
Digital Operational Resilience Act (DORA) explained

Published
Dec 19, 2024

You should know about the Digital Operational Resilience Act (DORA) if you work in digital operations. This law helps financial institutions and key service providers prepare for cyberattacks and system failures. How does this affect your business? DORA is meant to ensure your operations stay stable and keep running smoothly through the disruptions a digital environment faces.

This article explains DORA's key points, from its objectives and compliance requirements to how it affects both EU and non-EU businesses. Whether you work within the EU or with EU-based clients, understanding DORA is crucial for maintaining resilience in an increasingly digital world. We will also cover how server-side tracking is affected by DORA and how Stape approaches the new regulation.

What is DORA?

DORA is a landmark EU regulation designed to strengthen IT security and operational resilience for European financial institutions. It entered into force on January 16, 2023, and DORA compliance becomes mandatory on January 17, 2025. DORA is recognized as an effective tool for managing digital risks in the financial sector.

NIS2 and DORA are two key frameworks for cybersecurity and digital resilience. The first, NIS2, focuses on security measures for essential services in the EU. The second, the Digital Operational Resilience Act, aims to strengthen the operational endurance of financial institutions. Together, they play a crucial role in protecting Europe's digital infrastructure from emerging cyber threats.

In September 2023, the European Commission clarified the relationship between these two frameworks in its NIS2 Directive:

  • The NIS2 Directive targets critical sectors such as energy, transport, water supply, healthcare, and digital infrastructure. It seeks to protect these vital services by introducing stricter cybersecurity requirements and improving incident response capabilities.
  • In contrast, DORA is crafted for the financial sector, covering institutions such as banks, insurance companies, and investment firms. It establishes comprehensive requirements for managing risks related to information and communication technology (ICT), ensuring financial institutions can withstand, respond to, and recover from ICT-related disruptions.

As a result, financial institutions and ICT service providers within the EU must comply with DORA’s requirements by January 17, 2025. Each EU member state is responsible for ensuring compliance, and designated regulatory authorities are empowered to mandate specific security measures and address already-known vulnerabilities.

Failure to comply with the regulation may result in severe penalties. For "critical" ICT providers designated by the European Commission, non-compliance can lead to fines of up to 1% of their average daily global turnover for the previous financial year.

Why is DORA important?

The financial sector, both globally and within Europe, is experiencing a surge in cyberattacks, which are part of a broader rise in global cyber threats.

Europe has introduced the Digital Operational Resilience Act to address this. The goal is to build a single system for cyber resilience and ensure financial stability across the EU. DORA promotes proactive practices that help organizations mitigate the impact of cyber threats on their ICT systems.

DORA focuses on unifying regulations across Europe. In the past, individual countries had separate approaches with varying rules and oversight. By addressing this lack of cohesion, DORA introduces a consistent approach that supports Europe’s aim for greater legislative and economic synchronization.

For financial institutions and other affected entities, DORA provides the added benefit of clearer legal obligations regarding cybersecurity and resilience. This clarity extends across borders, offering consistent guidance and reducing uncertainty about how to handle cyber threats.

Purpose and objectives of DORA

To understand DORA compliance better, let’s look closely at DORA’s objectives.

DORA has two primary objectives:

  1. Establish comprehensive ICT risk management practices for the financial sector, including standards for risk assessments, incident reporting, and resilience testing.
  2. Harmonize ICT risk management regulations across EU member states, create a level playing field, and reduce compliance challenges for financial entities operating in multiple EU countries.

Before DORA, fragmented national regulations made compliance difficult for cross-border financial institutions. DORA addresses this by introducing uniform regulatory standards, minimizing confusion, and enhancing security across the EU’s financial sector.

Who does DORA apply to?

The DORA Act applies to over 22,000 financial institutions and ICT service providers operating within the EU, as well as the ICT infrastructure that supports them from outside the EU. It impacts various financial entities, including:

  • Banks
  • Insurance companies
  • Investment firms
  • Payment processors
  • Stock exchanges
  • Market infrastructure entities
  • Credit rating agencies
  • Crypto-asset service providers

Moreover, DORA extends to critical ICT service providers supporting these institutions. Organizations must identify dependencies on third-party ICT providers and diversify to avoid over-reliance on a single or limited group of suppliers.

DORA requirements explained

Key DORA requirements are as follows:

1. ICT risk reduction

Under Article 5, DORA mandates the establishment of a robust, comprehensive, and well-documented ICT risk management framework integral to an institution's overall risk management system. Key elements include:

  • Risk identification and assessment. Regular evaluation and documentation of ICT risks, including those arising from third-party dependencies.
  • Protection and prevention measures. Strategies, policies, and tools to safeguard systems and data, such as passwordless access solutions that mitigate phishing risks.
  • Detection mechanisms. Leveraging technologies to identify anomalies and potential security incidents quickly.
  • Response and recovery planning. Developing business continuity and crisis management plans.
  • Training and improvement. Continuously improving systems based on past incidents and testing outcomes.

DORA also requires appointing a responsible party for ICT risk management oversight, ensuring clear accountability and effective governance.

2. Incident reporting

Incident management and reporting are central aspects of DORA. Institutions need to set up systems to track and categorize ICT-related incidents. Under Article 15, organizations must submit:

  • An initial report within a defined timeframe after identifying a significant incident.
  • An interim report if the incident’s status significantly changes.
  • A final report after completing root cause analysis and assessing the incident's impact.

Additionally, under Articles 16–20, organizations are required to:

  • Classify ICT incidents based on predefined impact levels.
  • Use standardized templates for reporting incidents to regulatory authorities.
  • Notify end-users and clients promptly about serious incidents and measures to mitigate impacts.
  • Ensure reports are submitted by the end of the working day or within four hours of the next business day if the incident occurs shortly before the day ends.

3. Testing digital operational resilience

Under Article 21, DORA mandates regular testing of ICT risk management systems to ensure their effectiveness. Testing steps include:

  • Vulnerability assessments. Regular scans to identify weaknesses in systems and applications.
  • Network and infrastructure security evaluation. Testing network defenses.
  • Application security testing. Assessing software used for critical business functions.
  • Scenario-based testing. Simulating various cyber threat scenarios to evaluate response capabilities.
  • Threat-led penetration testing. Advanced testing for critical financial institutions, conducted at least once every three years.

Additionally, Article 23 requires organizations to perform penetration testing for ICT processes supporting critical functions, including outsourced services.

4. Third-party risk management

Recognizing the importance of ICT service providers, DORA introduces strict third-party risk management requirements, including:

  • Due diligence. Evaluating ICT providers before entering into contracts.
  • Contractual guarantees. Including provisions on security, incident reporting, and audit rights in agreements.
  • Ongoing monitoring. Regular assessment of third-party performance and security measures.
  • Exit strategies. Plans to transition from one provider to another if needed.

DORA also establishes oversight frameworks for critical third-party ICT providers, enabling EU supervisory bodies to monitor compliance directly.

5. Information sharing

DORA encourages collaboration between trusted financial organizations to:

  • Raise awareness of ICT-related risks.
  • Minimize the spread of ICT threat vectors.
  • Share defensive strategies, mitigation techniques, and threat intelligence.

Implementation of DORA

Preparing for DORA compliance

Achieving DORA compliance may seem complex, but it becomes manageable with a straightforward approach. Review your cybersecurity practices and risk management plan to find areas to improve. Regular training for all employees, including leaders, is essential to create a strong and prepared team.

Review contracts with ICT service providers to ensure they meet DORA’s standards. Create a comprehensive inventory of all agreements, including cloud services and software providers, to identify dependencies and mitigate risks. By taking these strategic steps, your organization can strengthen its operational resilience and align with DORA’s requirements.

By adhering to these measures, organizations can meet DORA’s high standards for ICT risk management and operational resilience.

DORA UK vs DORA EU: are there any differences?

The DORA regulation introduces European unified resilience standards, which UK businesses should be aware of.

UK-regulated firms must manage operational risks responsibly and effectively and ensure their affairs are organized with robust risk management systems. The Financial Conduct Authority (FCA) rules outline this obligation, which includes provisions on management and governance, risk management, internal controls, business continuity, contingency planning, and outsourcing practices.

These existing requirements are now being expanded with new provisions targeting operational resilience. The DORA cyber security framework further strengthens these measures, ensuring firms address ICT risks comprehensively and protect against digital threats. The updated regime introduces requirements for certain types of firms and proposes extending them to include service providers not regulated by the FCA.

UK Operational Resilience regime

The UK operational resilience regime takes a broader approach to operational risks than the EU’s DORA. It emphasizes a firm's ability to withstand disruptions—not just those arising from digital or ICT incidents.

The framework applies to banks, insurers, and significant investment firms. If they meet specific criteria, asset managers may also be included.

Unlike DORA, the UK framework covers fewer organizations but considers a broader range of risks and takes a more comprehensive view of resilience. It looks beyond digital risks and focuses on helping businesses handle disruptions from any source.

Future of Digital Operational Resilience

What is DORA compliance? Is it another regulation or an opportunity to rethink how businesses tackle resilience and cybersecurity? For many, it’s a fresh start—a chance to replace scattered systems with a unified approach that builds trust and stability in the digital world.

DORA compliance challenges businesses to adopt a proactive mindset, address ICT risks, and ensure resilience across the entire supply chain, including third-party service providers. DORA pushes organizations to make their operations more resilient to cyber threats and aligned with Europe’s vision for a secure and interconnected economy.

The actual value of DORA compliance depends on how businesses respond. Will they see it as a challenge or an opportunity to strengthen resilience and gain a competitive advantage? Time will tell.

DORA and server-side tracking

Server-side tracking helps businesses meet regulations like DORA by improving data security and reliability. Stape is working to meet DORA’s standards by the time they take effect.

Stape is ISO 27001, HIPAA, and GDPR compliant to protect data and ensure privacy. We’re committed to staying up to date with new regulations and providing secure, reliable tracking solutions. Stape is a safe and dependable partner for any business that wants to protect its data while getting the most out of its tracking setup.

FAQs

What are the DORA technical standards?

DORA sets mandatory technical standards for financial institutions and their key third-party ICT service providers to integrate into their systems by January 17, 2025.

DORA outlines its technical requirements across four key areas:

  • ICT risk management and governance. Establishing robust frameworks for managing technology-related risks.
  • Incident response and reporting. Ensuring effective processes for handling and reporting ICT incidents.
  • Digital operational resilience testing. Regularly testing the resilience of ICT systems.
  • Third-party risk management. Strengthening oversight of external technology providers.

While DORA encourages information sharing to foster collective resilience, it remains voluntary.

The requirements will be applied proportionally, with smaller entities having fewer obligations than larger financial institutions. While specific Regulatory Technical Standards (RTSs) and Implementing Technical Standards (ITSs) are still being developed, the legislation already sets clear expectations for compliance.

Are there any penalties for non-compliance with DORA?

Once the DORA standards are finalized and the January 2025 deadline arrives, the designated regulators in each EU member state, referred to as "competent authorities," will enforce them. These authorities will have the power to require financial entities to implement specific security measures that address vulnerabilities and meet the DORA compliance requirements. They will also determine penalties for non-compliance. Such penalties include administrative and, in some cases, criminal sanctions, at each country’s discretion.

For ICT providers that the European Commission classifies as "critical," oversight will be handled directly by lead overseers from the European Supervisory Authorities (ESAs). Like competent authorities, these lead overseers can mandate security improvements, enforce remediation efforts, and impose penalties for non-compliance.

How does DORA differ from other cybersecurity regulations?

DORA is one of several significant cybersecurity regulations taking effect in the coming years. The NIS2 Directive, applicable from October 2024, also establishes digital security requirements for European businesses and organizations.

DORA EU compliance is designed to standardize operational resilience and cybersecurity practices within the financial sector across all member states. DORA is tailored to the financial sector, ensuring its needs are addressed. NIS2 has a broader reach, covering all critical sectors, such as energy, healthcare, and transportation.

DORA's legal approach differs from that of NIS2. DORA is an Act that applies uniformly across all EU member states, while NIS2, as a Directive, must be transposed into the national laws of each member state.

While both focus on improving IT security, DORA will take precedence in the financial sector, serving as the primary regulatory framework.

Can non-EU businesses working with EU institutions be affected by DORA?

The EU DORA Act substantially impacts financial organizations outside the EU, particularly those serving or operating in the EU market.

These entities must meet DORA's standards to maintain market access and continue working with EU-based clients. This means increased compliance costs, operational adjustments, and possible strategy shifts.

DORA also impacts non-EU organizations by including them in the supply chains of EU financial institutions, enforcing strict requirements across the entire ecosystem.

As a result, DORA's influence extends beyond the EU. It shapes the global financial sector and emphasizes the importance of operational resilience worldwide.

To sum up

In a world where cyber threats are becoming more frequent and intense, we must do what it takes to build a strong shield against them. Regulations like DORA help businesses prepare for these risks and respond to them accordingly. The aim of DORA is to keep systems safe, protect customer data, and keep operations running during unstable times.
