With the Digital Operational Resilience Act (DORA) applying from 17 January 2025, the deadline for compliance is fast approaching.
DORA is a piece of European Union legislation (Regulation (EU) 2022/2554) introduced specifically for the financial services sector. It aims to bolster cyber defences across Europe's financial entities and to ensure that a minimum acceptable security standard is met by all of them.
It is important to note that DORA is not a one-off compliance exercise but an ongoing obligation that may require a fundamental overhaul of current processes. Increased EU supervisory activity will demand a solid foundation in risk management, pushing organisations away from reactive practices driven by breaches and audit findings. DORA therefore must be met with the adoption of robust digital operational resilience frameworks, sponsored at C-suite level and supported by integrated risk approaches across the organisation.
This article will highlight the core elements of DORA that every organisation should be aware of and reveal the five key areas that in-scope entities need to address alongside crucial considerations to ensure compliance and resilience.
What you need to know about DORA
Legislators have clearly outlined the kinds of institutions in scope of DORA's obligations. While there are a few noted exceptions within these categories, the in-scope entities are as follows:
- Credit Institutions
- Payment Institutions
- Account Information Service Providers
- Electronic Money Institutions
- Investment Firms
- Crypto-Asset Service Providers
- Central Securities Depositories
- Central Counterparties
- Trading Venues
- Trade Repositories
- Managers of Alternative Investment Funds
- Management Companies
- Data Reporting Service Providers
- Insurance and Reinsurance Undertakings
- Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries
- Institutions for Occupational Retirement Provision
- Credit Rating Agencies
- Administrators of Critical Benchmarks
- Crowdfunding Service Providers
- Securitisation Repositories
- ICT Third-Party Service Providers
DORA stipulates that in-scope entities must meet the minimum standards across several key cyber security areas, including risk management, incident management, and resilience testing.
DORA is a regulation rather than a directive, so it applies directly in every EU member state without national transposition. Member states must still designate the competent authorities that supervise in-scope entities and lay down the administrative penalties and remedial measures for breaches (Article 50), so some national variation in enforcement is to be expected. The requirements laid out by DORA at the Union level, though, give a clear picture of what is expected overall.
DORA's Five Core Requirements
There are five key areas that in-scope entities need to address. We've broken these down below, along with some considerations for addressing each requirement.
- Information & Communication Technology (ICT) Risk Management – This chapter mandates an 'internal governance and control framework' and a 'comprehensive and well-documented' ICT risk management framework. There are also obligations to maintain effective protection and prevention programmes, as well as incident detection and disaster recovery protocols. Proper communication structures are required, as are backup and restoration policies and procedures.
- ICT-Related Incident Management, Classification and Reporting – DORA specifies the mechanisms for incident response and lays out a framework for classifying incidents and rating their severity. It then outlines reporting obligations, which include the need to report any major ICT-related incident to the relevant competent authority. There are also stipulations regarding the notification of affected clients.
- Digital Operational Resilience Testing – Financial entities will be expected to build a robust testing programme designed to 'identify weaknesses, deficiencies and gaps' in their digital operational resilience. This includes testing ICT tools and systems using a risk-based approach that considers both the broader and the localised risk landscape. These tests must be undertaken by independent parties, internal or external, and any issues found must be remediated once identified. The regulation goes on to require certain entities, identified by their competent authority, to conduct Threat-Led Penetration Testing (TLPT) of their ICT tools and systems at least every three years.
- Managing ICT Third-Party Risk – This is one of the more extensive chapters of the legislation and outlines how the management of third-party risk should be integrated into the ICT risk management framework. DORA notes in Article 28(5) that 'financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards'. The regulation's focus on supply-chain risk goes as far as to outline key contractual provisions and the circumstances for contractual termination, and it establishes an Oversight Forum with dedicated supervisory powers over critical ICT third-party service providers.
- Information Sharing – DORA encourages collaboration and the exchange of cyber threat information between trusted groups of in-scope entities. This supports resilience by raising awareness of the risks facing the sector and aims to reduce a threat's ability to spread.
What are the penalties for DORA non-compliance?
In terms of penalties in case of non-compliance, DORA outlines two sets of penalties – those for the financial entities themselves, and those for the ICT third-party service providers.
- Financial Services Entities – DORA does not specify the exact fines or sanctions for in-scope entities, but instead provides competent authorities with 'all supervisory, investigatory and sanctioning powers necessary to fulfil their duties'. This means that penalties for non-compliance are determined by each EU member state when it lays down its own rules on administrative penalties under DORA.
- ICT third-party service providers – As outlined in Article 35, the Lead Overseer can impose a periodic penalty payment on a critical ICT third-party service provider that fails to comply, of up to 1% of the 'average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year', applied daily for up to six months.
Preparing for DORA Compliance
While there is only a month to go before DORA applies, there is still time to review current practices and achieve DORA compliance.
If you haven't already, take the time to identify the competent authority and the national penalty rules that apply to your organisation. Conducting a comprehensive gap assessment of your ICT risk, controls, and cyber operations will show you where further investment is needed. Leveraging existing frameworks and opportunities for automation will then increase the maturity of your ICT processes and solutions, boosting your compliance and supporting your delivery teams.
Turnkey's range of maturity assessments can help you understand your organisation's current position and set you on the path to easy compliance. Contact our team today to learn more about how we can support you.