If you’re looking for answers to all your DORA questions, then this ‘Introduction to DORA’ is just for you.
As security compliance specialists who have worked in the financial sector for over 20 years, we know how painful it can be for companies to adopt a new regulation. With so much conflicting information online, we created this introduction to answer the ‘Who, What and Why’ questions of the Digital Operational Resilience Act (DORA).
So let’s dive in…
What is DORA?
The Digital Operational Resilience Act (DORA) is an EU regulation that introduces a uniform information security framework for regulated companies operating in the financial sector and companies supplying technical services to those financial entities.
The standardised framework aims to prevent cyber threats whilst strengthening the financial sector’s resilience to ICT (information and communication technology) related incidents. The aim is that organisations in the sector can withstand, respond to and recover from incidents whilst minimising the impact on critical and important business functions. As a consequence, DORA places great emphasis on controls to prevent incidents and on operational resilience testing to minimise the impact of incidents that do occur.
Similar to existing information security standards such as ISO 27001, NIST and SOC 2, DORA outlines a risk management process. However, whilst the aforementioned are optional standards, DORA is legislation: it entered into force across the EU on 16 January 2023 and will apply as of 17 January 2025.
Non-compliance with DORA may result in significant fines, which is why the legislation is being likened to GDPR.
Why has DORA been introduced?
The EU is concerned that, whilst financial risk management has improved since the financial crisis, the same is not true for information security risk management. Cyber security threats have increased and, although guidelines have been issued by authorities including the EBA, until now there has not been a single standard in place for all financial entities operating in the EU.
By introducing a single consistent supervisory approach across a wide range of financial market participants, DORA ensures convergence and harmonisation of security and resilience practices across organisations operating in the European Union (EU). DORA also goes further by introducing legislation, clear accountability, more detailed requirements and significant fines for non-compliance.
ICT operational resilience and outsourcing risk have been on the agenda of global regulators for many years, with a particular concern about the increasing interconnectivity and concentration risks that have formed due to significant reliance on key third-party solutions.
The following quote from DORA highlights this point:
“The European Systemic Risk Board (ESRB) reaffirmed in a 2020 report addressing systemic cyber risk how the existing high level of interconnectedness across financial entities, financial markets and financial market infrastructures, and particularly the interdependencies of their ICT systems, could constitute a systemic vulnerability because localised cyber incidents could quickly spread from any of the approximately 22 000 Union financial entities to the entire financial system, unhindered by geographical boundaries. Serious ICT breaches that occur in the financial sector do not merely affect financial entities taken in isolation. They also smooth the way for the propagation of localised vulnerabilities across the financial transmission channels and potentially trigger adverse consequences for the stability of the Union’s financial system, such as generating liquidity runs and an overall loss of confidence and trust in financial markets”
DORA’s timeline
16th Jan 2023
DORA has already entered into force
17th Jan 2024
A number of Final Reports on draft Regulatory Technical Standards (RTS) were released providing guidance on the implementation of DORA
17th Jul 2024
Additional Regulatory Technical Standards (RTS) are due to be released providing additional guidance on areas including, but not limited to, the format of reports for major incidents and the criteria used to designate third-party service providers as critical (CTPPs)
17th Jan 2025
Organisations have been granted a transition period until January 2025 to achieve full compliance
Does my business have to comply with DORA legislation?
Who does DORA apply to?
DORA applies to more than 22,000 regulated financial entities and ICT third-party service providers (TPSPs) operating within the European Union and extends to many organisations delivering technology services from outside the EU.
Regulated companies in scope include: credit institutions, payment institutions, account information service providers, electronic money institutions, investment companies, insurance companies, crypto-asset service providers, exchanges and clearing houses, alternative fund managers, pension and credit rating agencies.
While the rules cover all financial entities, their applicability will depend on the size of the entity, its activity and the overall risk to which it is subjected. Further details on the scope can be found here.
How can Adoptech prepare your company for DORA?
Expertise
Adoptech professionals offer extensive expertise in compliance, legal, information security, operational resilience and third-party risk management to both the financial sector and ICT providers. The team offers comprehensive solutions to help companies navigate the complexities of DORA implementation and establish robust frameworks for ongoing compliance and resilience.
Our services are underpinned by secure, state-of-the-art technology solutions that ensure ongoing compliance is effective and efficient.
Automation
We believe that the future of compliance is automated. The founding team spent many years automating trading flows and building automated RegTech solutions. The same approach, combining a technology-first mindset with expertise, is being applied to DORA.
Within our platform, users can conduct a gap analysis, define roles and responsibilities, assign tasks, monitor risks, track controls, oversee third parties, and generate the various mandatory DORA reports and policies.
Audit & Compliance
Demonstrate your organisation’s commitment to digital operational resilience and provide valuable insights and assurance to senior management, regulators and stakeholders with a comprehensive DORA report.
Trusted audit companies conduct an independent audit covering the five areas of DORA, generating a detailed DORA audit report. This independent report, along with the annual review on ICT risk management, forms a robust demonstration of your organisation’s dedication to DORA compliance.
Insights & Value
Cost-effectiveness. Although an audit has a cost, consider the potential cost of a data breach. In 2021, a single data breach cost, on average, $4.2 million, a figure that continues to rise annually.
Regulatory compliance. Unlike SOC 2, ISO 27001, and NIST compliance, DORA compliance is mandatory by law. Non-compliance can lead to substantial fines. Critical third-party technology providers can face fines of up to 1% of their average daily worldwide turnover, per day until compliance is achieved, with fines possible for up to six months.
Peace of mind. Successfully passing a DORA audit provides assurance that your organisation has implemented controls to ensure operational resilience, safeguarding your business and customer data.
Customer demand. Protecting data from unauthorised access is a priority for your clients, so having a DORA report can help build trust with customers, whether you are a financial institution or a fintech.
A DORA report offers valuable insights into your organisation’s risk and security posture, management of third-party risks, governance of internal controls, readiness for incidents and more.
Where can I learn more?
If you want to know more about the DORA regulations and understand how you can automate compliance through the Adoptech compliance platform, contact us today.
The Regulation’s official reference is Regulation (EU) 2022/2554.
The text of the regulation is available from here.
A more user-friendly, hyperlinked, and searchable (unofficial) version has been published here.