In a rapidly evolving threat landscape, the European Union has taken a proactive approach to addressing cyber risks in the finance industry by introducing the EU Digital Operational Resilience Act (DORA). DORA aims to establish a unified framework for ICT risk management, incident reporting, resilience testing, threat intelligence sharing, and third-party risk management. DORA compliance will ensure financial entities can continue operations during a cyber attack.
With cyber resilience stress tests commencing in 2024, financial institutions must ensure compliance sooner rather than later.
This article explains what DORA is, its scope, its objectives, and how to meet the DORA compliance requirements.
What is DORA?
The Digital Operational Resilience Act (DORA) is an EU regulation introduced by the European Council to establish technical standards across financial institutions and ICT service providers to strengthen their cybersecurity and operational resilience.
DORA regulation summary
The DORA regulatory framework was brought forward by the European Parliament as an objective Information and Communication Technology (ICT) risk management standard in Europe. Various national regulatory initiatives have been attempted to achieve some semblance of unification, but this has only further fragmented the financial sector's approach to cybersecurity. It works alongside EU regulations, including the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR).
The new regulation aims to replace multiple ICT risk management frameworks, with a single unified approach for mitigating all ICT-related incidents in Europe's financial industry. This is an intentional response to the European Commission’s Digital Finance Strategy.
The DORA standards also aim to bolster operational resilience within the financial industry so that business continuity can be guaranteed even while an organization's ICT suffers disruptions - such as during a cyberattack.
DORA is also forcing Critical ICT Third-Party service providers (CTPPs) to conform to regulatory standards, a requirement that will be supervised by one of the three European Supervisory Authorities (ESAs):
- The European Banking Authority (EBA)
- The European Insurance and Occupational Pensions Authority (EIOPA)
- The European Securities and Markets Authority (ESMA)
Compliance will be assessed through inspections (off-site and on-site), and the request of specific information - such as ICT service details, incident reporting logs, and details of implemented cyber risk defenses.
Why is the DORA legislation important for cybersecurity?
There is an increasing need for operational resilience following the recent proliferation of cyberattacks targeting Europe's financial sector. This is a result of a global rise in cyberattack events.
While cyberattacks cannot be avoided, financial stability in Europe can still be achieved if organizations mitigate the impact of cyber threats on Information and Communication Technology (ICT).
When will the DORA framework come into effect?
On 17 January 2024, the European Council published the final draft of the Regulatory Technical Standards (RTS) under DORA, providing the first set of rules for ICT and third-party risk management and incident classification. Impacted organizations now have until 17 January 2025 to comply with DORA’s requirements.
DORA timeline
Below is a timeline of the key milestones/dates for the DORA legislation:
- 24 September 2020: A draft of the DORA regulation was published by the European Commission.
- 16 January 2023: DORA entered into force, giving in-scope entities a 24-month transitional period for implementation.
- 3 January 2024: The European Central Bank (ECB) announced it will conduct cyber resilience stress tests on 109 directly supervised banks in 2024. This exercise will assess how well banks can respond to and recover from cyber attacks.
- 17 January 2024: The European Council published the final draft of the Regulatory Technical Standards (RTS) under DORA, providing the first set of rules for ICT and third-party risk management and incident classification.
- 17 January 2025: Final deadline for impacted organizations to comply with DORA’s requirements.
DORA requirements: Who must comply?
DORA will impact all financial entities regulated at the European Union level including:
- The Financial Services Industry
- Payment institutions
- Investment firms
- Insurance companies
- Credit rating agencies
- Crypto-asset service providers
- Crowdfunding service providers
- Data analytics and audit services
- Fintech
- Trading venues
- Financial system providers
- Credit institutions
Third-party ICT service providers for financial entities are also within scope of DORA requirements.
What are the penalties for DORA non-compliance?
Penalties for DORA non-compliance are enforceable by designated regulators in each EU member state, known as “competent authorities.” Potential consequences for non-compliance range from administrative fines and remedial measures to public reprimands, withdrawal of authorization, and compensation for damages incurred.
In-scope entities that don’t comply with the DORA are subject to penalty payments of up to 1% of the average daily worldwide turnover in the preceding business year.
What are the DORA pillars of compliance?
There are 5 pillars of DORA compliance requirements, as listed below:
- ICT Risk Management
- ICT Incident Reporting
- Digital Operational Resilience Testing
- Information and Intelligence Sharing
- ICT Third-Party Risk Management
Pillar 1: ICT Risk Management
Financial entities must create and follow an ICT risk management framework supporting a business continuity strategy, recovery policies, and communication strategies.
Establishing a reliable communication channel between key stakeholders and senior management is important. This new requirement builds upon existing guidelines, such as the EBA's guidelines on ICT and security risk management.
Stakeholders will shoulder the responsibility of ensuring business continuity by being involved in the following duties:
- Setting the degree of risk and impact tolerance for ICT disruptions.
- Developing and approving business continuity strategies.
- Developing and approving disaster recovery plans.
- Specifying security controls for all critical assets.
Response and recovery strategies should involve more than just a series of policies. The strict expectation of uninterrupted business operations will require the establishment of Information and Communication Technology redundancies to take over disrupted processes.
The investment into such a system, which should also include backup and restoration networks, will require the input of stakeholders.
Pillar 2: ICT Incident Reporting
DORA guidelines will create a more streamlined channel for reporting major ICT-related incidents, a welcome consolidation of the current multiple reporting requirements.
Reporting trigger events should be reduced and reporting templates will be harmonized.
This is a step towards a completely streamlined reporting channel leading to a single EU-hub instead of multiple National Competent Authorities (NCAs).
The EU-hub will collect all reports of major ICT-related events impacting financial entities. The gathered data will reveal any common vulnerability trends across the financial sector to support the further optimization of ICT resilience and security.
According to the new EU reporting rules, all financial firms must submit a root cause report within one month of a major ICT incident.
Financial entities must implement reliable early warning indicators of ICT disruptions to support timely submission of such reports.
Pillar 3: Digital Operational Resilience Testing
To ensure the reliability of established ICT defenses, financial entities must undergo regular digital operational resilience testing conducted by independent parties - either internal or external.
These regular tests should be included in a digital operational resilience testing program comprising the following details:
- Testing methodologies
- Testing procedures and tools
- Frequency of resilience tests
- Prioritization strategy for testing policies
This isn't a new requirement. Threat-Led Penetration Testing (TLPT) frameworks are currently mandatory for certain Financial Market Infrastructures (FMIs). DORA will expand testing requirements across the financial services sector, increasing the number of entities required to conduct mandatory testing.
The details of these expanded criteria will be outlined by the European Supervisory Authorities (ESAs) in follow-up legislation expected to be published by the end of 2021.
DORA builds upon the cross-border testing recognition process of the voluntary TIBER-EU framework developed by the European Central Bank (ECB). This encourages the mutual recognition of resilience tests across EU member states to reduce duplicate testing.
This could also reduce the complexity and compliance cost of financial entities already undergoing this testing process.
Pillar 4: Information and Threat Intelligence Sharing
DORA will permit and encourage the exchange of cyber threat information between entities within trusted financial communities. The objective of such information sharing is to raise awareness of new cyber threats, reliable data protection solutions, threat intelligence, and operational resilience tactics.
Pillar 5: ICT Third-Party Risk Management
This is probably the most challenging pillar of the DORA. Cloud Service Providers (CSPs) will be forced to comply with regulators if they are classified as 'critical.'
Some of the factors that would classify a Third-Party service provider as critical include:
- Degree of substitutability - Critical CSPs are more difficult to replace in the event of an operational disruption (either occurring internally or in the vendor's environment).
- The number of financial entities relying on the CSP for operational continuity.
Financial entities must have robust contractual arrangements in place with ICT service providers. Such arrangements should cover important functions, such as data protection, audits, and incident management. Entities must also map all their third-party dependencies.
ESAs will monitor the compliance of critical CSPs through both on-site and off-site inspections. Lead overseers could impose a non-compliance fine of up to 1% of daily worldwide turnover.
These compliance requirements will not supersede or replace existing regulations such as the General Data Protection Regulation (GDPR).
It's important to understand that the burden of DORA compliance does not fall entirely on critical third-party providers. Financial services entities must implement third-party risk programs to prevent operational disruptions caused by supply chain attacks and third-party breaches.
DORA compliance checklist
2025 is fast approaching, and financial entities within DORA's scope need to start preparing for its risk management requirements now.
The following DORA compliance checklist will help your organization prepare to meet the DORA requirements.
1. Perform a DORA gap analysis
Impacted organizations should conduct a maturity assessment against DORA's requirements to determine all compliance gaps across ICT systems.
2. Create a remediation roadmap
Put together a roadmap of remediation activities based on assessment findings to address identified gaps.
💡 Compliance tip: ‘The roadmap should include identified actions on a yearly timeline (e.g., divided into quarters), based on action priority and feasibility.’ - Cindy Ruan, Governance Risk and Compliance Specialist
3. Determine if you'll be classified as 'critical.'
ICT third-party providers must determine if they'll fall under the critical category. This will require an evaluation of all the characteristics that define criticality, in accordance with Article 31 of DORA.
Third-party providers that fall under this category must start planning how they will ensure oversight framework compliance - a strategy that could involve the establishment of dedicated regulatory teams and data security software.
Financial firms must also determine which third-party cloud service providers will be classified as critical. Security teams can track the compliance status of these vendors using third-party attack surface monitoring software.
All non-critical vendors should be mapped to alternate outsourcing options in the event of an ICT incident impacting each vendor.
4. Implement a threat-led penetration testing framework (TLPT)
Financial entities not currently implementing TLPT must source independent providers for this service, as per Article 26 of the DORA regulation.
Entities must monitor the activity of the ESAs closely to gain early visibility into the testing requirements as the details become available.
💡 Compliance tip: ‘TLPT is also known as Red Team Testing or “Red Teaming” in the industry. It’s a controlled (and authorized) attempt by ethical hackers to compromise an entity’s systems and overall cyber resilience by simulating the tactics, techniques and procedures (TTPs) of real-life threat actors.’ - Cindy Ruan, Governance Risk and Compliance Specialist
5. Assess incident response and recovery strategies
Current response and recovery strategies must be measured against DORA's requirements with a specific focus on the legislation's incident reporting process under Article 17.
Finance entities will likely need to optimize their current resource allocations and modify their internal reporting channels to align with DORA’s reporting process.
💡 Compliance tip: ‘Test your incident response and disaster recovery plans or strategies by performing tabletop exercises (such as simulating a disaster or incident) to evaluate their effectiveness. The outcomes of the exercises should be documented and reviewed so that organizations can understand how to improve their internal processes.’ - Cindy Ruan, Governance Risk and Compliance Specialist
DORA compliance mapping
The DORA regulatory framework is built around five main pillars: governance, risk management, incident reporting, digital operational resilience testing, and information and intelligence sharing. Both the NIST Cybersecurity Framework (CSF) and ISO 27001 can be mapped to these pillars to help organizations align their cybersecurity and resilience practices with DORA requirements.
UpGuard has developed a DORA maturity assessment workbook that maps relevant controls from the NIST CSF and ISO 27001 to the five main pillars of the DORA.
DORA NIST CSF mapping
The NIST Cybersecurity Framework provides a framework based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations prevent, detect, and respond to cyber threats and cyber attacks, it was designed to improve cybersecurity and risk management communications among internal and external stakeholders.
- ICT Risk Management: The NIST CSF provides a comprehensive approach to identifying, assessing, and managing cybersecurity risk within the Govern Function. This corresponds with the DORA pillar of risk management by emphasizing continuous risk assessment and the implementation of protective measures.
- Incident Response & Reporting: The Respond and Recover Functions focus on response planning, communications, and analysis, which supports DORA's incident reporting pillar by encouraging timely detection and reporting of cybersecurity incidents to relevant stakeholders. It also supports the development of recovery capabilities to ensure organizations have processes in place to restore functions and services.
- Digital Operational Resilience Testing: The Identify and Protect Functions support resilience planning activities including identifying critical assets, capacity planning, and recovery activities. These activities may form part of resilience testing strategies to identify vulnerabilities and enhance cybersecurity measures. This supports DORA's pillar on resilience testing by fostering an environment of regular assessments and adjustments to security practices.
- ICT Third-Party Risk Management: Management of supply chain risks is supported via the Govern, Identify, and Protect functions within the NIST CSF. Subcategories within these Functions align with DORA’s requirements for supply chain risk management and secure best practices with regard to planning and performing due diligence on third parties.
- Information Sharing: The NIST CSF has documented sharing information subcategories to improve cybersecurity practices within the Govern, Identify, Respond, and Recover Functions. These align with DORA’s pillar on information and intelligence sharing by fostering collaboration and sharing of insights on cyber threats and vulnerabilities.
DORA ISO 27001 mapping
ISO 27001 is the leading international standard for regulating data security through a code of practice for information security management. ISO comprises a set of standards covering different aspects of information security including information security management systems, information technology, information security techniques, and information security requirements.
- ICT Risk Management: ISO 27001 requires organizations to assess information security risks and implement appropriate controls to mitigate them, documented within the risk assessment and treatment methodology. This approach is a requirement in Clauses 6 and 8 within the ISO 27001 security standard and is in line with DORA’s requirement for systematic risk management processes to identify, evaluate, monitor, and mitigate information security risks.
- Incident Response & Reporting: ISO 27001 has defined controls for managing information security incidents and improvements, which align with DORA’s incident reporting pillar by ensuring incidents are assessed, documented, and reported in accordance with regulatory and business needs.
- Digital Operational Resilience Testing: ISO 27001 has defined controls which outline requirements for business continuity planning and readiness, which aligns with the focus of this DORA pillar on testing and improving operational resilience.
- ICT Third-Party Risk Management: ISO 27001 has defined controls for managing information security with third parties and suppliers. This supports DORA’s compliance requirements to ensure third-party obligations are managed and defined in agreements and contracts.
- Information Sharing: ISO 27001 has defined several controls relating to sharing information or threat intelligence with external and internal parties. This supports DORA’s requirements for external information-sharing mechanisms.
How UpGuard helps organizations comply with the DORA framework
UpGuard provides automatic compliance mapping and reporting against DORA through NIST CSF and ISO 27001 for you and your vendors. Assess your DORA compliance today. Start your free 7-day trial.