The Digital Operational Resilience Act (DORA)

The latest update on this EU cybersecurity legislation for financial organisations

Chris Heighes | Senior Consultant at URM | Published on 22 Feb 2024

Background

The European Union (EU) has a wide range of regulations and directives which are regularly updated and expanded.  Currently, an area of particular focus is the regulations and directives associated with cyber security.  Although the UK is no longer in the EU and, therefore, drafts its own cyber security legislation, EU legislation is still potentially applicable to organisations if they have offices or do business within the EU.  So, for many organisations, it is important to understand the nature of new and updated EU legislation and how it applies to their business and industry sector.

One example of new EU cybersecurity legislation is the Digital Operational Resilience Act (DORA) which was formally approved by the European Parliament in November 2022 and becomes enforceable in January 2025.

What Is DORA?

Financial organisations have traditionally managed much of their operational risk via measures that ensure they are financially sound, and there are multiple EU and member state laws and regulations that help govern and assure this.  However, information and communications technology (ICT) incidents and inadequate operational resilience also have the potential to severely disrupt financial organisations even if they have adequate capital to mitigate most types of financial risk.  

DORA is the EU’s response to addressing this issue.  The Act requires financial organisations and associated critical ICT service providers to implement processes to limit the impact and likelihood of risks associated with ICT incidents.  DORA has been designed to be applicable to a wide range of organisations in the financial sector including banks, insurance companies, investment firms, pension companies and credit rating agencies operating within the EU as well as the ICT service providers that support them.

The Structure of DORA

DORA has five core pillars relating to ICT and cybersecurity which aim to provide a comprehensive digital resiliency framework for financial organisations.  These five core pillars can be summarised as follows:

Five Core Pillars of DORA

ICT risk management and governance

This pillar requires you to develop a comprehensive risk management framework that should include:

  • Identifying and classifying critical ICT assets and their dependencies
  • Ensuring ICT systems are appropriately resilient
  • Proactively monitoring ICT risks to enable preventative and protective measures to be implemented
  • Implementing measures to detect anomalous activities
  • Implementing business continuity and disaster recovery policies and plans
  • Establishing procedures to review and learn from external ICT events as well as the organisation’s own ICT incidents.

ICT-related incident reporting

DORA requires you to implement processes to monitor, document and classify ICT-related incidents.  It also requires you to ensure incidents are appropriately reported to the relevant authorities and that initial, intermediate, and final ICT incident reports are submitted to the organisation’s users and clients.

Digital operational resilience testing

This pillar requires you to ensure ICT resilience is periodically tested, and any identified issues resolved.  The extent of this testing needs to be appropriate to the organisation’s size, business, and risk profile.  Periodic threat-led penetration testing is also required if organisations have a high level of risk exposure.

ICT third-party risk

DORA requires you to ensure that ICT services delivered by third parties are:

  • Managed and monitored in a consistent and comprehensive manner
  • Governed by appropriately detailed contractual documentation
  • Assessed for risk and that any identified risks are effectively managed.

Information sharing

DORA recommends that you collaborate with trusted communities of other financial organisations to securely share information to help:

  • Improve organisations’ digital operational resilience
  • Raise awareness of ICT risks and threats
  • Support organisations’ cybersecurity strategies and procedures.

It should be noted that if your organisation is already conformant to ISO 27001 (the International Standard for Information Security Management Systems) and/or ISO 22301 (the International Standard for Business Continuity Management Systems), you should already be meeting many of DORA’s broad requirements.  However, DORA has a number of very specific requirements that are being formalised in a set of standards documentation (see below), so if yours is a financial organisation and you believe it may fall in scope of the Act, you will be well advised to conduct a gap analysis to check your current processes’ compliance with DORA and implement a program to resolve any identified issues.

If your organisation is an ICT service provider that has been designated as critical by the European Supervisory Authorities (ESAs), the regulators that oversee the EU financial system, you will also need to conduct an in-depth assessment of DORA obligations as it is likely that contractual requirements around such areas as allowing your financial clients unrestricted right of access, inspection and audit may prove challenging.

What is DORA’s Current Status?

As already mentioned, DORA becomes enforceable in January 2025. However, it is very important to understand that at the time of writing (February 2024), key details of the regulations are still being determined by the European Commission.

The ESAs have just published draft regulatory technical standards (RTS) and implementing technical standards (ITS) for formal review by the European Commission.  These standards provide specific details on how DORA’s core pillars should be implemented.  For example, there is an RTS which specifies the structure of both a general and a simplified ICT risk management framework, an RTS that specifies the ICT-related incident classification scheme, and an RTS that specifies how ICT third-party service providers should be managed.

In addition to this, an ITS has been drafted which specifies the ICT service provider documentation that should be maintained by financial organisations.  This ITS is likely to be crucial to the European Commission in helping it to determine which service providers are going to be in scope of the oversight framework it is required to implement by DORA.

This means that currently, although we have a good understanding of DORA’s broad requirements and how international standards such as ISO 27001 and ISO 22301 could help to meet these, until the European Commission formally approves and publishes the RTSs and ITSs we cannot be entirely certain of exactly how DORA’s core pillars will need to be implemented.

So, watch this space!

DORA Enforcement

Once the January 2025 enforcement deadline is reached, enforcement will fall to designated regulators in each EU member state.  These designated regulators (known as competent authorities) will be able to request that financial organisations take specific security measures and remediate vulnerabilities.  EU member states will also be able to impose administrative and criminal penalties on organisations that fail to comply. The nature of these penalties will be decided by each member state.  

ICT service providers classified as critical by the European Commission will be directly supervised by the ESAs.  Like competent authorities, the ESAs will be able to request that financial organisations take specific security measures and remediate vulnerabilities.  ESAs will be able to fine non-compliant ICT service providers up to 1% of their average daily worldwide turnover.

How URM can Help

URM’s experience in helping organisations comply with and certify against information security, business continuity and cyber security legislation, regulations and standards is second to none.  As such, we are ideally placed to assist your organisation in its compliance with DORA, for example by conducting gap analyses.  Having led over 400 successful certification projects to ISO 27001 and ISO 22301, without a single failed certification, we have both the track record and expert knowledge necessary to help guide your organisation as it navigates compliance with this new legislation.

Chris Heighes
Senior Consultant at URM
Chris is a Senior Consultant at URM who has worked in IT for over 30 years, with more than 14 years’ experience in information security. He is a Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Payment Card Industry Qualified Security Assessor (PCI QSA), ISO 9001 Certified Lead Auditor and an ISO 27001 Certified Lead Implementer.