
The DORA regulation

The DORA regulation (Digital Operational Resilience Act) is a key topic for professionals in the financial sector, particularly in the context of regulations and legal requirements.

It is therefore important to understand the most significant aspects related to DORA. Additionally, it is useful to learn about the history of the regulation.

Most importantly, it is essential to know what obligations and requirements arising from DORA you need to be aware of. This is exactly what we will discuss in today’s article.

Furthermore, we will provide some practical tips on interpreting and implementing the regulation.

What is the DORA regulation?

DORA stands for Digital Operational Resilience Act, the EU regulation (Regulation (EU) 2022/2554) on digital operational resilience for the financial sector. It aims to strengthen the financial sector's resilience to threats associated with digital technology. To that end it introduces uniform requirements for ICT risk management, the reporting of ICT-related incidents, resilience testing against cyberattacks, and the management of risk arising from outsourced technology (ICT third-party) services.

History and Purpose of Introducing the DORA Regulation

In 2020, the European Commission presented a legislative proposal to strengthen the financial sector's resilience to digital threats. The main goals and motives behind the introduction of the DORA regulation are:

The regulation entered into force on January 16, 2023, and applies from January 17, 2025. Entities subject to DORA had until that date to prepare for the new requirements.


Photo: kreska_ / Agata Krajewska

Scope of the DORA Regulation: To Whom Does It Apply?

DORA encompasses a wide range of entities in the financial sector, including:

It is worth noting that the scope of DORA also reaches ICT third-party service providers, i.e. the companies that supply technology services to entities in the financial sector. Financial entities must flow DORA's requirements down into their contracts with these providers, and providers designated as critical are placed under a direct EU oversight framework. Compliance is therefore not solely a concern of financial institutions but also of their IT service providers.

Moreover, non-compliance with the obligations arising from DORA can have various consequences for these entities, for example financial penalties or restrictions on conducting business.

Obligations Arising from the DORA Regulation

The obligations arising from the DORA regulation cover a range of actions that entities subject to the regulation must undertake to enhance their resilience against digital threats.

The basic obligations of DORA include, among others:

  • Implementation of an IT risk management strategy. The strategy should be tailored to the specific nature of the entity’s operations.

  • Ensuring an appropriate level of data security. This concerns the protection of personal data as well as confidential information.

  • Conducting regular cyber resilience tests. These tests help verify the effectiveness of security measures.

  • Monitoring and reporting IT incidents. Major ICT-related incidents must be reported to the competent authority, and continuous monitoring enables the entity to respond quickly to threats.

  • Compliance with requirements regarding the outsourcing of technology services. This includes proper risk management when using external service providers.

  • Security documentation. It should be based on identified risks.

What Are the Consequences of Non-Compliance with the DORA Regulation?

The potential consequences of violating the DORA regulation fall into several areas.

  • Primarily, these may include financial penalties. For financial entities, DORA leaves the penalty levels to the member states, so they depend on national law; for ICT third-party providers designated as critical, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover.

  • Additionally, entities may face operational restrictions. These can include suspension or revocation of licenses.

  • Furthermore, there is an obligation to implement corrective actions. These are aimed at addressing any irregularities.

  • Moreover, violating DORA regulations can damage the entity’s reputation. This affects both clients and investors.

Penalties for non-compliance with DORA can be severe. For instance, a bank that fails to conduct the required resilience tests may be fined, and a payment institution that does not ensure an adequate level of data security for its clients may face sanctions.

Therefore, compliance with the obligations arising from the DORA regulation is crucial for all entities in the financial sector as well as technology service providers. Moreover, it helps companies avoid negative legal, financial, and reputational consequences.


How to Meet DORA Requirements: Practical Tips

To comply with the requirements of the DORA regulation, the entities covered by it should take specific actions. First and foremost, an IT risk analysis should be conducted. This identifies potential threats to data security and highlights risks within IT systems.

Next, it is advisable to implement appropriate IT risk management policies and procedures. These should be tailored to the specifics of the business and to the previously identified threats. Equally important is providing regular IT security training for employees. Such training raises awareness of digital threats and also teaches ways to minimize them.

Moreover, regular cyber resilience tests should be conducted. These tests assess the effectiveness of security measures and, if necessary, allow for the implementation of required changes. Additionally, entities should monitor and report IT incidents, enabling a rapid response to threats and minimizing their impact.

Finally, it is important to collaborate with technology service providers. Such collaboration enables effective management of the risks associated with using their services.

But where to start?

To achieve organizational compliance with DORA regulations, the first steps should be:

DORA affects various aspects of the daily operations of the entities it covers. In practice, it has a tangible effect on how companies function:

  1. First, implementing an IT risk management strategy requires continuous monitoring and analysis of potential threats. This makes it possible to better protect IT systems from attacks.

  2. Second, ensuring an appropriate level of data security may require investments in modern technologies. Additionally, employee training in the protection of personal data and confidential information is necessary.

  3. Another aspect is regular cyber resilience testing. These tests allow for the identification of weak points in IT systems and, moreover, enable the implementation of necessary changes to enhance security.

  4. Furthermore, monitoring and reporting IT incidents allows for rapid response to threats, minimizing their impact on the entity’s operations.

  5. Finally, complying with requirements regarding the outsourcing of technology services may lead to changes in the collaboration model with IT providers. It also introduces additional safeguards that reduce the risks associated with using external service providers.

In summary, the DORA regulation introduces a series of important requirements for entities operating in the financial sector. These requirements aim to increase the security of IT systems and protect personal and confidential data. Therefore, properly understanding and fulfilling these requirements is crucial to avoid the negative consequences of non-compliance with DORA.

Do you want to prepare thoroughly and ensure compliance with all requirements?

Contact us. Our experts have many years of experience in information security, risk management, and business continuity, and they support financial entities subject to DORA. They also assist in the subsequent stages of compliance assessment and support reporting on compliance with DORA requirements:

  1. Process analysis in terms of BIA,

  2. Development or updating of ICT risk management,

  3. Creation of process assessment matrices, criticality catalogues, and ICT risks,

  4. Preparation of a summary report for further reporting processes and the development of security documentation.

We collaborate with many leading security solution providers, so we know which automation and support tools can be applied to security in an organization.

Is your organization compliant with DORA?

At Finture, we also provide advisory services to help organizations prepare for the Digital Operational Resilience Act. We conduct BIA (Business Impact Analysis) and define RTO (Recovery Time Objective) and RPO (Recovery Point Objective). Furthermore, we develop procedures based on ISO 31000 and NIST SP 800-53.
