organizations become compliant, but they will have little tolerance for those that are obviously not making any effort.

Evidence shows that many entities have still not achieved full compliance. The sections below clarify the scope and main pillars of this DORA compliance mandate.

DORA Scope And Applicability (Articles 1 through 3)

DORA is applicable to a very broad swath of financial entities in the EU, including banks and investment firms, payment institutions, insurance and re-insurance undertakings, trading venues, electronic money institutions, central securities depositories, etc. Also covered within the scope are crypto-asset service providers, credit rating agencies, crowdfunding, and third-party ICT service providers (like cloud computing services, data centers and analytics providers).

DORA applies to roughly 22,000 entities in the entire EU financial ecosystem, including ICT providers based outside the EU. Organizations that violate DORA requirements can face penalties of up to two percent of gross revenues.

The Proportionality Principle (Article 4)

There's an allowance built in the DORA act that serves as guidance for organizations as to what extent they are in scope for all or a subset of the requirements. In other words, the “proportionality principle” ensures that regulatory requirements are tailored around the size and scale of a business, their overall risk profile, and the type of services or operations they’re conducting. For example, a smaller organization may be required to have lighter testing or reporting requirements, while a larger, critical entity may be subject to more stringent oversight and reporting assessment.

The Five Main Pillars Of DORA (Articles 5 through 45)

At its core, DORA is all about risk resilience. Here are the five main pillars:

  1. Information Risk Management and Governance: Financial entities must establish internal governance structures that manage ICT risk. This includes having a management body that approves, oversees, and periodically reviews risk management practices. It includes having a comprehensive, well-documented framework that outlines the strategies, processes, protocols, and controls needed for managing ICT risk. It includes having ICT systems, processes, and tools that help identify, assess, and mitigate digital risks and ensure the resilience, continuity, and availability of ICT systems.

  2. Incident Management, Classification, Notification: Financial entities are required to establish and implement incident management processes to detect, manage, and notify ICT-related incidents. They must classify these incidents based on criteria such as the number of financial counterparts affected, the duration of the incident, the geographical spread, the data losses that occurred, the criticality of services affected, etc. Significant cyber threats must be reported to the relevant competent authority, such as the European Central Bank.

  3. Operational Resilience Testing: The purpose of digital operational resilience testing is to identify weaknesses and gaps in security controls and processes, to proactively implement corrective measures, and to validate security performance. The resilience testing program must include a range of tests such as vulnerability assessments and scans, open source analysis, network security assessments, source code reviews, physical security reviews, penetration testing, red team exercises, etc. DORA recommends adopting a risk-based approach to testing, taking into account all material risks and emerging threats the business might be exposed to.

  4. Third-party Risk Management: Entities must have in place contracts that require third parties to remain responsible and under obligation of DORA; they must adopt and regularly review strategies on third-party risk; they must have a well-documented register detailing the ICT services provided by third parties. In cases of high technical complexity, financial entities must verify whether auditors possessing appropriate skills and knowledge have performed relevant audits and assessments. There must also be an exit strategy in place: entities must be able to exit contracts without disruption to business activities and without impacting the quality of service provided.

  5. Information Sharing: Amongst financial firms and regulators, DORA encourages the sharing of cyber threat information and intelligence, such as indicators of compromise, tactics, techniques, and procedures (TTPs), cyber security alerts and configuration tools, etc., with the goal of raising awareness about emerging threats, impeding cyber threats from spreading, and supporting defense capabilities. DORA specifies that the information must only be shared within trusted communities, and it must support business confidentiality and ensure protection of personal data.

Key Takeaways:

There’s a tendency for organizations to dive straight into regulations. Instead, we recommend that organizations follow the approach below:

  1. Assess whether you’re an in-scope organization: Even though your organization may not be a financial entity, you may still be in scope for DORA (e.g., you provide critical services to a financial entity). Therefore, it’s worth understanding whether your business is in scope, evaluating the proportionality principle requirements, and running an assessment to understand what requirements are applicable.

  2. Perform a gap analysis: Find out what you already have in place in terms of processes, policies, and controls. Compare them with the applicable DORA requirements. Organizations (particularly SMBs) can leverage industry tools like the ISF Standards of Good Practice (SOGP) to identify gaps in security procedures, protocols, and controls.

  3. Focus on meeting the compliance: Instead of trying to boil the ocean, use the gap analysis findings to address security priorities and identify gaps. Focus on what you need to do from an organizational perspective to meet compliance. Achieving full compliance immediately may not be feasible, but setting up a process to regularly review and improve security practices is essential for meeting compliance requirements.

Almost all (82%) chief risk officers from the European banking industry rank cyber risk as the biggest threat over the next 12 months. By aligning with DORA requirements, financial institutions can not only mitigate cyber risks and meet regulatory expectations but also build sustainable trust in an increasingly regulated environment.

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
