
DORA Compliance: Ensuring Operational Resilience for Financial Entities

Published March 26, 2025
Contributors

Anas Baig

Product Marketing Manager at Securiti

Syed Tatheer Kazmi

Associate Data Privacy Analyst, Securiti

CIPP/Europe

Rohma Fatima Qayyum

Associate Data Privacy Analyst at Securiti


In an increasingly interconnected and data-driven digital realm, ensuring the resilience of digital operations has become imperative for organizations, especially those in the financial industry. Consequently, the European Union introduced the Digital Operational Resilience Act (DORA) to strengthen financial entities' information systems, network security, and risk management practices.

DORA establishes a unified regulatory framework for the security of network and information systems utilized by entities in the financial sector and essential third parties that provide ICT (information and communication technology) related services, including cloud platforms and data analytics.

DORA defines ICT risk as ‘any reasonably identifiable circumstance related to the use of network and information systems that, if materialized, may compromise the security of the network and information systems, of any technology-dependent tool or process, of operations and processes, or the provision of services by producing adverse effects in the digital or physical environment.’

In an increasingly digital economy, DORA compliance is essential for protecting financial entities from cyberattacks, operational disruptions, and system failures. DORA also helps organizations maintain operational resilience, improve risk management and security posture, and comply with evolving regulations.

This guide explores DORA's significance, its key components, and obligations that organizations must abide by to meet its requirements and remain resilient in an evolving digital landscape.

What is the Digital Operational Resilience Act (DORA)?

The EU introduced DORA as a regulatory framework to enhance financial entities' operational resilience and cybersecurity against evolving threats. DORA entered into force on January 16, 2023, and applies from January 17, 2025. DORA aims to:

  • Ensure financial entities can withstand, respond to, and recover from digital disruptions, such as cyberattacks or system failures.
  • Establish uniform standards across the EU for managing information technology (IT) risks, incident reporting, and outsourcing to third-party technology providers.
  • Protect the financial system's stability in an increasingly digitalized world by enforcing these measures.

Importance of DORA

DORA is crucial as it ensures financial entities can resist and recover from digital disruptions by bolstering cybersecurity and operational resilience within the industry. It harmonizes cybersecurity requirements throughout the EU and establishes clear EU standards pertaining to contractual arrangements concluded with ICT third-party service providers. As financial services become more digitized, DORA helps ensure the financial system's stability and strengthens its capacity to swiftly and safely respond to the evolving cyber threat landscape.

Who Must Comply with DORA?

Article 2 of DORA outlines DORA’s scope. It applies to a wide range of entities in the financial sector, ensuring they are prepared for and can recover from operational disruptions. The following entities must comply with DORA:

  1. Financial Entities: This includes credit institutions, payment institutions, account information service providers, electronic money institutions, and investment firms.
  2. Financial Market Infrastructure: This includes central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds, management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries, ancillary insurance intermediaries, and credit rating agencies.
  3. Crypto-Asset Service Providers: This includes firms offering crypto-asset services within the EU.
  4. ICT Third-Party Service Providers: This includes ICT third-party service providers that deliver ICT services, such as cloud computing, software, data analytics, and data center services, to financial entities.
  5. Other Financial Entities: This includes institutions for occupational retirement provision, administrators of critical benchmarks, crowdfunding service providers, and securitization repositories.

How Does DORA Impact Your Organization?

DORA mandates specific requirements to enhance digital resilience and cybersecurity for financial entities providing financial services.

Key Obligations of Financial Entities Under DORA

DORA significantly impacts financial entities by enforcing stricter requirements for managing digital risks and ensuring operational resilience. Financial entities must:

A. Establish an ICT Risk Management Framework

Under Article 6, DORA requires financial entities to establish a robust and detailed Information and Communication Technology (ICT) risk management framework, enabling them to handle ICT risk in a timely, effective, and comprehensive manner and ensure a high degree of digital operational resilience.

The ICT risk management framework must be documented, periodically reviewed, and internally audited by auditors with the necessary expertise. Financial entities also need a multi-vendor ICT strategy and, where appropriate, a digital operational resilience strategy. Even where these responsibilities are outsourced, financial entities remain accountable for confirming that the ICT risk management requirements are being met.

B. Maintain and Use Updated ICT Systems to Address and Manage ICT Risks

Under Article 7, DORA requires financial entities to address and manage ICT risks. Financial entities must use and maintain up-to-date, reliable ICT systems that are appropriate to the scale of their operations, have sufficient capacity to process the data needed for their activities and services and to handle peak order volumes, and are resilient enough to cope with increased processing demands under adverse conditions.

C. Identify, Assess, and Manage ICT Risks

Under Article 8, DORA requires financial entities to identify, classify, and accurately document ICT business functions, information assets, roles, and dependencies. Additionally, they must assess cyber threats and vulnerabilities, conduct risk assessments, and maintain information asset inventories.

D. Protect ICT Systems

Under Article 9, DORA requires financial entities to protect ICT systems by implementing access controls and robust authentication procedures, creating and documenting an information security policy, and implementing patch and update policies.

E. Detect to Ensure Security

Under Article 10, DORA requires financial entities to implement tools to swiftly identify suspicious activity, establish systems to efficiently detect and verify trade reports for accuracy, conduct frequent testing, and allocate adequate resources and capabilities to track user behavior and the incidence of ICT anomalies.

F. Establish Response and Recovery Plans

Under Article 11, DORA requires financial entities to implement a comprehensive ICT business continuity policy together with response and recovery plans, designate a crisis management role, conduct business impact analyses and test the plans annually, and maintain records of the related activities.

G. Develop and Document Backup and Restoration Policies and Procedures

Under Article 12, DORA requires financial entities to set up backup solutions that can be initiated without impacting data integrity or security.

H. Cyber Threat Identification & Incident Analysis

Under Article 13, DORA requires financial entities to have adequate resources to identify and assess cyber threats and vulnerabilities and conduct incident assessments after significant ICT-related occurrences.

I. Establish a Crisis Communication Plan

Under Article 13, DORA requires financial entities to develop a crisis communication strategy to appropriately notify clients, partners, and, when necessary, the public about significant ICT-related incidents or vulnerabilities. Internal and external communication policies must also be established for employees and external stakeholders. Additionally, one or more individuals must be assigned to carry out public and media functions for ICT-related incidents.

Under Article 17, DORA requires financial entities to establish early warning indicators and identification procedures, track, log, and classify ICT-related incidents, assign roles and responsibilities, develop communication and notification plans, implement ICT-related incident response procedures, and report significant ICT-related incidents to relevant senior management and the management body.

Under Article 18, DORA requires financial entities to classify cyber threats and ICT-related events according to the number of clients impacted, the volume of transactions impacted, the duration of the incident, and the data losses involved.

Under Article 19, DORA requires financial entities to notify the relevant competent authorities of major ICT-related incidents within the prescribed time limits.

Key Obligations for ICT Service Providers Under DORA

ICT service providers are subject to specific obligations under DORA to ensure financial entities’ operational resilience and minimize risks to the financial sector. These obligations are as follows:

1. Assistance During ICT Incidents

Under Article 30(2)(f), the ICT third-party service provider is required to assist the financial entity in handling ICT incidents related to the services it provides to the financial entity, either at no additional cost or at a cost determined in advance.

2. Cooperation with Authorities

According to Article 30(2)(g), the ICT third-party service provider must collaborate with the competent authorities as well as the resolution authorities and designated representatives of the financial entities.

3. Notice and Reporting Obligations

Article 30(3)(b) obligates ICT third-party service providers to comply with notice periods and reporting obligations, including promptly notifying the financial entity of any development that may materially affect the provider's ability to deliver the agreed service levels for ICT services supporting critical or important functions.

4. Participation in TLPT

Under Article 30(3)(d), the ICT third-party service provider is required to participate and fully cooperate in the financial entity’s Threat-Led Penetration Testing (TLPT) as referred to in Article 26 (Advanced testing of ICT tools, systems, and processes based on TLPT) and Article 27 (Requirements for testers for the carrying out of TLPT).

5. Business Continuity and ICT Security Requirements

As per Article 30(3)(c), ICT third-party service providers are required to implement and regularly test business contingency plans to ensure operational resilience. Additionally, they must establish and maintain ICT security measures, tools, and policies that provide an appropriate level of security for the services they offer to financial entities. These measures must align with the financial entity’s regulatory framework to safeguard data integrity, confidentiality, and availability.

6. Cooperation During Inspections and Audits

According to Article 30(3)(e)(iii), ICT third-party service providers must fully cooperate during onsite inspections and audits conducted by competent authorities, the Lead Overseer (the entity responsible for overseeing critical ICT third-party service providers), the financial entity, or appointed third parties.

DORA’s Non-Compliance Penalties

DORA establishes a robust framework for enforcing compliance within the EU financial sector. Articles 50 to 54 of DORA set out the penalties for non-compliance. These include:

  • Article 50: Administrative penalties and remedial measures — grants competent authorities all supervisory, investigatory, and sanctioning powers necessary to fulfill their duties under DORA. Article 50 authorizes competent authorities to: (a) access and copy relevant documents; (b) conduct onsite inspections, including interviews and recorded explanations; and (c) mandate corrective actions for breaches. Furthermore, the EU member states are obligated to establish and enforce proportionate administrative penalties and remedial measures for DORA violations.
  • Article 51: Exercise of the power to impose administrative penalties and remedial measures — specifies that penalties imposed by the competent authorities shall be proportionate to the violation, taking into account factors such as the materiality, gravity, and duration of the breach, the degree of responsibility of the violator, any profits gained or losses avoided, the violator’s cooperation, and their history of previous breaches.
  • Article 52: Criminal penalties — allows the EU member states not to establish regulations for administrative penalties or remedial actions for violations that are already subject to criminal penalties under their national law.
  • Article 54: Publication of administrative penalties — requires competent authorities to promptly publish any decision imposing an administrative penalty on their official websites, provided that no appeal is possible after the penalty recipient has been notified of the decision. This article also allows for anonymous or delayed publication, if necessary, with information retained for a period not exceeding five years.

DORA Legislation Timeline

The DORA legislation timeline illustrates its essential phases from development to enforcement. Here’s a breakdown of the main dates in the DORA timeline:

  • 24 September 2020 – The European Commission introduced the DORA proposal as part of its Digital Finance Package (DFP), which seeks to strengthen the financial sector's digital resilience.
  • 28 November 2022 – The European Parliament and Council formally adopted DORA, finalizing the legislative text after the European Parliament voted to support the act on November 10, 2022.
  • 27 December 2022 – DORA was published in the Official Journal of the European Union, marking the beginning of the countdown for its adoption.
  • 16 January 2023 – DORA officially entered into force, providing financial entities and ICT providers a two-year transition period to prepare for DORA compliance.
  • 17 January 2025 – DORA’s requirements become fully applicable. By this date, all financial entities, third-party ICT providers, and related entities must comply with DORA’s provisions.

DORA Compliance Checklist

Financial entities and ICT providers must follow the DORA compliance checklist to ensure swift business continuity. This includes:

  • Implementing a robust ICT framework to identify, assess, monitor, and manage ICT-related risks;
  • Developing ICT governance and oversight for ICT risk management at the senior management and board level;
  • Implementing incident reporting practices to detect, classify, and report significant ICT-related incidents;
  • Engaging in regular operational resilience testing, including penetration testing, vulnerability assessments, and scenario-based testing;
  • Ensuring oversight of third-party ICT providers to assess their compliance with DORA standards;
  • Developing business continuity and disaster recovery plans in case of ICT disruptions;
  • Establishing information-sharing practices about cyber threats and vulnerabilities with relevant stakeholders and authorities to improve collective resilience;
  • Documenting and auditing readiness by maintaining testing results and incident reports;
  • Fostering a compliance culture and training employees on DORA requirements, ICT risks, and operational resilience practices.

How Securiti Helps Ensure DORA Compliance

Securiti emerges as a pivotal catalyst for organizations seeking to navigate and comply with the Digital Operational Resilience Act (DORA). Securiti provides a suite of automation modules that help comply with DORA’s provisions and fortify security posture against potential cyber threats.

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. Securiti provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

Request a demo to learn more.

Frequently Asked Questions

DORA has five key compliance pillars: ICT Risk Management, Incident Reporting, Digital Operational Resilience Testing, Third-Party Risk Management, and Information Sharing.

DORA compliance relates to meeting DORA’s requirements to ensure financial entities and third-party ICT providers can manage, prevent, and recover from digital disruptions and cyber threats, ensuring operational stability and security.

Financial entities in the European Union, including credit institutions, electronic money institutions, and investment firms, as well as third-party ICT service providers that support the financial sector, such as cloud computing and data analytics service providers, fall within DORA's purview.

DORA contains 64 articles, each outlining specific requirements for improving digital operational resilience in the financial sector.
