The introduction of the Digital Operational Resilience Act (DORA) has brought sweeping changes for financial organizations worldwide. This article provides an overview of the DORA regulation, its impact on financial enterprises and how to strengthen your IT disaster recovery strategies for compliance.
What is the Digital Operational Resilience Act or DORA Act?
The Digital Operational Resilience Act (DORA) is regulatory legislation proposed by the European Commission that seeks to improve the resilience posture of financial services organizations operating within the European Union (EU). First introduced in September 2020, a provisional agreement on DORA's content was reached on May 11th, 2022. As of January 2023, the DORA regulation technical standards were available, and they will be applicable by January 2025.
What are the main objectives of the DORA act?
The DORA European regulation aims to reduce cyber security and resilience risk, and its impact, on financial markets. Financial institutions rely heavily on cloud providers, which concentrates risk: if a major cloud provider suffers a serious outage, the impact would be widespread and potentially catastrophic for global financial markets. The DORA regulation establishes a universal framework for managing and mitigating Information and Communication Technology (ICT) risks in the financial sector and sets more stringent parameters for resilience testing, which improves the safeguards for resilience in cloud management.
Who is affected by the DORA law?
The DORA regulation is very wide-ranging and encompasses a broad set of financial services organizations operating in the EU, including banks, loan organizations, insurance companies, and auditors. DORA also applies to the critical ICT third-party providers (cloud and non-cloud), as defined in the regulation, that service the financial industry and could have a systemic impact on financial services provisioning in Europe. Examples of the financial services organizations regulated at the EU level that will be impacted by DORA include:
- Capital markets
- Payment institutions
- Investment firms
- Credit rating agencies
- Crypto-asset service providers
- Crowdfunding service providers
- Fintech
- Trading venues
- Financial system providers
- Credit institutions
How does the DORA regulation impact financial institutions?
The DORA regulation requires financial services organizations to adequately capture, test, and iteratively improve their recovery plans. This will significantly impact how they document, execute and audit testing. Testing will need to occur regularly and span both the applications and third-party ICT vendors’ systems.
What does the DORA framework change?
The DORA framework provides a more robust and comprehensive digital resilience framework, with more stringent requirements for digital operational resilience documentation and testing. Some of the changes include:
- The execution of recovery and vulnerability tests at least once a year as well as threat-led penetration testing every three years.
- A complete audit documentation of the tasks and results associated with each recovery plan.
- Post-execution analysis and remediation plans for addressing any weaknesses.
- Reporting on weaknesses to the relevant DORA authorities for validation.
Why is operational resilience important?
Operational resilience is defined as the ability to anticipate, detect, prevent, respond to, learn from and/or recover from disruptions in operations that could affect the delivery of important business products or services. For financial institutions, operational resilience often refers to the ability to keep providing critical services when faced with a large-scale disruption.
The Digital Operational Resilience Act (DORA) prioritizes operational resilience within the financial sector for several reasons. Firstly, it safeguards critical financial services by ensuring institutions can withstand disruptions like cyberattacks or outages, preventing widespread financial and economic consequences. Secondly, DORA fosters a level playing field by establishing consistent standards across the European Union, minimizing inconsistencies and vulnerabilities in individual regulations. Finally, by promoting robust operational resilience, DORA contributes to a more secure and trustworthy financial environment, boosting confidence among consumers and businesses, which is crucial for a healthy and stable financial ecosystem.
As cybersecurity threats and IT service disruptions increase, it’s critical for organizations to ensure their systems can resist losses and outages and recover from them if they occur.
DORA's five pillars of resilience
Under the DORA regulation, financial services organizations and ICT third-party providers will need to focus on the following five key pillars.
- Risk management - requiring a robust, well-documented ICT risk management framework to effectively deliver greater digital operational resilience.
- Incident reporting - requiring an ICT-related incident management process and the development of capabilities to monitor, handle, and follow up on such incidents.
- Digital operational resilience testing - obligations to implement a proportional and risk-based digital operational resilience testing program on an annual basis and penetration testing every three years.
- ICT third-party risk - requires that ICT third-party risk be managed by financial services organizations as an integral component of their ICT risk management framework.
- Information sharing - requires a process to be put in place to share cyber threat information and intelligence, provided such exchange of information aims at enhancing the digital operational resilience of financial services organizations. This sharing takes place within trusted communities and is carried out in accordance with applicable legislation (e.g. data protection, trade secrets, and competition law).
Are you up to speed with the DORA regulation framework?
The deadline for DORA requirements is approaching fast, with many coming due in January 2025. Financial entities should review the DORA banking regulation in its entirety and have a full understanding of its requirements and implications.
It’s important to understand how your firm will handle each requirement to gain full compliance. Many organizations will undoubtedly need to find best-of-breed solutions to address DORA financial requirements.