Digital Operational Resilience Act (DORA) Part 1 - What You Need to Know

Chris Burton

Head of Professional Services

Chris is the Head of Professional Services at Pentest People, where he brings a wealth of expertise and leadership in the field of Cyber Security. With years of experience in delivering high-standard services, Chris has established himself as a trusted authority in the industry.

What is DORA (Digital Operational Resilience Act)?

The Digital Operational Resilience Act (DORA), introduced by the European Union, will come into effect in the financial sector from January 2025. Its purpose is to establish a comprehensive regulatory framework to assist financial institutions in effectively addressing and managing cybersecurity threats. DORA will have a significant impact not only on the financial industry but also on its IT service providers. Depending on their current cybersecurity measures, some organisations may need to make substantial efforts to ensure compliance with the new regulations.

The DORA framework was purposefully designed by its creators to empower financial institutions to sustain their operations in the event of cyber attacks. This approach emphasises continuous intervention in security operations, prioritising ongoing resilience over one-time fixes. Regulators will rely on DORA as a vital tool to evaluate and scrutinise businesses' strategies and plans for maintaining resilience against risks, highlighting the importance of compliance.

The Five Pillars of DORA

1. ICT risk management

DORA provides financial companies with harmonised, EU-wide requirements for ICT risk management. It places new, stricter and, for the first time, concrete requirements on ICT governance and organisation, on the ICT risk management framework, on ICT systems, protocols and applications, on the further development of ICT systems, and on learning processes. These requirements are intended to help maintain or, if necessary, restore the functionality of financial companies, particularly with regard to cyber risks.

2. Management of ICT third-party risks

DORA requires financial companies to assess and monitor ICT third-party risks throughout the entire life cycle of the engagement. An important prerequisite for this is that a risk analysis and due diligence are carried out before the contract is concluded. In addition, DORA specifies the minimum requirements that apply to the content of contracts with ICT third parties and requires that all ICT contractual relationships be entered in an information register (similar to the outsourcing register). The information register must be submitted to the supervisory authority on request.

3. ICT incident reporting

DORA contains the obligation to implement a management process which, in addition to handling ICT-related incidents, also includes the monitoring, logging, classification and, if necessary, reporting of ICT-related incidents.

4. Testing digital operational resilience

With DORA, financial companies must constantly monitor and test their information and communication technology by establishing a risk-based, proportional testing program. Such a test program should, for example, analyse open source software, check network security and physical security in financial companies and include gap analyses, scenario-based tests, compatibility tests and penetration tests. In this way, financial companies should recognise, among other things, how prepared they are for ICT incidents and where they may have weaknesses in their digital operational resilience.

5. Information exchanges and cyber exercises

To strengthen the digital operational resilience of the European financial sector, DORA encourages financial firms to share information and intelligence on cyber threats. Financial undertakings must notify the competent supervisory authority as soon as their participation in such information sharing agreements has been confirmed or ends.

BaFin and the Deutsche Bundesbank are already preparing for DORA and are working on adapting their supervisory and administrative practices and implementing IT processes and systems within the framework of DORA. In future, BaFin will become the national reporting hub for ICT incidents in the financial sector. Furthermore, BaFin will receive the notifications that institutions and companies are obliged to make under ICT third-party risk management, and will analyse them with regard to potential risks for the financial sector.

Who Does The DORA Regulation Apply to?

The Digital Operational Resilience Act (DORA) applies to a wide range of financial institutions operating within the European Union. This regulation aims to ensure that these entities have strong ICT risk management frameworks and can withstand, respond to, and recover from ICT-related disruptions.

The entities subject to DORA include credit institutions such as banks, investment firms, insurance and reinsurance companies, payment service providers, electronic money institutions, central securities depositories (CSDs), trading venues, central counterparties (CCPs), administrators of critical benchmarks, crypto-asset service providers, crowdfunding service providers, management companies, data reporting service providers, and third-party ICT service providers including cloud computing services, software, and data analytics services critical to financial entity operations.

The list is not exhaustive, but it gives examples of the kinds of organisations that must implement DORA.

The DORA Timeline & What you Need To Know

The Digital Operational Resilience Act (DORA) is a significant regulatory framework established by the European Union that plays a crucial role in enhancing the digital operational resilience of financial institutions.

In November 2022, a significant milestone was attained for the Digital Operational Resilience Act (DORA) as the European Parliament and the Council of the European Union reached a provisional agreement. This accord represented a pivotal advancement towards the formal adoption of DORA, poised to substantially bolster the digital operational resilience of the financial sector within the European Union.

In September 2023, the European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), achieved a significant milestone by concluding a public consultation on the initial set of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) under the Digital Operational Resilience Act (DORA).

In January 2024, the European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), issued the initial set of finalised draft technical standards under the Digital Operational Resilience Act (DORA). These standards are specifically crafted to fortify the digital operational resilience of the European Union's financial sector.

The consultation regarding the second batch of policy mandates under DORA concluded in March 2024. This batch encompasses a range of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), in addition to guidelines (GL) addressing critical facets of ICT risk management and operational resilience.

In July 2024, the European Supervisory Authorities (ESAs), which encompass the EBA, EIOPA, and ESMA, delivered the final version of multiple regulatory technical standards (RTS) and implementing technical standards (ITS) under the Digital Operational Resilience Act (DORA) to the European Commission. This submission marked a key step towards ensuring the adoption and enforcement of the standards by the scheduled full implementation date.

The Digital Operational Resilience Act (DORA) will be fully enforced across the European Union by January 2025. All financial entities within the scope of DORA must comply with the new standards for ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management.

DORA Focused Penetration Testing

Pentest People follows a consultant-led methodology for penetration testing to ensure compliance with DORA standards. We conduct manual penetration testing to realistically simulate cyber attacks and identify vulnerabilities that may compromise the resilience of financial systems.

Our approach allows us to evaluate the effectiveness of current security measures and provide valuable recommendations to strengthen defences against cyber threats.

With our consultant-led approach, you'll have an expert to help mitigate risks associated with identified vulnerabilities. Pentest People offers comprehensive reports outlining findings, recommendations, and actionable insights, underpinned with advanced technology and delivered through our Secure Portal. These reports empower organisations to prioritise remediation efforts and improve their security posture.

Speak with one of our team today and make sure you're taking the right steps to comply with DORA.

In Summary

The Digital Operational Resilience Act (DORA) will come into mandated effect in January 2025. Introduced by the European Union, this regulatory framework aims to enhance financial institutions' cybersecurity and operational resilience. DORA ensures that these entities can effectively address and manage cybersecurity threats through robust ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management. This regulation will significantly impact financial institutions and their IT service providers, necessitating substantial efforts from some organisations to achieve compliance.

The framework prioritises continuous security operations and resilience over one-time fixes. Regulators will use DORA as a critical tool to evaluate and scrutinise businesses' resilience strategies against risks, emphasising the importance of ongoing compliance. Pentest People offers comprehensive DORA compliance auditing aligned with the regulation's five pillars: risk management, incident response, resilience testing, third-party risk management, and information sharing. Our consultant-led methodology ensures thorough penetration testing, realistic simulation of cyber attacks, and identification of vulnerabilities, providing valuable recommendations to enhance the security posture of financial systems.

DORA applies to various financial institutions, including banks, investment firms, insurance companies, payment service providers, and ICT third-party service providers. The regulatory timeline included significant milestones: a provisional agreement in November 2022, a public consultation on initial technical standards in September 2023, the issuance of finalised draft technical standards in January 2024, and the conclusion of the second batch of policy mandates in March 2024. The final regulatory standards were submitted to the European Commission in July 2024, ensuring adoption and enforcement by January 2025.