The Digital Operational Resilience Act (DORA) is a significant European Union regulation designed to enhance the digital resilience of the EU’s financial sector. Coming into effect on January 17, 2025, DORA mandates standardized measures for risk management, incident reporting, resilience testing, and oversight of third-party providers, creating a unified approach to cyber resilience across the EU.
Complying with DORA requires substantial investments, careful coordination and significant adaptability, which has posed some challenges for financial institutions and their service providers alike. Let’s unpack some of the key fundamentals around DORA and explain how a cyber risk quantification tool can assist in meeting it, head on.
Why Was DORA Created?
DORA emerged in response to the financial sector’s growing reliance on digital technologies and the corresponding rise in cyber risks, cyberattacks, and IT disruptions that could threaten not only individual institutions but the entire sector’s stability. Part of the EU Digital Finance Package, DORA focuses on operational resilience to protect the sector from IT-related and cyber risks.
Who Does DORA Apply To?
DORA applies to a broad range of financial entities within the EU, including banks, insurance firms, investment firms, credit institutions, payment processors, alternative investment funds, crypto service providers, exchanges, clearing houses, pension funds, and crowdfunding services. It also applies to critical third-party Information and Communications Technology (ICT) service providers like cloud service companies and data centers — even those based outside the EU who serve EU-based financial entities.
What Are DORA’s Requirements?
DORA’s core objective is ensuring financial entities can withstand, respond to, and recover from cyber incidents and IT disruptions. It mandates compliance across risk management, incident reporting, operational resilience testing, third-party risk management, and information sharing.
To comply, financial entities must create robust frameworks for managing ICT-related risks: identify critical ICT assets, implement security measures, and conduct regular vulnerability assessments. They are required to report significant ICT-related incidents to their national competent authorities (NCAs) promptly, allowing regulators to monitor threats and respond effectively. DORA emphasizes resilience testing, such as vulnerability assessments, penetration testing, and simulations, to identify and address weaknesses before they cause real disruptions.
Crucially, financial institutions will have to ensure their third-party providers comply with DORA standards, including through formalized contracts, regular assessments, and resilience standards that align with those of the financial institutions they serve. DORA also encourages the sharing of information on cyber threats among financial institutions, fostering collective intelligence to strengthen the sector’s overall resilience.
Why Is All This Important?
DORA addresses the increasing vulnerability of the financial sector to cyber threats, which have grown in frequency and sophistication: Over the past decade, nearly a fifth of all cyberattacks were aimed at financial firms, with banks being the most vulnerable of all. Incidents targeting banks, insurers, and other financial firms can have far-reaching consequences, threatening the stability of the EU’s economy. DORA aims to create a resilient financial sector that can withstand and recover from such disruptions.
Additionally, DORA unifies regulatory standards across the EU. Previously, individual EU member states had varying regulations for managing cyber risks, leading to fragmented and inconsistent levels of resilience. By establishing a standardized framework, DORA ensures that all financial entities in the EU operate under the same set of rules, creating a level playing field and facilitating cross-border operations within the EU.
Finally, DORA’s comprehensive focus on operational resilience and third-party risk management could set a model for regulatory frameworks in other regions, emphasizing both continuity and robust vendor oversight in a globally connected digital economy.
Complying, However, Is a Challenge
Despite its benefits for the greater good, complying with DORA presents challenges for financial institutions, revolving mainly around costs and workload. Indeed, in surveys that took place during 2024, only a third of financial institutions expressed confidence they could fulfill the regulations by the deadline. Here’s why:
- Implementing DORA’s requirements demands investment in new technology, specialized staff, and ongoing resilience testing, all of which can be costly, particularly for smaller financial institutions and third-party providers.
- DORA’s emphasis on monitoring third-party providers makes compliance not only costly but also complex: Financial institutions must assess and monitor their providers’ resilience, an intricate task when dealing with multiple vendors.
- There’s also a burden on human resources: DORA’s incident reporting requirements could lead to increased workload, particularly during high cyber activity periods. Efficient reporting mechanisms and additional resources may be needed, which can strain operations and divert attention from other critical tasks.
- Adaptation to new resilience testing standards, like threat-led penetration testing, may be challenging for some institutions to implement. Developing internal capabilities or hiring specialists require time and financial resources.
- Finally, DORA introduces new oversight mechanisms that will require close coordination between financial entities and National Competent Authorities (NCAs). Establishing effective reporting protocols and relationships with NCAs will also require extra administrative resources.
How Can a CRQ Tool Help with DORA Compliance?
CYE’s cyber risk quantification platform, Hyver, provides data-driven insights for impactful decision-making and supports compliance across the range of the regulatory framework’s key pillars. It also facilitates effective stakeholder communication with the board and management and assists with building resilience in line with DORA’s regulatory objectives.
Want to learn more about how Hyver can help you comply with DORA? Contact us.
