As financial institutions race to keep up with digital transformation, they’re met with a harsh reality: the more digital they go, the more exposed they are to cyber threats.
To combat these threats, new cybersecurity regulations are becoming more prominent. For financial entities in the European Union, The Digital Operational Resilience Act (DORA) was created to strengthen companies’ cybersecurity and operational resilience.
What is the DORA Act?
The DORA Act is a European Union regulation that was put in place to ensure financial entities can withstand, respond to, and recover from ICT-related disruptions. It’s all about maintaining operational continuity and stability for the financial sector.
The act entered into force on January 16, 2023, and applies from January 17, 2025.
Key to the act is the protection of Information and Communication Technology (ICT) systems. For the purposes of DORA, ICT refers to all digital technologies that go into storage, processing, and transmission of a financial entity’s data. This includes cloud computing services, networks, traditional IT systems, and digital platforms that are used for financial operations, customer interactions and data analytics.
Think of DORA as a framework, much like the NIST frameworks, that can help build a truly resilient digital ecosystem.
Let’s explore DORA’s five critical requirements while offering actionable strategies and examples for CISOs and security leaders to stay compliant and boost defenses.
What is operational resilience?
At its core, DORA stresses the need for operational resilience, which requires financial institutions to have the systems and protocols to withstand and recover from any disruption.
With threats like cyberattacks, natural disasters, and power outages, operational resilience is a must-have.
Here’s an example: Imagine a CISO at a financial services firm is facing a ransomware attack that disrupts core operations. Recovery time objectives (RTOs) and recovery point objectives (RPOs) have been pre-defined and multiple practice scenario-based tests had been conducted in the months leading up to the attack. This has prepared the security team to isolate affected systems and quickly redirect workflows to unaffected servers, enabling the team to restore critical services—such as client data access—within agreed limits. The firm can continue serving customers while minimizing damage.
How can organizations measure resilience? To ensure operational continuity, organizations need clear benchmarks, like:
RTOs and RPOs: Set limits on acceptable downtime and data loss to minimize operational impact.
Scenario testing: Simulations that challenge response capabilities, helping reveal weak spots before real crises arise.
Supply chain resilience: Beyond internal systems, resilience must extend to third-party providers. Financial institutions rely on a network of vendors, and any weak link can impact and potentially jeopardize resilience across the board.
Regulatory compliance metrics: To meet regulatory standards, compliance objectives should be built into the business continuity strategy.
Building resilience prepares organizations for disruptions, but staying prepared requires vigilant risk management.
ICT Risk Management Requirement
DORA’s ICT Risk Management requirement emphasizes a proactive stance against cyber threats. This means continuously assessing systems and implementing appropriate protections to address risks before they escalate.
Consider a CSO responsible for assessing risks posed by outdated software in their ICT environment. Knowing this could be an entry point for cyber criminals, they conduct a risk assessment to identify the most vulnerable applications and systems. Policies are then created to enforce regular patching and updates, ensuring all high-risk applications are protected against known threats. By continuously monitoring and revisiting this policy, the CSO is effectively reducing the organization’s risk.
DORA’s keys to risk management
Risk assessments: Frequent reviews of ICT systems help organizations identify vulnerabilities and prevent threats before they impact operations.
Policies and controls: Strong policies, covering everything from preventive security to response protocols, are crucial for consistent and effective cybersecurity management.
Incident response and recovery: A well-designed incident response plan allows for fast recovery from ICT disruptions, ensuring operations remain secure and compliant.
Incident Reporting Requirement
Transparency and accountability are crucial under DORA, as the regulation mandates that financial institutions report significant cybersecurity incidents within a tight 72-hour window.
This reporting ensures regulatory bodies can monitor industry-wide threats and respond proactively.
Consider a CISO dealing with a significant data breach that exposed sensitive client data. They face the challenge of reporting this incident within the 72-hour deadline. The incident response team conducts a quick but thorough impact assessment, documenting all relevant details and shares them with the regulatory authorities. They also prepare a communication plan for clients affected by the breach. With a clear incident reporting protocol in place, the CISO meets the regulatory requirements while maintaining transparency with both clients and authorities.
DORA’s keys to incident reporting
Reporting thresholds: Establishing clear thresholds for reportable incidents ensures that only significant disruptions are escalated to regulatory authorities.
Materiality assessments: Financial entities must determine the severity of each incident, gauging its potential impact on both operations and compliance.
Incident documentation: Comprehensive records of each incident, including type, impact, and mitigation efforts, support compliance and help with future prevention strategies.
While timely reporting addresses immediate incidents, resilience hinges on regular testing.
Digital Operational Resilience Testing Requirement
To ensure that systems can withstand disruptions, DORA requires financial institutions to conduct regular resilience testing. Testing is a great way to prove that resilience protocols are working as intended and to instill confidence that operations can continue through a crisis.
Let’s say a CSO decides to conduct a scenario-based test that simulates a Distributed Denial of Service (DDoS) attack targeting online banking services. The test reveals a weak point in the organization’s load balancing configuration, which could lead to a service outage if exploited. Acting on this insight, the CSO works with the IT team to reconfigure the load balancers, thus protecting the network against potential DDoS attacks and reinforcing operational resilience.
DORA’s keys to operational resilience testing
Penetration testing: Conducting simulated attacks through penetration testing helps identify system weaknesses, enabling organizations to take preemptive action.
Scenario-based testing: Diverse simulations test an organization’s responses to a range of disruptions, from cyber incidents to infrastructure failures. These drills reveal areas where additional controls or training may be necessary.
Testing frequency and rigor: Scheduling tests at a frequency and rigor that match the organization’s size and complexity reinforces resilience and meets DORA’s standards for preparedness.
Preparedness within the organization is essential, but resilience doesn’t stop there—it extends to third-party providers.
ICT Third-Party Risk Monitoring Requirement
With financial institutions increasingly dependent on external ICT services, DORA mandates active monitoring of any third-party risks. This requirement makes sure that security isn’t compromised by vendors or partners and maintains resilience across the extended network.
Consider a CISO evaluating a new third-party cloud provider that hosts sensitive customer data. During due diligence, the CISO’s team discovers gaps in the provider’s security protocol that could put data at risk. The CISO negotiates specific contract clauses requiring regular audits and security upgrades from the provider. Additionally, the agreement includes provisions for quarterly security reviews, allowing the organization to ensure ongoing compliance and data protection.
DORA’s keys to third-party risk monitoring
Due diligence: Before contracting with ICT service providers, thorough due diligence on their security practices is critical. Evaluating vendors’ security measures and compliance levels reduces the risk of exposure.
Contractual security provisions: Embedding security and resilience clauses within contracts allows organizations to hold providers accountable for protecting data and systems.
Ongoing monitoring: Regular audits and reviews of third-party services help ensure that providers remain aligned with the organization’s ICT risk standards.
Securing the extended network builds an organization’s resilience foundation, but staying ahead of threats also means collaborating and sharing intelligence.
Information Sharing and Intelligence Requirement
Information sharing is a powerful tool for staying ahead of threats. DORA encourages financial institutions to collaborate with peers, regulatory bodies, and cybersecurity organizations to make it easier to identify and address emerging risks.
For example, a CSO joins a local cybersecurity consortium where member organizations share threat intelligence and best practices. One day, the CSO learns through the group about a new phishing scheme targeting financial institutions. Using this information, they implement additional email security filters and bring employees up to speed on the latest phishing tactics as a preemptive strike against a known threat.
DORA’s keys to sharing and intelligence
Collaborative platforms: Joining networks for information-sharing can accelerate responses to new threats and foster collective preparedness across the financial sector.
Protecting shared data: Maintaining confidentiality in shared data maintains trust within collaborative networks, encouraging more widespread participation and buy-in.
Using shared intelligence: Integrating shared threat data into internal risk management improves overall preparedness, helping organizations adopt more adaptive cybersecurity practices.
A collaborative approach strengthens resilience across the sector, but individual organizations must also maintain internal rigor. This final step is all about embracing a culture of resilience and compliance—an area where the right technology can make a substantial difference.
The TL;DR: Key Takeaways
DORA reinforces the importance of resilience and cybersecurity across the digital financial landscape. To comply with DORA, organizations must commit to strong ICT risk management and resilience practices, extending vigilance to third-party providers and embracing the collaborative benefits of information sharing.
For financial institutions looking for a simplified path to compliance and resilience, Concentric AI can help with data security, governance, and compliance with regulations like DORA and many others.