The Digital Operational Resilience Act (DORA) is the EU law on digital operational resilience for financial entities. DORA aims to achieve a uniform high level of digital resilience across the EU. It sets out uniform requirements for information networks and systems that support financial business processes.
DORA mandates comprehensive requirements for protection, detection, isolation, recovery, and remediation when a security incident occurs. Additionally, the framework includes thorough risk and incident management, sharing of cyber threats and vulnerabilities, stipulations for resilience testing, and the obligation to report incidents to the relevant authorities.
We have published the DORA requirements framework for Cyberday in autumn 2024 - you can activate it from the "edit frameworks" section of the Organisation dashboard. In this blog, we'll take a more comprehensive look at what DORA is and what it contains, who the requirements framework actually applies to, and take a peek at what DORA looks like inside Cyberday. So let's get started!
Introduction to the DORA Cybersecurity Framework
As the digital landscape continues to expand, the financial sector faces relentless pressure to safeguard against cyber threats. Enter the Digital Operational Resilience Act, a legislative effort introduced by the European Union to fortify the cyber resilience of financial institutions. Established on December 14, 2022, DORA marks a fundamental shift in how financial entities are required to manage digital threats.
DORA shows that financial institutions need to focus on operational risks, and not just financial ones. DORA isn’t just another rule to follow—it's a chance for financial companies to boost their digital defenses. By putting DORA into practice, financial institutions can standardize their response to IT breakdowns or cyber attacks, making the financial system stronger and more resilient.
The countdown to DORA is ongoing, as the Act is set to apply from January 17, 2025. As organizations gear up to meet these critical requirements, they have a vital opportunity to refine and elevate their cybersecurity measures. By taking a proactive stance, they not only ensure regulatory compliance but also reinforce trust and stability across the digital terrain. Embracing DORA means understanding its details and improving defenses against cyber threats.
Scope of DORA: Who is Affected?
The scope of DORA encompasses a wide range of financial entities operating within the European Union, and also includes certain non-EU entities. Its goal is to ensure that these entities can withstand, respond to, and recover from all types of Information and Communication Technology (ICT) disruptions and threats. Here’s a more detailed breakdown of DORA’s scope:
- Financial Entities: DORA specifically focuses on financial services entities within the EU, including banks, payment institutions, e-money firms, investment entities, insurers, and even crypto-asset companies. Its aim is to ensure these institutions are well-prepared against ICT disruptions. By broadening its scope, DORA brings previously unregulated participants like crypto-asset service providers under its purview, ensuring comprehensive protection across the board.
- ICT Service Providers: DORA also covers third-party ICT service providers that provide critical services to financial entities. Companies offering Information and Communication Technology services, including cloud services, are under DORA’s lens. These providers must adhere to stringent requirements to support the security and resilience of the financial entities they serve. By including ICT third-party providers, DORA ensures that the entire ecosystem supporting financial services is resilient against disruptions, not just the financial institutions themselves.
DORA emphasizes not only safeguarding technical infrastructure but also maintaining digital operational resilience, making it crucial for entities to address both digital threats and operational risks. DORA applies to a broad range of financial institutions, including but not limited to:
DORA’s scope is wide, but its primary focus is on entities with a direct or significant impact on the EU’s financial system, so certain smaller entities or non-core financial institutions may not fall within its requirements. Examples include small and micro enterprises (SMEs) in certain non-core financial sectors that don’t handle significant volumes of sensitive financial data, and ICT service providers that offer non-critical or non-core services to the financial sector.
The regulation is designed to ensure that all these entities have consistent cybersecurity measures, regardless of their size or nature, focusing on their operational resilience against ICT risks.
Key Components of the DORA Framework
The Digital Operational Resilience Act is a regulatory framework from the European Union focused on strengthening the cybersecurity and operational resilience of financial entities within the EU. While DORA isn't a cybersecurity framework per se, it lays out a regulatory framework that integrates elements of various well-known cybersecurity principles and practices. Essentially, DORA enhances digital operational resilience within the financial sector. But what specific actions does it take to achieve this?
Chapter II: ICT risk management:
Establishes requirements for managing Information and Communication Technology (ICT) risks, including setting up governance frameworks, conducting risk assessments, and implementing controls to mitigate identified risks.
By aligning financial institutions and their suppliers with unified standards and requirements like the ISO 27001 standard and NIST CSF, it strengthens defenses against an evolving threat landscape. This consistency simplifies compliance and ensures that no institution is left exposed to cyber risks. Chapter II covers a broad theme and introduces requirements for information security in general. Some of the articles to be highlighted include:
Article 9a: Protection: This article specifically addresses the protection of information systems; companies must constantly monitor and control their ICT systems to ensure security, minimise risks and prepare for the worst. Measures may include for example access management, encryption of backup data and physical protection measures.
Article 9b: Prevention: While the first part is about protection, the second part of Article 9 outlines the requirements for financial entities to protect and prevent risks to their ICT systems. Measures to prevent risks can include for example defining access rights, personnel awareness, as well as file management.
financial entities shall develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers, where applicable.
Article 10: Detection: Financial entities need to implement measures to rapidly detect any issues or vulnerabilities in their ICT networks. These mechanisms should incorporate multi-layered controls, clearly defined alert thresholds, and automated notifications to support incident response.
Chapter III: ICT-related incident management, classification and reporting:
Chapter III mandates a standardized approach for reporting significant ICT-related incidents to the relevant authorities. It aims to ensure timely and accurate communication of incidents that could affect financial stability or consumers.
DORA enhances incident response by streamlining reporting and response processes, enabling companies to act quickly and effectively.
Chapter IV: Digital operational resilience testing:
DORA requires regular testing of the operational resilience of ICT systems, which can involve vulnerability assessments, penetration testing, and threat-led penetration testing (TLPT).
Ensuring that systems are resilient to attacks is a primary focus, so DORA requires entities to conduct rigorous digital operational resilience testing. This means regular and thorough assessments to validate the effectiveness of security measures, ensuring weaknesses are identified and mitigated promptly.
Chapter V: Managing of ICT third-party risk:
This chapter focuses on managing risks associated with third-party ICT service providers. It includes rules around outsourcing, monitoring, and risk assessments of third-party relationships, and ensures that these providers also adhere to the principles of security and resilience.
DORA strengthens third-party risk management by enforcing strict oversight and assessment of ICT providers, ensuring that outsourced partners meet the same security standards and reducing vulnerabilities in the interconnected financial ecosystem.
Chapter VI: Information-sharing arrangements:
Chapter VI encourages financial entities to share threat intelligence and information on cyber threats, incidents, and vulnerabilities within the sector, promoting a collaborative defense against cyber risks. Mandatory information sharing helps organizations learn from incidents, reducing impact and preventing future occurrences.
DORA takes a broad, risk-based approach, requiring entities to adopt robust cybersecurity practices, aligning well with globally recognised frameworks such as ISO 27001, NIST CSF, and CIS Controls, while also addressing the specific needs of the financial sector.
As previously mentioned, DORA is available to work with on Cyberday. In Cyberday, DORA consists of 5 clauses and 42 requirements, which are broken down into prioritized policies and tasks. On Cyberday you will also find many other frameworks mentioned in this blog, such as the ISO 27001 standard and the NIST cybersecurity framework. You can therefore work on DORA in its own right, or in combination with other available frameworks. If you haven't had a chance to try Cyberday yet, take a free 14-day trial here.
In conclusion
DORA serves as both a regulatory guide and a collaborative standard, unifying financial sector processes to address shared digital resilience challenges. Its clear guidelines on risk management, incident reporting, and resilience testing enable organizations of all sizes to approach cybersecurity with confidence, fostering a proactive and consistent defense against evolving threats.
Ultimately, DORA doesn't just lay down guidelines—it actively builds a collaborative ecosystem where entities are better prepared to counteract cyber threats, safeguard data, and maintain the trust of their stakeholders. For institutions navigating the complexities of digital threats, DORA is a steadfast ally in their cybersecurity strategy.
Is Cyberday missing a framework you'd like to work on? DORA was published on Cyberday thanks to the wishes of our users. Our team is constantly working on making new frameworks available, so wish for your favourite, and your wish may come true ⭐️