How to Prepare for the Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) entered into force in January 2023, and financial organisations will be expected to comply with the regulation as of January 2025. If you’re unsure of what DORA is or how your organisation should be preparing for it, this blog will give you the 101 of what you need to know and what you should do to strengthen your cyber security posture and avoid penalties for non-compliance.

Financial organisations are operating in an increasingly hostile digital landscape. With the potential risk of a bank, insurance company or investment firm and its customers suffering downtime or data loss as the result of a cyber-attack at an all-time high, and recognising the sector’s increasing dependence on technology, the European Union (EU) has introduced the Digital Operational Resilience Act (DORA) to strengthen IT security and enhance the sector’s overall resilience.

This blog is for organisations who will be impacted by DORA. Read on if you’d like to learn about DORA, how it will be enforced, and what you should be doing to prepare for it applying as of January 2025.

Let’s get started.

What is DORA?

So, what actually is DORA? DORA is a legislative framework proposed to enhance the operational resilience of financial services in the EU. Its primary objective is to safeguard the continuity of financial services, protect end-users, and bolster the stability of financial markets by setting out clear requirements for digital operational resilience.

DORA has five key pillars:

  • Risk Management. DORA emphasises the importance of robust risk management practices across the digital landscape. It requires financial entities to identify, assess, and mitigate risks to ensure the uninterrupted provision of critical services.
  • Third-Party Risk Management. DORA also requires financial entities to monitor the risks they face from third-party providers and ensure there are contractual provisions in place that promote secure working practices.
  • ICT Incident Reporting and Management. Under DORA, financial entities are obligated to report significant incidents that could impact the continuity of their services promptly. Timely reporting enables authorities to respond swiftly, minimising disruptions and potential harm to consumers and markets.
  • Digital Operational Resilience Testing. Regular testing and evaluation of resilience measures are integral to DORA. Financial entities must conduct stress tests and scenario-based exercises to assess their preparedness for various disruptions and refine their response strategies accordingly.
  • Information Sharing. DORA promotes collaboration and information sharing among relevant stakeholders to improve collective response capabilities during critical incidents or other disruptions.

Although not a formal pillar, governance sits at the heart of DORA. The first technical article of the regulation relates to governance, and governance forms an essential element of risk management.

Why is DORA Being Introduced?

The EU has introduced DORA in recognition of the interconnectedness and dependency on digital services by the finance sector; with cyber threats becoming more sophisticated and prevalent, ensuring the resilience of digital infrastructures is absolutely imperative. DORA aims to address this by establishing a comprehensive regulatory framework that fosters resilience, transparency, and accountability within the financial services ecosystem.

Who is Impacted by DORA?

DORA impacts financial entities that deliver digital services in the EU. This means that if your organisation operates within EU countries, it will be impacted by DORA.

Its scope includes but is not limited to banks, insurance companies, investment firms, critical ICT third-party service providers including cloud computing service providers providing ICT services to financial entities, and electronic money institutions.

By applying to diverse financial entities, DORA seeks to create a level playing field and ensure consistent standards of operational resilience across the financial landscape.

How will DORA be Enforced?

DORA will be enforced by EU countries’ regulatory authorities, such as BaFin in Germany and the AMF in France. To enforce compliance with DORA, regulatory authorities will be empowered to:

  • Conduct audits and inspections to assess adherence to DORA requirements.
  • Impose penalties and sanctions for non-compliance, including fines and operational restrictions.
  • Provide guidance and support to assist financial entities in meeting their obligations under DORA.
  • Foster international cooperation and coordination to address cross-border implications of digital operational resilience.

Within DORA there are articles related to administrative and even criminal penalties for non-compliance, although there are at the time of writing no confirmed financial penalties that have been defined.

Of course, specific regulatory penalties are only one part of the damage non-compliance can cause. In the highly competitive finance industry, non-compliance can cause reputational damage that can result in tangible loss of consumer confidence – resulting in potential losses much greater than any fine a regulatory body may impose.

How Should You Respond to DORA?

To comply with DORA, organisations will be asked to upload a self-assessment that auditors from regulatory bodies will review and provide feedback on. These self-assessments will need to be evidenced, and this is where your organisation’s preparation for DORA will come into play.

Non-compliant self-assessments will receive a set of remediation activities and a timeline to complete them, and the failure to do so will result in penalties. So, the better your organisation’s cyber hygiene, the easier it will be for you to align with DORA’s requirements first time.

This may require a shift in approach for financial organisations, many of which are strong on overall risk management but less focused specifically on cyber risk management.

Six Degrees can deliver a gap analysis against DORA that will provide you with the insights you need to align your organisation to the regulation’s requirements ahead of January 2025.

How Six Degrees Can Help

DORA is a regulation, but the five key pillars of DORA are relevant to any organisation handling digital information. At Six Degrees, our Cyber Security Assurance team contains experts in DORA who can provide guidance on its requirements from both a technology perspective and a governance and risk angle. We can provide financial organisations with the technology and advice they need to optimise their cyber security postures, and ensure that their people, skills, technologies, and security practices are suited to the regulatory and best practice frameworks that they want to align with.

If you need support in preparing for DORA, or if you’d like to explore how your organisation can take steps to enhance its overall cyber security posture, speak to your Account Manager or contact us to learn more.

Subscribe to the newsletter today

Related posts

Six Degrees Appoints Chief Revenue Officer

Six Degrees Appoints Chief Revenue Officer

Six Degrees has appointed Brendan Lynch as Chief…

How to Prepare for the Digital Operational Resilience Act (DORA)

How to Prepare for the Digital Operational…

The Digital Operational Resilience Act (DORA) entered into…

Cloud Readiness Assessment

Cloud Readiness Assessment

Cloud Readiness Assessment Accelerate your cloud journey with…

Six Degrees Partners with New City College to Educate and Inspire Future Tech Professionals

Six Degrees Partners with New City College…

Six Degrees’ cloud and cyber security experts are…