In today’s financial services landscape, digital security and resilience are critical. Financial institutions (FIs) are increasingly targeted by sophisticated cyber threats that can disrupt operations, compromise client data, and damage reputations. For example, denial-of-service attacks targeting FIs grew by 154% from 2022 to 2023, The Wall Street Journal reports, and the number of U.S. data violation cases attributed to financial services cyberattacks rose from 268 to a shocking 744 over the same period, according to Statista.
The European Union (EU) implemented the Digital Operational Resilience Act (DORA) in response to these and other growing security and resilience issues across global markets, including the financial services space. It is a transformative regulatory framework that raises cybersecurity standards across the EU financial services sector, with clear implications for firms in the United States as well.
While DORA was mandated on January 16, 2023, its “go live” date is fast approaching: DORA goes into effect on January 17, 2025. In this article, we illustrate key aspects of the regulation and their practical implications for financial firms, including those in the United States, and we recommend seven techniques to help financial firms prepare their organizations for DORA.
What is DORA?
Enacted to fortify the digital resilience of financial institutions, the Digital Operational Resilience Act (DORA) mandates comprehensive measures to manage information and communication technology (ICT) risks, enhance third-party risk management, and ensure robust reporting capabilities. This regulation is not limited to firms based in Europe; any organization engaging in financial transactions or investment activities involving the EU is subject to its stringent compliance requirements.
Specifically, DORA sets high standards for several operational and security-related activities, such as minimizing downtime, conducting swift root cause analyses, and improving recovery time objectives (RTOs). By codifying essential cyber hygiene practices into law, DORA aims to ensure that financial firms can swiftly and effectively respond to ICT-related incidents, preserving critical functions and maintaining public trust.
The ESAs Release Technical Standards Under DORA
In January 2024, the three European Supervisory Authorities—the EBA, EIOPA, and ESMA, collectively known as the ESAs—published the first final draft technical standards under DORA. The joint final draft technical standards include:
- Regulatory Technical Standards (RTS) on ICT risk management framework and simplified ICT risk management framework;
- RTS on criteria for classifying ICT-related incidents;
- RTS specifying policy on ICT services supporting critical functions by ICT third-party service providers (TPPs); and
- Implementing Technical Standards (ITS) to establish templates for the register of information.
These aim to enhance the digital operational resilience of the EU financial sector by strengthening financial entities’ ICT and third-party risk management and incident reporting frameworks.
Preparing Your Firm For DORA
The regulatory framework is complex, requiring firms to meet stringent requirements in a relatively short timeline. This introduction sets the stage for a deeper dive into the actionable steps firms must take to prepare for DORA, ensuring sustained operational resilience and compliance. Here are the seven actions that firms should take now to prepare.
1. Conduct a Comprehensive Risk Assessment
To comply with DORA, financial firms must understand their potential exposure to ICT risks across critical business functions and processes, such as retail banking, corporate financing, and securities trading. They must also assess the resilience of essential third-party relationships in support of these functions.
By conducting an exhaustive risk assessment well ahead of time, financial institutions can identify any gaps between current security measures and those required by DORA. This exercise is also critical for defining the scope, frequency, and depth of incident response plans needed to comply with DORA.
2. Develop a Comprehensive Incident Response Plan
DORA requires financial institutions to react swiftly and effectively when faced with ICT-related incidents that could compromise the integrity of critical operations, undermine consumer confidence, or adversely impact markets. Firms must develop comprehensive incident response plans that document all necessary actions, responsibilities, procedures, and escalation protocols for different types of events.
To prepare for DORA compliance, firms should review their current incident management practices against best practices found in frameworks such as NIST SP 800-61 and ISO/IEC 27035. This helps identify potential areas for improvement and provides a roadmap for strengthening incident response capabilities ahead of the compliance deadline.
3. Strengthen Third-Party Risk Management
DORA places significant emphasis on third-party risk management, requiring financial institutions to have a robust governance framework that enables effective oversight of risks associated with outsourced services. Firms must exercise due diligence when selecting and managing third parties, taking into account the criticality of functions supported by these entities.
To comply with DORA, firms can review their existing third-party risk management policies and procedures against industry best practices such as those outlined in ISO/IEC 27036, which discusses supplier relationships. This helps identify any gaps and provides guidance on how to strengthen third-party risk management processes.
4. Implement a Robust Cybersecurity Program
DORA requires financial institutions to have a comprehensive, risk-based cybersecurity program that includes measures to prevent, detect, respond to, and recover from information security incidents. Firms must regularly test their cybersecurity controls to ensure they are effective against current and emerging threats.
To comply with DORA, firms should review their current cybersecurity program against industry best practices, such as those outlined in the NIST Cybersecurity Framework. This can help identify any gaps and provide guidance for strengthening cybersecurity capabilities to meet DORA requirements.
5. Establish a Robust Incident Reporting Process
DORA requires financial institutions to report significant ICT-related incidents to their national competent authorities (NCAs) within strict timelines. To comply with this requirement, firms must establish an efficient incident reporting process that enables timely and accurate communication of incidents to the appropriate regulatory bodies.
To prepare for DORA compliance, firms should review their current incident reporting processes against regulatory requirements and industry best practices, such as those outlined in the EBA Guidelines on incident reporting. The right processes can help firms meet reporting deadlines and avoid penalties for non-compliance with DORA.
6. Invest in Resilient ICT Infrastructure
DORA requires financial institutions to have robust, resilient ICT infrastructures that are capable of withstanding disruptions caused by cyber threats, technology failures, or natural disasters. Firms must invest in secure and reliable technologies to support critical business functions and minimize the potential impact of incidents.
To comply with DORA, firms should review their current ICT infrastructure against best practices outlined in frameworks such as ISO/IEC 27001: Information Security Management Systems (ISMS) and NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations. Resilient IT infrastructure can help financial institutions meet DORA requirements and maintain business continuity in the face of disruptions.
7. Train Employees on Cybersecurity Best Practices
DORA requires financial institutions to have a well-trained workforce that understands the importance of cybersecurity and their role in protecting critical operations from cyber threats. Firms must provide regular training on best practices for securely handling sensitive information, detecting social engineering attacks, and responding to incidents.
To comply with DORA, firms should review their current cybersecurity training program against recommendations outlined in industry standards such as ISO/IEC 27002, which describes best practices for information security controls, and NIST SP 800-50, which helps organizations formalize IT security awareness and training. Financial firms can use these resources to strengthen employee cybersecurity knowledge and meet DORA requirements.
DORA Solutions for All Financial Firms
Whether you operate in the European Union, the United States, or both, DORA compliance is a critical concern for your financial institution. By prioritizing the areas outlined in this article, firms can develop robust cybersecurity practices, meet their DORA regulatory obligations, protect their operations, and maintain consumer trust.
Partner with Option One Technologies for DORA Compliance
Ensure your firm is fully prepared for DORA compliance by partnering with Option One Technologies. Reach out to our expert team today to develop a tailored cybersecurity strategy that meets all regulatory requirements and safeguards your operations.