DORA Regulation – Digital Operational Resilience Act
In an increasingly digitalised world, the security and resilience of the financial sector have become critical priorities. The EU has responded by introducing the Digital Operational Resilience Act (DORA), a regulation designed to strengthen the digital operational capabilities and cybersecurity of financial institutions.
What is DORA?
DORA seeks to enhance the digital operability and resilience of companies in the financial sector, maintaining consumer and investor confidence in financial markets. As an EU regulation, it is directly applicable across member states without needing to be transposed into national law. DORA establishes a uniform European rulebook for digital resilience and cybersecurity in finance, setting strict requirements to prepare financial institutions for digital disruptions and security incidents.
Why is Digital Resilience Important?
Digital resilience refers to an organisation’s ability to recover from digital attacks and remain adaptable to future threats. Given the rising number of cyberattacks, digital resilience has become a priority.
- Types of attacks: These include theft of IT equipment and data, industrial espionage (both digital and analogue), and sabotage. Cyberattacks account for 72% of total damages.
- Extent of impact: 2023 saw a 72% increase in data breaches since 2021, which held the previous all-time record. Around the world, a data breach cost £4.88 million on average in 2024.
- Origins: Many attacks are attributed to organised crime, particularly from Russia and China.
- International dimension: Security authorities often face challenges in preventing or prosecuting cyberattacks originating abroad. Cybercrime is expected to grow by 15% in 2024, reaching a global total of £10 trillion by the end of 2025.
Concept of “Resilience”
Originally from psychology, resilience describes the capacity of systems to absorb external shocks. In business, it refers to an organisation’s ability to withstand disruptions without compromising essential functions. Since the 1990s, the concept has been applied to businesses, and from 2001, it has become a key term in political science, particularly in relation to terrorism and crime. More recently, it has gained importance in addressing the impacts of climate change.
Objectives and Motivations of DORA
A key objective of DORA is to improve the anticipatory capacity of financial institutions. This involves the early identification of potential crises, incidents, or changes, allowing for proactive preparation and minimisation of negative impacts.
DORA also aims to enhance the resilience of financial institutions, ensuring that basic operations continue during crises to maintain stability and mitigate damage. Furthermore, the regulation focuses on improving recovery capabilities, enabling institutions to bounce back quickly and minimise long-term operational impacts.
What’s New with DORA?
Objective
DORA aims to harmonise European and national standards to strengthen the digital operational resilience of financial service providers and ICT third-party service providers. This harmonisation seeks to establish a robust security level that addresses vulnerabilities in digital infrastructure.
Need for Action
Particular attention is required in ICT risk management, the development of risk strategies, and the mechanisms used by ICT third parties to identify and manage risks.
Challenges
The new DORA regulation presents several challenges, especially regarding the broad subject areas that affect numerous stakeholders in the financial services and ICT sectors. The short implementation timeframe until January 2025 necessitates rapid harmonisation of definitions and finalisation of technical regulatory standards.
Who is Affected by DORA?
DORA is primarily aimed at the European financial system. In the UK it affects all companies regulated by The Financial Conduct Authority, including:
- Banks and insurance companies
- Securities firms (such as brokers)
- Payment service providers, including e-money institutions
- Credit institutions and financial service providers subject to BaFin regulations
Additionally, companies in the ICT sector (i.e. companies from the information and communications technology sector) offering services to the financial market may be classified as critical providers and subject to direct oversight by supervisory authorities. In addition, a central reporting register for incidents or providers will be implemented. This means that all ICT service providers who address the financial services market in Europe should also be aware of the DORA regulation and its effects on their own systems.
Implementation Deadline
Although DORA came into force on 17 January 2023, financial institutions have until 17 January 2025 to comply with the new requirements.
Main Components of DORA
The Digital Operational Resilience Act (DORA) includes several key areas, such as:
- ICT Risk Management: Institutions must implement comprehensive risk management frameworks for ICT-related risks.
- Incident Reporting: Financial institutions must report and document ICT-related incidents, such as cyberattacks or data loss.
- Operational Resilience Testing: Regular testing of digital resilience through penetration testing, scenario analysis, and emergency exercises.
- Third-Party Risk Management: Ensuring sound management of relationships with ICT service providers, including security standards in contracts.
- Monitoring Critical Service Providers: A framework for monitoring critical ICT third-party providers to ensure compliance with security and resilience requirements.
New Requirements Compared to Existing Regulations
DORA introduces new measures and principles compared to existing regulatory requirements, aiming to enhance the digital operational resilience of financial institutions. These new requirements cover various aspects of ICT risk management, third-party management, and the monitoring of critical service providers. Below is an overview of the new requirements under DORA:
1. ICT Risk Management
Financial institutions must implement comprehensive ICT risk management, covering the identification, assessment, monitoring, and mitigation of ICT risks.
2. ICT-related Incidents
Financial institutions are required to report and document ICT-related incidents, such as cyberattacks, data loss, and other security breaches that may affect operational resilience.
3. Testing Digital Operational Resilience
Regular testing of digital operational resilience is mandatory. This includes penetration testing, scenario analyses, and emergency drills to assess resilience against ICT risks.
4. Key Principles for Effective ICT Third-party Risk Management
Financial institutions must ensure that their relationships with third-party providers are well managed. This involves identifying and assessing the risks associated with outsourcing ICT services. Contracts with third parties should include clear provisions regarding the security standards and procedures they must adhere to.
5. Monitoring Framework for Critical ICT Third-party Service Providers
A framework must be established to monitor critical ICT third-party service providers, ensuring their compliance with agreed contractual security and resilience requirements.
6. Information-sharing Agreements (Optional)
Financial institutions may enter into information-sharing agreements with other institutions or authorities to increase awareness of threats and vulnerabilities.
The Role of IT Service Providers in Relation to DORA
IT service providers like d.velop can make a significant contribution to the implementation of the DORA requirements. Their main task is to ensure the DORA readiness of their own products and solutions, so that customers can rely on d.velop systems when reviewing their IT landscapes. After initial consultations with independent experts, d.velop is already well positioned to meet these demands. This reflects our self-image as a European software manufacturer offering a product portfolio that meets the highest regulatory standards. For instance, BaFin, the top regulator of the German financial industry, relies on d.velop solutions across the company.
Frequently Asked Questions (FAQ)
Companies often ask the same questions regarding the new DORA regulation. We have collected and answered the most important ones for you.
What is DORA?
DORA is an EU law designed to strengthen financial institutions’ protection against cyberattacks and IT issues. It outlines rules for secure and resilient financial sector IT systems.
Who does DORA apply to?
DORA applies to all companies in the European financial system, especially those regulated by the Financial Conduct Authority in the UK.
What are the benefits of DORA?
- Enhanced protection against cyberattacks
- Stronger IT systems with fewer outages
- Standardised EU-wide regulations
- Improved management of IT risks
Why is DORA important?
DORA is crucial as it bolsters the security of financial firms’ IT systems, helping to mitigate the rising threat of cyberattacks. In 2023, cybercrime complaints led to £12.5 billion in losses, which is a £2 billion increase from 2022. This is more than triple the amount lost in 2019, even though the number of complaints only doubled in that time.