The Digital Operational Resilience Act (DORA)

The newly adopted Digital Operational Resilience Act (DORA) for financial services entities is here. But what action does your business need to take for you to comply with the legislation?

The European Union (EU) has formally adopted its latest operational resilience legislation, DORA. The new legislation will place additional reporting requirements on financial institutions and their critical suppliers.

A deadline of 17th January 2025 has been set for those affected to ensure they are compliant, and organisations must act now to guard against evolving risks.

DORA explained

DORA builds on existing institutional EU requirements. This in response to market-wide, ongoing digital transformation and evolution of new associated risks.

The Act aims to set uniform requirements for the operational resilience of almost all financial entities operating in the EU. Importantly, it also applies to critical third parties that provide ICT-related (information and communication technologies) services to the FS sector. For example, cloud platforms, professional services, or data analytics.

DORA also mandates that all participants in the financial system have the necessary safeguards in place to mitigate attacks and other risks. This will include supplier failure, service deterioration, and concentration risk.

DORA and You

The reach of DORA is set to be far broader than any previous regulation. This will impact any financial institution or critical providers that need access to or operate within the EU market.

In addition to financial services organisations, the European Supervisory Authorities (ESAs) is an organisation that is responsible for the supervision of EU financial markets. The ESAs will be able to designate critical ICT third-party service providers based on criteria. This criteria can include sustainability and the impact possible if they experienced a large operational failure.

DORA in the UK

As DORA is an EU legislation, it may not always apply directly to UK organisations. However, as many firms in the UK have operations within the EU, DORA may affect you. Even if you supply EU financial institutions from the UK, you’ll be in the scope of DORA. Below is the list of businesses that are in scope:

• Financial services and insurance
• Lenders
• Fintech
• Trading venues
• Financial system providers
• Crowdfunding
• Crypto financial services supply chain
• Investment firms
• Payments
• Credit rating agencies

What do I need to do?

Risk Management

DORA lays out frameworks and guidelines for risk management within the financial sector. The increase of digital transformation and connectivity means that EU market regulators are keen to safeguard Financial Services and Insurance companies. This includes protecting their supply chains and customers from increasing cyber-attacks.

These guidelines aim to help organisations build more mature risk management programmes and improve operational resiliency.

DORA Roadmap

1. Scope – determine whether your business or your IT providers are within the DORA remit.
2. Carry out a readiness assessment – do your current standards and procedures meet the DORA standard?
3. Resource Assignment – understand what resources will be needed to achieve compliance.
4. Create your DORA Framework to ensure governance and management. Security controls and testing plans must be put in place.
5. Reporting – polices and procedures must be devised to adequately evidence demonstrable compliance.

Fortis DPC can guide you on your compliance journey to help financial service businesses prepare for DORA.

Our DORA Readiness Assessment is designed to support financial institutions and critical third parties looking to obtain DORA compliance.

Cyber Threat Intelligence

Threat intelligence is an important element to protecting your business. ISO27001:2022 requires this and DORA does also. Educating your teams about emerging and current threats is simply good practice and makes a great deal of sense.

Regulations such as DORA and its potential fines for non-compliance bring another risk to organisations. However, regardless of regulatory pressure, understanding your digital risk and attack surface is vital for organisations to better prevent, respond to, and recover from ICT-related disruptions and threats.

Insight into cyber threats facing their organisation is invaluable. As publicly accessible information increasingly becomes the entry point for attackers on the attack timeline, external threat intelligence provides a nearly real-time understanding of what an organisation’s external security posture looks like.

DORA’s requirements continue the cyber regulatory theme pushing organisations to better understand the unique risks and threats facing their organisation. Chapter 1, Article 7 of DORA requires financial entities to identify all sources of ICT risk. This particularly relates to business exposure, and the systems and tools used.

External threat intelligence is clearly highly useful in this regard. Continuous use built into risk management processes will enable organisations to build a strong digital posture. This will assist in demonstrating DORA compliance to the authorities.

The Countdown is underway

With the deadline for complying with the EU’s Digital Operational Resilience Act (DORA) set for 17 January 2025, pressure is mounting for financial institutions and service providers across the industry.

Tasked with implementing yet another new set of policies and protocols to reduce cyber security risk and improve operational resilience, small and medium-sized organisations are particularly on edge. Many recognise that achieving compliance may be more than their limited resources can bear.

Don’t worry, we can help you. With a sound strategy, a solid governance framework, and trusted tools and partners in place, there’s still time to achieve compliance.