
Understanding and Implementing the Digital Resilience Act (DORA)

Learn more about the Digital Resilience Act (DORA) and why organisations should align with this regulation issued by the European Commission. 


What is the Digital Resilience Act (DORA)? 

DORA, the Digital Operational Resilience Act (REGULATION (EU) 2022/2554, together with DIRECTIVE (EU) 2022/2556), is a regulation issued by the European Commission that takes effect in January 2025. It aims to enhance the digital operational resilience of the financial sector, ensuring that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats.

It entered into force on January 16th, 2023, and will apply as of January 17th, 2025. This means that financial entities and ICT service providers must comply with its requirements by that date. 

DORA sets out a common framework for managing, testing, and reporting on the ICT (Information and Communication Technology) risks that financial entities face. This includes principles and requirements on ICT risk management frameworks, ICT third-party risk management, and digital operational resilience testing.

DORA also establishes oversight and cooperation mechanisms for ICT service providers, including cloud computing, software, and data providers. These mechanisms focus on monitoring third-party risk and on ensuring that key contractual provisions are in place.

Why should you align with DORA regulations? 

Non-compliance with DORA carries substantial penalties, making it imperative for financial institutions to ensure their operational resilience.   

Financial institutions could face fines up to 2% of their total annual worldwide turnover or up to 1% of the company’s average daily turnover worldwide.  

Individuals could also face fines of up to €1,000,000.  

Other potential consequences may include remedial measures, public reprimands, withdrawal of authorisation, compensation for damages, etc. 

Aligning with DORA requirements is not only a legal obligation for financial entities operating within the EU, but also offers a strategic advantage.  

By adhering to DORA, financial entities demonstrate a strong commitment to digital operational resilience. This reduces the likelihood and impact of disruptions to operations and services, ensures strong and efficient processes for managing ICT risks, helps prevent and mitigate cyberattacks and other disruptions, and maintains the quality and continuity of their services.

Compliance also brings operational efficiencies, cost savings, and a competitive advantage in the industry.

Moreover, being aligned with DORA enhances trust and confidence from customers, regulators, and partners, boosting reputation and competitiveness in the market. It also fosters consumer confidence by protecting their financial assets and minimising systemic risk. 

Scope and applicability 

DORA applies to a wide range of financial entities operating in the EU, including but not limited to banks, insurance companies, investment firms, payment service providers, and crypto-asset service providers.

It also encompasses market infrastructures and ICT service providers that offer essential services to these financial entities, such as cloud computing, software, and data analytics. Both financial entities and ICT service providers must comply with rules and standards regarding ICT risk management, incident reporting, testing, and oversight. 

[Figure: DORA - Impact]

DORA’s 5 key pillars

[Figure: DORA - 5 pillars]

DORA is based on five key pillars that cover the main aspects of digital resilience.  

These are: 

ICT Risk Management: Financial entities and their ICT service providers must establish and implement sound and effective ICT risk management frameworks, policies, and procedures, as well as allocate adequate resources and staff for this purpose.  

This pillar promotes a risk-based approach, requiring regular risk identification, follow-up, and protection mechanisms to minimize the impact of ICT risks. 

ICT-related incident reporting: DORA requires the implementation of an effective incident management process. Financial entities, and by extension their ICT service providers, need to ensure consistent monitoring, handling, and follow-up of ICT-related incidents.

They must identify root causes, prevent incidents from recurring, and report any major incident to the relevant competent authorities within a specified timeframe and format.

The reporting time limits are: an initial notification within 4 hours after classification of the incident and within 24 hours after its detection; 72 hours for an intermediate report; and 1 month for the final report.

Testing of operational resilience: Financial entities and their ICT service providers must conduct regular testing of their ICT systems and tools, using scenarios that reflect realistic and severe threats and vulnerabilities to assess protections and identify potential weaknesses.

At least every three years, critical functions and services need advanced penetration tests, such as Threat-Led Penetration Tests (TLPT), tailored to the specific threats each financial entity faces.

ICT Third-party Risk Management: DORA sets out detailed protocols for the entire lifecycle management of ICT third-party providers, from the onset of contractual agreements to their conclusion.  

Financial institutions are obliged to conduct a rigorous selection and evaluation of their ICT providers, ensuring comprehensive due diligence and effective management of the risks inherent in outsourcing essential IT services. Key requirements include preliminary assessments prior to contracting, adherence to supervisory conditions, continuous risk evaluations, rights to audit, and explicit conditions for service termination.  

These provisions, central to DORA’s framework, are expected to be the most demanding in terms of implementation. Their primary objective is to prevent any disruption or degradation in the quality of financial services due to the involvement of ICT third-party providers.

Information sharing agreements: DORA encourages financial entities and ICT service providers to form communities and share cyber threat information, and promotes the exchange of indicators, tactics, techniques, and procedures to prevent and recover from cyber threats.

Financial entities are required to establish information sharing agreements focused on enhancing digital operational resilience and increasing awareness of cyber threats. DORA demands that all EU operations maintain a steady level of ICT and cyber resilience maturity. Some actions need to be taken in advance, such as conducting thorough gap assessments as soon as possible and measuring maturity against DORA to identify the areas that require more investment and priority.

Strategies for the Effective Implementation of DORA 

Implementing DORA requires a holistic and coordinated approach that involves a broad spectrum of stakeholders including executive leadership, ICT personnel, compliance and risk management teams, auditors, and regulatory bodies.  

The following are essential steps to ensure alignment with DORA’s objectives:  

Gap Analysis: Undertake a thorough analysis to assess the current state of ICT risk management and pinpoint the areas requiring enhancement. 

Developing an Action Plan: Craft a tailored action plan to bridge identified gaps and achieve compliance with DORA’s stipulations, considering the unique characteristics and requirements of each financial institution and ICT service provider.  

Implementing the Action Plan: Proceed to update or develop new ICT risk management frameworks, policies, and protocols. This includes conducting ICT risk assessments and testing, establishing enhanced ICT incident reporting and escalation processes, revising and renegotiating contracts and oversight mechanisms with ICT third-party providers, and fostering information sharing and cooperation networks and platforms.

Ongoing Monitoring and Reviewing: Maintain tracking of implementation progress and the effectiveness of ICT risk management measures, systematically reporting outcomes and insights to all relevant stakeholders. 

Accesa’s Implementation Approach to DORA 

Accesa is dedicated to assisting financial entities in achieving compliance with the Digital Operational Resilience Act (DORA).  

Our approach begins with a detailed gap analysis to ensure alignment with DORA requirements, focusing on its five pillars. We have established a DORA Compliance Team comprising stakeholders from all relevant functions, including IT & Information Security, Client Partners and Delivery, Compliance, Risk, Legal, etc. This team is developing a DORA Roadmap that outlines timelines and milestones, with monthly updates on progress.

To evaluate DORA's impact on our services, we have created dedicated checklists for projects involving our clients in the financial industry, integrated them into our daily business operations, and prioritised them for relevant projects. As part of this, we maintain a comprehensive inventory of all services provided to financial entities, detailing the information and ICT assets involved.

We are ready to align our policies and procedures with our clients’ policies and processes to ensure compliance with DORA and our clients’ requirements. We can assist our clients in performing risk assessments for significant changes in network and information systems that affect ICT-supported business functions or assets.

Additionally, we can map the configurations and interdependencies of critical information and ICT assets used in our services to financial entities. Aligning backup, restoration, and recovery procedures with our clients’ requirements is a priority for us, based on our project inventory.  

We also ensure that our business continuity policies and plans are in sync with those of our clients and are periodically tested. As part of our resilience measures, depending on the defined criticality of the functions, we can provide consulting and implementation services to ensure that our customers are compliant. 

Our Security Incident Management Policy and the related incident reporting and management processes have been enhanced to meet DORA and client standards, with incident classification criteria for priority assessment.

We have established a Security Communication Policy that includes DORA requirements, and we are enhancing our due diligence process to manage ICT third-party risks throughout the service lifecycle. Contracts with IT partners are amended to ensure service continuity in case of early termination and to establish back-to-back contractual arrangements related to DORA. 

Our structured approach ensures that our clients in the financial sector will be well-prepared for DORA compliance, minimising risks and enhancing operational resilience.  

The partnership with Accesa will ensure seamless and effective navigation through DORA’s requirements for our clients.