The Digital Operational Resilience ACT (DORA) regulation turns into enforceable within the European Union on 17 January 2025. With stress testing on 109 banks already underway by the European Central Financial institution (ECB), the remainder of the EU monetary sector ought to observe swimsuit to keep away from dashing by means of last-minute compliance efforts.
This text outlines the DORA compliance necessities, together with a helpful guidelines that can assist you pave a path to compliance earlier than the deadline.
What’s DORA?
The Digital Operational Resilience ACT, or DORA, is an EU regulation that goals to ascertain digital operational resilience throughout the monetary ecosystem to cut back enterprise disruptions within the occasion of a cyberattack or information breach. DORA enhances present EU cybersecurity laws, such because the GDPR and NIS2 Directive.
Who should adjust to the DORA regulation?
All monetary establishments doing enterprise within the EU member states should adjust to the DORA necessities, together with:
The Monetary Providers IndustryPayment establishmentsFunding firmsInsurance companiesCredit score businessesCrypto-asset service providersCrowdfunding service providersData analytics and audit servicesFintechBuying and selling venuesFinancial system providersCredit institutionsThird-party distributors who present data and communication expertise (ICT) providers for finance establishments should additionally obtain DORA compliance.
Use this free DORA danger evaluation template to trace every vendor’s alignment with the DORA commonplace.
DORA compliance dates
The DORA laws turned efficient on 16 January 2023, permitting a 24-month implementation interval for in-scope organizations.
On 17 January 2024, the three European supervisory authorities, the EBA (European Banking Authority), EIOPA (European Insurance coverage and Occupational Pensions Authority), and ESMA (European Securities and Markets Authority), finalized drafted Regulatory Technical Requirements (RTS) outlining ICT danger administration necessities below DORA.
Affected establishments have till 17 January 2025 to adjust to DORA necessities.
On 3 January 2024, the European Central Financial institution (ECB) introduced the graduation of digital operational resilience testing throughout 109 banks within the EU.
Discover ways to adjust to the third-party danger necessities of DORA >
What are the penalties for DORA non-compliance?
Enforcement of penalties for DORA non-compliance falls within the arms of designated regulators in every EU state, generally known as “competent authorities. Potential consequences for non-compliance include administrative fines, remedial measures, public reprimands, withdrawal of authorization, and compensation for damages incurred.
In-scope entities that don’t comply with the DORA are subject to penalty payments of up to 1% of the average daily worldwide turnover in the preceding business year.
DORA compliance requirements
The DORA regulation consists of five key pillars that set out requirements for finance entities to withstand, respond to, and recover from ICT-related threats. Below are the five pillars of DORA compliance.
1. ICT risk management
Finance entities are required to establish and maintain comprehensive ICT risk management frameworks. These frameworks should cover all stages of an ICT system’s lifecycle and include appropriate cybersecurity measures for cyber threat identification, protection, detection, response, and recovery plans within the organization and throughout the supply chain. This pillar also mandates continuous testing and monitoring to ensure the ongoing effectiveness of the implemented measures.
2. ICT incident reporting
Firms must report major ICT-related incidents to their respective regulators promptly. The aim is to enable a better understanding of the ICT risk landscape across the financial sector and encourage a coordinated response to major incidents.
3. Digital operational resilience testing
DORA mandates that firms conduct regular testing to assess their capacity to withstand various types of ICT disruptions. This pillar requires in-scope entities to undergo routine threat-led penetration testing (TLPT) to simulate cyberattacks and assess their cybersecurity defenses.
4. ICT third-party risk management
DORA introduces rules for managing cyber risks from outsourcing critical financial operations to third-party ICT service providers. The DORA third-party risk management requirements stipulates that finance entities must subject ICT third-party service providers to proper oversight and due diligence processes. They should also ensure that third-party risk management processes are in place to reduce the likelihood of major incidents like data breaches.
5. Information and intelligence sharing
DORA encourages the sharing of cyber threat information and intelligence among finance entities. This collaboration aims to enhance the sector’s ability to identify, protect against, respond to, and recover from ICT-related incidents. The regulation provides an information-sharing framework while ensuring data protection remains a priority.
By establishing these pillars, DORA aims to standardize and strengthen the digital operational resilience of the EU’s financial sector, ensuring that it remains robust, competitive, and capable of handling the evolving landscape of ICT risks.
DORA compliance checklist
The Digital Operational Compliance Act is a comprehensive regulatory framework that requires finance entities to take a structured approach to implementation. This checklist maps out key actions to take to achieve DORA compliance faster.
1. Determine DORA scope
▢ Refer to Article 2 of the DORA legislation to determine if your organization is an in-scope entity, i.e., a finance institution or critical ICT service provider to a financial institution.
2. Perform a DORA gap analysis
▢ Conduct a maturity assessment against the DORA compliance requirements to identify gaps across all ICT systems.
▢ Assess your ICT third-party risk by conducting vendor risk assessments.
💡 How UpGuard helps
UpGuard offers a free DORA assessment workbook that maps relevant controls from the NIST CSF and ISO 27001 frameworks to the DORA requirements. The UpGuard platform automates compliance mapping and reporting for these frameworks for you and your vendors.
ISO 27001 compliance reporting feature in the UpGuard platform3. Create a remediation roadmap
▢ Use assessment findings to identify compliance gaps and create a roadmap of remediation activities.
💡Compliance tip: ‘The roadmap should include identified actions on a yearly timeline (e.g., divided into quarters), based on action priority and feasibility.’ – Cindy Ruan, Governance Risk and Compliance Specialist💡 How UpGuard helps
UpGuard includes automated remediation workflows that enable you to request vendor remediation based on automated scanning and questionnaire responses.
Vendor risk remediation summary in the UpGuard platform
4. Identify critical third-party ICT providers
▢ Refer to Article 31 of the DORA requirements to understand which of your third-party ICT providers are deemed ‘critical’ and must also comply.
💡 How UpGuard helps
UpGuard helps you find, track, and monitor the security posture of any organization instantly. You can categorize vendors, compare them against industry benchmarks, and see how their security posture changes over time.
UpGuard vendor ratings5. Implement a threat-led penetration testing (TLPT) framework
As per Article 26 of the DORA regulation, financial entities must conduct TLPT testing at least every three years.
▢ Use an approved TLPT framework, such as TIBER-EU.
▢ Ensure your TLPT framework covers several or all critical functions of the financial entity.
▢ Define the scope of the TLPT framework and receive approval of the scope by a competent authority (as defined in Article 46 of the DORA).
▢ When ICT third-party service providers are deemed in-scope for TLPT testing, take the necessary measures and safeguards to ensure the service provider’s participation.
▢ Perform testing on live production systems.
▢ Ensure testing is carried out at least every three years, depending on risk portfolio and operational circumstances.
▢ Submit a summary of relevant findings, corrective action plans, and documentation demonstrating that the test meets requirements.
💡 Compliance tip: ‘TLPT is also known as Red Team Testing or “Red Teaming” within the business. It’s a managed (and approved) try by moral hackers to compromise an entity’s techniques and general cyber resilience by simulating the ways, methods, and procedures (TTPs) of real-life menace actors.’ – Cindy Ruan, Governance Threat and Compliance Specialist6. Develop an incident response plan
Article 17 of the DORA requires monetary entities to outline, set up, and implement an ICT-related incident administration course of to detect, handle, and notify ICT-related incidents.
▢ Put in place early warning indicators.
▢ Set up procedures for figuring out, monitoring, logging, and classifying ICT-related incidents.
▢ Assign roles and obligations for incident administration.
▢ Create plans for communication and notification of ICT-related incidents between all key stakeholders and senior administration.
▢ Report main ICT-related incidents to related senior administration and the administration physique.
💡Compliance tip: ‘Test your incident response and disaster recovery plans or strategies by performing tabletop exercises (such as simulating a disaster or incident) to evaluate their effectiveness. The outcomes of the exercises should be documented and reviewed so that organizations can understand how to improve their internal processes.’ – Cindy Ruan, Governance Threat and Compliance Specialist💡 How Cybersecurity helps
Cybersecurity notifies you of exterior vulnerabilities and exposures placing you and your distributors in danger with real-time safety score alerts.
Cybersecurity safety ratings7. Repeatedly monitor ICT techniques
In keeping with Article 8 of the DORA, monetary entities should repeatedly establish all sources of danger as a part of an ICT danger administration framework.
▢ Establish, classify, and correctly doc ICT enterprise features, data property, roles, and dependencies.
▢ Assess cyber threats and vulnerabilities related to ICT-supported enterprise features.
▢ Carry out further danger assessments upon main adjustments within the community or infrastructure.
▢ Keep inventories of data property, processes that rely upon ICT third-party service suppliers, and legacy ICT techniques and applied sciences.
▢ Carry out common ICT danger assessments on all legacy ICT techniques.
💡 How Cybersecurity helps
Cybersecurity repeatedly screens your exterior assault floor to establish vulnerabilities, detect adjustments, and uncover potential threats across the clock.
Breakdown of recognized exterior dangers by criticality within the Cybersecurity platform8. Perceive the obligations of the Board
Article 5 of the DORA stipulates that board administrators and government administration should settle for final accountability for managing ICT danger and making certain digital operational resilience.
▢ Set data safety insurance policies to make sure the upkeep of knowledge safety.
▢ Outline roles and obligations for ICT-related features and the institution of governance preparations.
▢ Outline and approve a digital operational resilience technique.
▢ Evaluation and approve ICT enterprise continuity plans, ICT inside audit plans, and using ICT providers supplied by third events.
▢ Sustain-to-date on the newest information and expertise about ICT dangers.
▢ Allocate ample price range to ICT sources, safety consciousness packages, and digital operational resilience coaching.
💡 How Cybersecurity helps
With Cybersecurity, you possibly can generate downloadable PDFs that summarize your safety posture and that of your distributors. The stories present a high-level overview appropriate for gaining buy-in with non-technical stakeholders.
Board Abstract Report within the Cybersecurity platformHow Cybersecurity helps organizations adjust to the DORA framework
Cybersecurity offers automated compliance mapping and reporting in opposition to DORA by means of NIST CSF and ISO 27001 for you and your distributors. Assess your DORA compliance in the present day. Begin your free 7-day trial.
