The Digital Operational Resilience Act (Regulation (EU) 2022/2554) substantially increases the cyber security obligations of financial entities operating in the EU or serving EU customers. In short, every EU financial entity will need to build, document and maintain a robust ICT risk management program and be able to prove it to its supervisor.
What is DORA (The Digital Operational Resilience Act)?
The Digital Operational Resilience Act (DORA) is an EU regulation aimed at strengthening the ICT security and operational resilience of financial entities such as banks, insurance companies and investment firms. DORA harmonizes the rules on digital operational resilience across the financial sector and extends them to the Information and Communication Technology (ICT) third-party service providers that financial entities depend on. DORA entered into force on January 16, 2023 and applies from January 17, 2025.
What entities must comply with DORA?
DORA applies to 20 categories of financial entities, as well as to the ICT third-party service providers that serve them, in the European Union (EU). Some of the covered entity types include:
- Banks
- Insurance companies
- Investment firms
- Crypto-asset service providers
- Payment service providers
- Trading venues (stock exchanges and other trading platforms)
- Fintech companies that fall into one of the regulated categories (e.g. payment or e-money institutions)
- Alternative investment fund managers
- Central counterparties
The EU estimates that over 22,000 businesses may be impacted by DORA requirements. This figure does not include the knock-on impact on ICT service providers, which will have to adjust their own cyber programs and contracts to meet the requirements their financial-sector customers must flow down to them. While DORA primarily applies to EU organizations, it also affects US-based and other non-EU organizations that provide financial services in the EU or supply ICT services to EU financial entities.
What are the penalties for non-compliance?
Entities that are not compliant with DORA's requirements by the January 17, 2025 application date may face supervisory action, administrative penalties and remedial orders. DORA does not fix a single EU-wide fine for financial entities: under Article 50, each Member State's competent authority sets and applies the administrative penalties, which can include financial penalties and public notices, and these can be applied to the entity and, where national law allows, to members of its management body. The one monetary figure fixed in the Regulation itself applies to critical ICT third-party service providers: the Lead Overseer may impose a periodic penalty payment of up to 1% of the provider's average daily worldwide turnover for each day of non-compliance with its decisions (Article 35). Figures such as "2% of worldwide turnover" or a "EUR 1,000,000 fine for individuals" that circulate in commentary are not set out in DORA's text; check the implementing law of the Member State whose authority supervises you.
What are the key cyber requirements of DORA?
DORA requires financial entities to manage ICT risk so that they can withstand, respond to and recover from ICT-related disruptions and threats, not merely to protect customer data (data protection remains the domain of GDPR). DORA consolidates ICT risk rules that were previously scattered across sector-specific EU legislation and supervisory guidelines into a single, cohesive regulatory framework. In intent it is loosely comparable to the GLBA Safeguards Rule in the United States, although DORA is considerably more prescriptive.
DORA Covers Six Key Areas of Cyber Resilience
ICT Risk Management – Organizations must establish and maintain an ICT risk management framework, approved and overseen by the management body, that identifies, prioritizes and treats information security risk across all ICT assets, including identification, protection, detection, response and recovery capabilities. A critical focus of DORA is the risk introduced by third-party service providers (TPSPs).
Digital Operational Resilience Testing – DORA requires organizations to test their ICT systems and controls on an ongoing basis, at least annually for systems supporting critical or important functions. The basic test set includes, at a minimum, vulnerability assessments and scans and penetration testing, alongside reviews such as source code review, scenario-based testing and gap analysis. Entities that their supervisor identifies as significant must additionally carry out threat-led penetration testing (TLPT) at least every three years, performed against live production systems and including relevant ICT third-party providers. Findings from all tests must be tracked to remediation, and internal cyber controls must be monitored continuously between tests.
Third Party Risk Management – DORA requires organizations to establish and manage an ICT third-party risk management program. This program must include pre-contract and ongoing due diligence on the cyber risk of third-party service providers, concentration-risk analysis, and exit strategies for providers supporting critical or important functions. Entities must also maintain a register of information covering all contractual arrangements with ICT third-party providers and make it available to their competent authority on request. The Regulation further requires organizations to review and, where needed, renegotiate service provider contracts so that they contain the mandatory provisions of Article 30 (service descriptions and locations, data protection and availability terms, incident assistance, cooperation with authorities, audit and access rights, and termination rights), pushing DORA obligations down the supply chain.
Note: DORA establishes a separate oversight regime for ICT third-party providers that the European Supervisory Authorities designate as "critical". Each critical provider is assigned a Lead Overseer with powers to request information, conduct investigations and inspections, issue recommendations and impose periodic penalty payments.
ICT-Related Incident Management – DORA requires organizations to develop and maintain an incident management, response and recovery process. This includes a complete set of written security policies, procedures and plans that support detection, handling, notification and recovery, plus business continuity and backup arrangements that are tested regularly. Organizations must classify incidents according to DORA's criteria (Article 18), which include the number of clients and counterparties affected, duration and service downtime, geographic spread, data losses, criticality of the services affected and economic impact, and must report incidents classified as major to their competent authority through a staged process of an initial notification, an intermediate report and a final report within the deadlines set by the technical standards.
Information Sharing – DORA (Article 45) encourages financial entities to exchange cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, and security alerts, through information-sharing arrangements that protect the confidentiality of the data and the participants. Participation is voluntary, but entities must notify their competent authority when they join or leave such an arrangement. In the United States, sector information sharing and analysis centers such as FS-ISAC serve a comparable purpose for critical infrastructure. Where sector-wide arrangements do not yet exist, they will likely take months to establish.
Technical Standards – As part of the DORA rollout, the European Supervisory Authorities (EBA, EIOPA and ESMA) have been drafting Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that add detail to the Regulation's requirements, for example on the ICT risk management framework, incident classification and reporting templates, the register of information, subcontracting of critical functions and threat-led penetration testing. The technical controls they expect are broadly aligned with established industry practice such as ISO/IEC 27002 and the NIST Cybersecurity Framework in the United States, so organizations that already map to those frameworks have a head start.
Streamline DORA Compliance
Organizations can substantially reduce the cost and time of DORA compliance by leveraging compliance automation tools such as ComplianceShield. Some examples include:
DORA Control Library – Quickly establish an information security control framework that addresses all key cyber requirements of DORA. Every control is linked to the cyber risks it treats and to the security policies that mandate it, which simplifies demonstrating coverage to a supervisor.
Security Policy Template Library – ComplianceShield contains a complete library of information security policies that address all key elements of DORA.
ICT Risk Management – The ComplianceShield Risk Wizard enables organizations to quickly develop an ICT risk management program that complies with the key DORA requirements.
Third Party Vendor Oversight – ComplianceShield offers a complete vendor risk management program. Organizations can quickly define, document and implement a TPRM program using pre-built policies, vendor assessments and third-party assessment automation.
Incident Response and Recovery – ComplianceShield supports incident tracking and resolution, including an incident response policy template and the related incident response procedures.
A free trial of ComplianceShield is available for any organization that must comply with DORA.