Digital Operational Resilience Act (DORA): 6 Steps to Prepare for 2024-25
EU’s newest framework, DORA, is set to take effect January 17, 2025 and non-compliance can cost you up to €10 million! Here’s what it means for your business.
Financial institutions are the second-highest target for cyber attacks globally, with each breach costing an average of $6.08 million in 2024. The increasing frequency and severity of these attacks puts global financial stability at risk — exposing vulnerabilities and escalating financial losses. To combat this, the European Union (EU) introduced the Digital Operational Resilience Act (DORA) on January 16, 2023, setting a new benchmark for operational resilience in financial entities.
As we’re fast approaching the enforcement date of DORA, January 17, 2025, it's crucial for businesses to grasp the ins and outs of this groundbreaking regulation, including its requirements, timeline, penalties for non-compliance, and steps you should take to fully prepare.
What is the Digital Operational Resilience Act?
Introduced by the European Council, DORA is a regulatory framework to enhance the operational resilience of financial entities against digital disruptions. DORA aims to equip financial institutions and their third-party providers with the tools they need to withstand, respond to, and bounce back from ICT, or Information and Communication Technology, incidents like cyberattacks and system failures.
DORA is part of the EU's broader strategy to safeguard financial stability by mandating comprehensive risk management, incident reporting, and ICT resilience measures across the sector.
Who does DORA apply to?
DORA applies to a wide range of financial entities operating within the EU, including but not limited to:
- Banks
- FinTech
- Investment firms
- Payment institutions
- Insurance companies
- Credit rating agencies
- Crowdfunding service providers
- Third-party ICT service providers, such as cloud computing firms, that support the operations of financial institutions
This broad application means that virtually every financial entity within the EU must align its operations with DORA’s requirements to ensure continuous operational resilience.
Learn more about security reviews in the finance industry and how you can keep your organization safe.
DORA implementation timeline
The EU has granted a 24-month implementation timeline for financial institutions to comply with DORA. This extended period is designed to help organizations fully adapt to the new regulatory framework and integrate comprehensive measures for operational resilience.
- Entry into force: DORA officially entered into force on January 16, 2023, setting the regulatory framework in motion.
- Transitional period: Financial entities have a transitional period until January 17, 2025, to align their operations with DORA’s requirements.
- Compliance deadline: By January 17, 2025, all financial institutions within the EU must fully comply with DORA, having implemented the necessary measures to ensure operational resilience.
A recent study by Deloitte revealed a concerning trend: only 29% of the surveyed financial entities had a structured roadmap in place to achieve compliance with DORA. Most institutions started addressing DORA requirements in 2023, with some pushing their efforts into 2024.
6 pillars of DORA
DORA’s primary focus is to strengthen the operational resilience of financial institutions. This framework harmonizes other security and risk management regulations that already apply to entities across the EU, like the Global AI resolution and GDPR.
The six main focus areas are:
- ICT risk management: Having robust frameworks to identify, assess, and mitigate ICT risks, ensuring systems are secure and resilient.
- ICT incident reporting: Establishing clear procedures and mandating timely reporting of ICT-related incidents to authorities.
- Digital operational resilience testing: Regularly testing ICT systems through stress and penetration tests to identify and fix vulnerabilities.
- Information and intelligence sharing: Encouraging financial institutions to share threat and incident information, enhancing collective security and preparedness.
- ICT third-party risk management: Managing and monitoring risks from third-party vendors to ensure their resilience aligns with the institution's standards.
- Oversight of critical third-party providers: Implementing stringent oversight of essential third-party providers to ensure they do not pose hidden risks.
DORA requirements: 6 steps for preparation
Navigating new compliance requirements can be complex and overwhelming. Here are six manageable steps to help you prepare for DORA with confidence, breaking down each requirement into manageable tasks that ensure your organization is fully equipped to meet these new standards.
1 - Establish an ICT risk management framework
Financial entities must develop a comprehensive ICT risk management framework that identifies, assesses, and mitigates ICT risks. This framework should encompass all aspects of the organization’s ICT environment, from hardware and software to data and personnel.
- Identify and assess: Catalog all critical assets and assess potential risks and vulnerabilities within the ICT environment.
- Mitigate and monitor: Create mitigation strategies, such as implementing firewalls, encryption and access controls. Set up continuous monitoring for real-time threat detection.
- Document and update: Regularly document and update your risk management framework to reflect new threats and changes.
2 - Establish incident reporting processes and procedures
DORA requires financial institutions to have clear procedures in place for reporting ICT-related incidents. These processes should enable quick identification, assessment, and communication of incidents, ensuring that relevant authorities and stakeholders are informed promptly.
- Define and classify: Establish clear definitions for incident types and create communication channels for reporting.
- Develop and train: Outline response protocols and provide regular training for employees on incident handling.
- Test and refine: Conduct drills to test the reporting process and refine procedures based on feedback.
3 - Test your ICT system regularly
Regular testing of your ICT systems is essential to ensure they can withstand potential disruptions. DORA mandates that financial institutions conduct periodic testing, including penetration tests and vulnerability assessments, to identify and address weaknesses in their systems.
- Schedule and simulate: Set a regular testing schedule, including penetration tests and simulated cyberattacks.
- Evaluate and remediate: Analyze test results to identify system weaknesses and implement necessary fixes.
- Review and update: Continuously review testing protocols to stay aligned with emerging threats and best practices.
4 - Establish a third-party risk management system
Given the reliance on third-party service providers, DORA requires financial institutions to manage and monitor the risks associated with these external partners. This includes conducting due diligence, assessing the resilience of third-party systems, and ensuring that contracts include provisions for operational resilience.
- Assess and monitor: Conduct initial and ongoing assessments of third-party vendors' resilience and risk management.
- Contract and plan: Ensure contracts enforce resilience standards and develop contingency plans for vendor failures.
- Register and review: Maintain a risk register for third-party relationships and periodically review their performance.
Explore key strategies for effective vendor risk management and secure your business.
5 - Establish a clear governance structure
DORA mandates a clear governance structure to oversee the ICT risk management framework. This structure should include defined roles and responsibilities, ensuring that all levels of the organization are engaged in maintaining operational resilience.
- Define and assign: Clearly outline roles and responsibilities for ICT risk management within the organization.
- Oversee and report: Set up a governance committee and ensure proper reporting lines to senior management.
- Measure and adjust: Implement accountability measures and regularly review governance structures for effectiveness.
6 - Establish processes for information sharing
Effective information sharing is vital for responding to ICT incidents. DORA requires financial institutions to establish processes for sharing information about threats, vulnerabilities, and incidents both within the organization and with relevant external stakeholders.
- Identify and secure: Determine key stakeholders for information sharing and develop secure sharing protocols.
- Collaborate and automate: Engage in industry collaboration and implement automated tools for real-time sharing.
- Protect and comply: Ensure confidentiality and compliance with privacy regulations in all information-sharing activities.
DORA violations and fines: Penalties for non-compliance
DORA violations are broad and can encompass any failure to comply with the act’s requirements. This includes both direct actions, such as failing to report an incident, and indirect actions, like inadequate third-party oversight.
The scope of violations is extensive, covering:
- All ICT-related processes and systems: Every aspect of a financial entity’s digital operations is subject to DORA compliance.
- Third-party providers: Critical third-party providers that play a role in the financial institution’s ICT framework are also subject to these regulations.
- Cross-border activities: Financial institutions operating across EU member states must ensure compliance with DORA in every jurisdiction they operate in.
Fines and penalties: What’s at stake?
The penalties for non-compliance with DORA are severe and can have a significant financial impact.
- Monetary fines: Penalties for DORA violations can reach up to 10% of an entity’s annual turnover or €10 million, whichever is higher. A single violation can result in substantial financial loss.
- Operational restrictions: In addition to fines, regulatory authorities may impose operational restrictions on non-compliant entities, limiting their ability to conduct business until compliance is achieved.
- Reputational damage: Beyond the direct financial penalties, DORA violations can lead to reputational damage, eroding customer trust and investor confidence, and potentially leading to long-term financial consequences.
While DORA’s operational restrictions and penalties are focused on financial institutions in the EU, their impact can ripple globally. Any company providing ICT services to such businesses in the EU must comply with DORA, regardless of location, and face penalties or operational restrictions for non-compliance.
Mistakes to avoid while preparing for DORA
1 - Delaying implementing your DORA roadmap
The transitional period may seem ample, but delaying action can lead to rushed implementations and potential non-compliance. Begin preparations early to ensure all requirements are met before the 2025 deadline.
2 - Assuming other compliance frameworks cover everything
DORA has specific requirements that may not be fully covered by other regulatory frameworks like NIS 2 or ISO 27001. It’s crucial to thoroughly assess your compliance efforts to ensure that DORA-specific mandates are addressed.
3 - Supplier failure, service deterioration, and concentration risks
Over-reliance on a single supplier or third-party service provider can lead to risks. Ensure that you diversify your third-party engagements and include robust resilience clauses in your contracts to mitigate potential service disruptions.
Simplify and speed up DORA compliance
While a two-year implementation time might seem enough — the January 2025 deadline is quickly approaching. Additionally, the complexities and stringent requirements of DORA may require substantial time to assess and address the gaps.
SecurityPal can streamline your compliance journey, ensuring a faster path to readiness. We offer comprehensive third-party vendor assessments and rigorous oversight of critical third-party providers to mitigate hidden risks. Leveraging our 150+ globally certified security experts and deep industry insights, we’ll help you navigate DORA effectively.
Ready to get started? Secure your vendor partnerships with SecurityPal Vendor Assess.