Understanding the Digital Operational Resilience Act (DORA)

Category: News
Published: 10th June 2024


The Digital Operational Resilience Act (DORA) was proposed by the European Commission in September 2020 and will apply from 17th January 2025. It is essential that financial organisations start preparing now to ensure they are compliant when 2025 arrives.


DORA’s objectives

DORA aims to strengthen the security of the financial sector in Europe by ensuring that banks, insurance companies and investment firms are resilient against cyberattacks and incidents. The legislation covers ICT risk management, ICT third-party risk management, digital operational resilience testing, ICT-related incidents, information sharing, and an oversight framework for critical ICT third-party providers. To be compliant with DORA you must anticipate and mitigate reasonably identifiable issues, such as business email compromise. Therefore, having DMARC at reject status, enhanced inbound security with email threat detection, security awareness training for staff, and utilising spoof domain recognition is now an essential requirement.
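"DMARC at reject status" is a checkable control. The following is an added example (not code from the page or from any vendor it mentions) that evaluates a DMARC TXT record against that bar; the three records are constructed, and a live check would first fetch the TXT record at `_dmarc.<domain>` rather than use these strings.

```python
# Constructed sample DMARC TXT records for the example; not real domains' records.
SAMPLE_RECORDS = {
    "example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    "bank.test": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@bank.test",
    "partial.test": "v=DMARC1; p=quarantine; pct=50; sp=none",
}


def parse_dmarc(record):
    """Split a DMARC record ("tag=value; tag=value") into a dict of lowercased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (ok, findings); ok is True only if reject is enforced for the whole domain."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["missing or invalid v=DMARC1 tag"]
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected")
    # sp= defaults to the p= value when absent; a weaker sp= leaves subdomains spoofable
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains are not protected by reject")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only part of failing mail")
    if not tags.get("rua"):
        findings.append("no rua= aggregate reporting address, so abuse goes unseen")
    return (not findings), findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        ok, findings = assess_dmarc(record)
        print(domain, "OK" if ok else "FAIL", findings)
```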


DORA’s Scope

DORA applies to financial organisations and the third-party vendors in their supply chain. This means that even if you are not in the financial industry, DORA will likely still impact you. The supply chain links span many different industries, so third-party vendors such as ICT vendors, data centres, and providers of digital services will also have to be DORA compliant.

The reason that DORA also applies to third-party vendors is that the financial services sector is highly interconnected, meaning that issues within one organisation can have widespread effects. In November 2023, the Bank of America fell victim to a data breach after their supply chain was hacked via their IT consulting and service provider. It is thought that over 57,000 pieces of personal data, including social security numbers and bank details, were exposed. As financial institutions possess massive amounts of personal data such as dates of birth, addresses, account numbers, security questions, and national insurance numbers, it is vital to secure the supply chain.


Key requirements under DORA

One of the key requirements under DORA is ICT risk management. There need to be consistent risk assessments and regular testing across the industry. This goes beyond the financial organisation itself to its third-party suppliers: organisations must review not only their own risk factors but also those of their supply chain. Beyond the original testing, there needs to be a clear way for staff to report ICT-related incidents. These incidents need to be categorised, investigated, and followed up, and any major incidents should be passed on to the relevant authority.

Another significant requirement of DORA is that the financial industry must now carry out advanced penetration testing every three years, and annual testing of essential ICT systems and applications, as a minimum. This testing does not need to be done internally if the organisation does not have the resources. There are external parties who will run the testing and generate comprehensive reports giving full visibility of an organisation's risks and vulnerabilities. The legislation also aims to encourage the industry to share knowledge where possible, to increase resilience industry-wide.


Global Implications

Despite DORA being European legislation, it will have implications globally, as any business with offices in the EU or that operates in the EU market must comply with DORA, no matter where the organisation is based. The legislation mandates that businesses identify and address any reasonably identifiable circumstances that could compromise their digital operational security, and have safeguarding practices in place to mitigate cyber risks.


Why you should comply with DORA now

By complying with DORA, businesses can strengthen their supply chains and ensure resilience against cyberattacks. Despite the regulations not being enforced until January 2025, the DORA regulations are best practice, and a lack of compliance leaves you vulnerable. Non-compliance with DORA come January 2025 will lead to severe consequences, including damage to your brand and reputation; the designated regulators will also be enforcing regulatory fines that could be up to 2% of your annual worldwide turnover or 1% of your daily average turnover worldwide, as well as criminal sanctions and litigation. So it is essential that organisations make themselves DORA compliant as soon as possible, as there are only 6 months left before the requirement becomes legislation. Even if you think DORA does not apply to you, double check: DORA spans all UK businesses that supply an EU financial institution in any form.


The responsibility for compliance lies with board members and directors, who must understand and mitigate risks effectively. By adhering to DORA’s provisions, businesses can protect their operations, secure sensitive data, and maintain continuity in an increasingly digital world. Preparing for DORA now will ensure compliance and safeguard your organisation against the significant risks posed by cyber threats.