You should know about the Digital Operational Resilience Act (DORA) if you work in digital operations. This law helps financial institutions and key service providers prepare for cyberattacks or system failures. How does this affect your business? DORA ensures your operations stay stable and running smoothly during the challenges a digital environment faces.
This article explains DORA's key points, from its objectives and compliance requirements to how it affects both EU and non-EU businesses. Whether you work within the EU or with EU-based clients, understanding DORA is crucial for maintaining resilience in a world that is getting more and more digitalized. We will also mention how server-side tracking is affected by DORA and how Stape approaches the new regulation.
The DORA regulation is a landmark EU regulation. It is designed to strengthen IT security and operational resilience for European financial institutions. It went into effect on January 16, 2023. DORA compliance becomes mandatory on January 17, 2025. DORA is recognized as an effective tool for managing digital risks in the financial sector.
NIS2 and DORA are two key frameworks for cybersecurity and digital resilience. The first, NIS2, focuses on facilitating security measures for essential services in the EU. The second, the Digital Operational Resilience Act aims to strengthen the operational endurance of the financial institutions. Together, they play a crucial role in protecting Europe's digital infrastructure from emerging cyber threats.
In September 2023, the European Commission clarified the relationship between these two frameworks in its NIS2 Directive:
As a result, financial institutions and ICT service providers within the EU must comply with DORA’s requirements by January 17, 2025. Each EU member state is responsible for ensuring compliance, and designated regulatory authorities are empowered to mandate specific security measures and address already-known vulnerabilities.
Failure to comply with the regulation may result in severe penalties. For "critical" ICT providers designated by the European Commission, non-compliance can lead to fines of up to 1% of their average daily global turnover for the previous financial year.
The financial sector, both globally and within Europe, is experiencing a surge in cyberattacks, which are part of a broader rise in global cyber threats.
Europe has introduced the Digital Operational Resilience Act to address this. The goal is to build a single system for cyber resilience and ensure financial stability across the EU. DORA promotes proactive practices that help organizations mitigate the impact of cyber threats on their ICT systems.
DORA focuses on unifying regulations across Europe. In the past, individual countries had separate approaches with varying rules and oversight. By addressing this lack of cohesion, DORA introduces a consistent approach that supports Europe’s aim for greater legislative and economic synchronization.
For financial institutions and other affected entities, DORA provides the added benefit of clearer legal obligations regarding cybersecurity and resilience. This clarity extends across borders, offering consistent guidance and reducing uncertainty regarding cyber threats.
To understand DORA compliance better, let’s look at DORA objectives closely.
DORA has two primary objectives:
Before DORA, fragmented national regulations made compliance difficult for cross-border financial institutions. DORA addresses this by introducing uniform regulatory standards, minimizing confusion, and enhancing security across the EU’s financial sector.
The DORA Act applies to over 22,000 financial institutions and ICT services working within the EU, as well as the ICT infrastructure that supports them from outside the EU. It impacts various financial systems, including:
Moreover, DORA extends to critical ICT service providers supporting these institutions. Organizations must identify dependencies on third-party ICT providers and diversify to avoid over-reliance on a single or limited group of suppliers.
Key DORA requirements are as follows:
Under Article 5, DORA mandates the establishment of a robust, comprehensive, and well-documented ICT risk management framework integral to an institution's overall risk management system. Key elements include:
DORA also requires appointing a responsible party for ICT risk management oversight, ensuring clear accountability and effective governance.
Incident management and reporting are central aspects of DORA. Institutions need to set up systems to track and categorize ICT-related incidents. Under Article 15, organizations must submit:
Additionally, under Articles 16–20, the organizations are required to:
Under Article 21, DORA mandates regular testing of ICT risk management systems to ensure their effectiveness. Testing steps include:
Additionally, Article 23 requires organizations to perform penetration testing for ICT processes supporting critical functions, including outsourced services.
Recognizing the importance of ICT service providers, DORA introduces strict third-party risk management requirements, including:
DORA also establishes oversight frameworks for critical third-party ICT providers, enabling EU supervisory bodies to monitor compliance directly.
5. Information sharing
DORA encourages collaboration between trusted financial organizations to:
Preparing for DORA compliance
Achieving DORA compliance may seem complex, but it becomes manageable with a straightforward approach. Review your cybersecurity practices and risk management plan to find areas to improve. Regular training for all employees, including leaders, is essential to create a strong and prepared team.
Review contracts with ICT service providers to ensure they meet DORA’s standards. Create a comprehensive inventory of all agreements, including cloud services and software providers, to identify dependencies and mitigate risks. By taking these strategic steps, your organization can strengthen its operational resilience and align with DORA’s requirements.
By adhering to these measures, organizations can meet DORA’s high standards for ICT risk management and operational resilience.
The DORA regulation introduces European unified resilience standards, which UK businesses should be aware of.
UK-regulated firms must manage operational risks responsibly and effectively and ensure their affairs are organized with robust risk management systems. The Financial Conduct Authority (FCA) rules outline this obligation, which includes provisions on management and governance, risk management, internal controls, business continuity, contingency planning, and outsourcing practices.
These existing requirements are now being expanded with new provisions targeting operational resilience. The DORA cyber security framework further strengthens these measures, ensuring firms address ICT risks comprehensively and protect against digital threats. The updated regime introduces requirements for certain types of firms and proposes extending them to include service providers not regulated by the FCA.
UK Operational Resilience regime
The UK operational resilience regime takes a broader approach to operational risks than the EU’s DORA. It emphasizes a firm's ability to withstand disruptions—not just those arising from digital or ICT incidents.
The framework applies to banks, insurers, and significant investment firms. If they meet specific criteria, asset managers may also be included.
Unlike DORA, the UK framework considers a broader range of risks and takes a more comprehensive approach to resilience.
The UK's framework covers fewer organizations than DORA but takes a broader view of resilience. It looks beyond digital risks and focuses on helping businesses handle disruptions from any source.
What is DORA compliance? Is it another regulation or an opportunity to rethink how businesses tackle resilience and cybersecurity? For many, it’s a fresh start—a chance to replace scattered systems with a unified approach that builds trust and stability in the digital world.
DORA compliance challenges businesses to adopt a proactive mindset, address ICT risks, and ensure resilience across the entire supply chain, including third-party service providers. DORA pushes organizations to make their operations more resilient to cyber threats and aligned with Europe’s vision for a secure and interconnected economy.
The actual value of DORA compliance depends on how businesses respond. Will they see it as a challenge or an opportunity to strengthen resilience and gain a competitive advantage? Time will tell.
Server-side tracking helps businesses meet regulations like DORA by improving data security and reliability. Stape is working to meet DORA standards when they take effect.
Stape is ISO 27001, HIPAA, and GDPR compliant to protect data and ensure privacy. We're committed to staying up-to-date with new regulations and providing secure, reliable tracking solutions. Stape is a safe and dependable partner for any business that wants to protect its data while getting the most out of its tracking setup.
What are the DORA technical standards?
DORA sets mandatory technical standards for financial institutions and their key third-party ICT service providers to integrate into their systems by January 17, 2025.
DORA outlines its technical requirements across four key areas:
While DORA encourages information sharing to foster collective resilience, it remains voluntary.
The requirements will be applied proportionally, with smaller entities having fewer obligations than larger financial institutions. While specific Regulatory Technical Standards (RTSs) and Implementing Technical Standards (ITSs) are still being developed, the legislation already sets clear expectations for compliance.
Are there any penalties for non-compliance with DORA?
Once the DORA standards are finalized and the January 2025 deadline arrives, the designated regulators in each EU member state, referred to as "competent authorities," will enforce them. These authorities will have the power to require financial entities to implement specific security measures to address vulnerabilities to meet the DORA compliance requirements. They will also determine penalties for non-compliance. Such penalties include administrative and, in some cases, criminal sanctions based on each country's discretion.
For ICT providers that the European Commission classifies as "critical," oversight will be handled directly by lead overseers from the European Supervisory Authorities (ESAs). Like competent authorities, these lead overseers can mandate security improvements, enforce remediation efforts, and impose penalties for non-compliance.
How does DORA differ from other cybersecurity regulations?
DORA is one of many significant cybersecurity regulations that will take effect in the coming years. The NIS2 Directive, which becomes applicable in October 2024, also establishes digital security requirements for European businesses and organizations.
DORA EU compliance is designed to standardize operational resilience and cybersecurity practices within the financial sector across all member states. DORA is tailored to the financial sector, ensuring its needs are addressed. NIS2 has a broader reach, covering all critical sectors, such as energy, healthcare, and transportation.
DORA's legal approach differs from that of NIS2. DORA is an Act that applies uniformly across all EU member states, while NIS2, as a Directive, must be transposed into the national laws of each member state.
While both focus on improving IT security, DORA will take precedence in the financial sector, serving as the primary regulatory framework.
Can non-EU businesses working with EU institutions be affected by DORA?
The EU DORA Act substantially impacts financial organizations outside the EU, particularly those serving or operating in the EU market.
These entities must meet DORA's standards to maintain market access and continue working with EU-based clients. This means increased compliance costs, operational adjustments, and possible strategy shifts.
DORA also impacts non-EU organizations by including them in the supply chains of EU financial institutions, enforcing strict requirements across the entire ecosystem.
As a result, DORA's influence extends beyond the EU. It shapes the global financial sector and emphasizes the importance of operational resilience worldwide.
In a world where cyber threats are becoming more frequent and intense, we must do what it takes to build a strong shield against them. Regulations like DORA help businesses prepare for the risks and handle them accordingly. The aim of DORA is to keep systems safe, protect customer data, and keep operations functioning during unstable times.