Now that we already have GDPR, working out what DORA stands for can be hard for anyone who is not a self-confessed compliance nerd.
Surprisingly, it has no connection to “Dora the Explorer”, even though anyone working in a compliance office today needs to be good at finding the right path through the regulatory jungle!
DORA, which stands for the Digital Operational Resilience Act, is a regulatory framework established by the European Union to enhance the resilience and security of financial entities’ information and communication technology (ICT) systems. DORA entered into force on January 16, 2023, and applies from January 17, 2025. (Just to remind everyone: GDPR was introduced on 25 May 2018 and was mostly about data privacy in a general sense.)
DORA aims to ensure that financial institutions within the EU can withstand, respond to, and recover from all types of ICT-related disruptions and threats, including cyberattacks. The regulation is part of the EU’s broader strategy to improve the overall stability and security of the financial system in an increasingly digitalized world.
Financial entities must manage risks associated with third-party ICT service providers.
This includes conducting due diligence, establishing contractual requirements, and monitoring third-party performance.
Five Key Points of the DORA Regulations:
- Risk Management
One of the main pillars of DORA is ICT risk management. DORA expects financial entities to take a proactive view of managing vulnerabilities, meaning that they should be addressed before an incident happens. Regular risk assessments, continuous evaluation and constant monitoring of the ICT environment are the key points of Chapter II of the Digital Operational Resilience Act, if you do not want to read it yourself. ICT-related risk also covers access to data: DORA stresses that any financial organization should precisely monitor who accesses its data and reduce the associated risks as far as possible.
- Incident Reporting
Moving on to Chapter III of the Digital Operational Resilience Act, you will see that, unfortunately, things do not get easier for the financial sector. Incident reporting and proper responses to ICT incidents are another pillar of the act. Under DORA, the financial sector is required to have a management process that monitors ICT vulnerabilities and incidents and reports them to the relevant authorities. The main idea behind this is to strengthen the financial sector’s ability to recover from cyber threats, since it is well known that most ransomware attacks target it. Proper incident management and ICT reporting will help reduce threats that the financial sector has been quietly accumulating for many years without a proper regulatory act.
- Resilience Testing
How would you know that you cannot run a marathon if you have never tried? You may suspect it without ever trying, but the point is that without testing yourself you will never know where your limit is. The same idea underlies Chapter IV of DORA, which expects financial institutions to test their ICT risk management frameworks through resilience testing. This can include vulnerability assessments, open-source analyses and penetration testing.
Since DNA follows the trends of EU regulations, we currently offer our clients not only conventional manual pen-testing but also our new Vonahi pen-testing service. This enables small and medium-sized companies to carry out an annual penetration test, where many of them previously could not afford one. You can learn more about this new service here.
- Third-Party Risks
The main goal of the next chapter of DORA is that third parties who are partners of the financial sector are also compliant with DORA. The financial sector itself must ensure that every third party it works with on a regular basis adopts high standards of digital security. DORA goes further still in pursuit of next-level resilience: all contracts with ICT third-party providers must now include mandatory clauses ensuring that these providers comply with EU standards for risk management and cyber-risk reporting.
- Information Sharing
There is no room for solo players in Chapter VI of DORA. This chapter encourages the sharing of information and threat intelligence among the EU financial community. In other words, sharing knowledge of common vulnerabilities and likely cyber-attacks can help the financial sector not only reduce them but also build a new level of resilience. The idea that sharing is caring, as you can see, is relevant even in the cold-hearted financial world. A collaborative environment benefits the entire industry by enabling organizations to join forces against advanced cyber criminals and stay a step ahead. By building a collective pool of knowledge within the same industry, there is a greater probability of anticipating cyber risks and being well prepared to respond to them.
Challenges in Meeting the DORA Regulations
As you can see, the main idea of the DORA regulations is to create a safe and reliable environment within the financial sector. However, what are the main challenges that can prevent this from happening, and why has it not happened before?
Of course, the main issue, as always, is money. As with any law, achieving DORA compliance can be a challenging task. It may require large investments in technology itself as well as in internal and external processes.
Another challenge is the complexity of the regulations. Managing ICT risks and ensuring compliance with DORA can be complex, particularly for smaller financial entities with limited resources and, of course, limited budgets. For smaller businesses, achieving DORA compliance can be a tough call, but for those who have already embraced GDPR it may be an easier task, even though it still requires effort and financial resources.
DORA represents a significant step forward in the EU’s efforts to enhance the cybersecurity and operational resilience of its financial sector. By mandating comprehensive risk management frameworks, regular testing, and robust third-party risk management practices, DORA aims to ensure that financial entities can effectively respond to and recover from ICT-related disruptions, thereby safeguarding the stability and security of the broader financial system.