The EU's Digital Operational Resilience Act (DORA) marks a shift in cybersecurity regulation, from a focus on preventing cyber-attacks to also ensuring the ability to recover quickly and effectively from them – a concept that is commonly called cyber resilience.
DORA was adopted in November 2022 as part of the EU’s 2020 Digital Finance strategy, which laid out the ambition for Europe to become a digital single market for financial services.
It aims to improve the resilience of the financial sector to operational disruptions, such as cyber-attacks.
DORA's Wide Scope
According to Jean-Philippe Gaulier, co-founder of Cyberzen, DORA was adopted in response to the EU regulators' concerns that the financial sector was not doing enough to mitigate cyber threats.
“Specifically, EU regulators were probably not thinking of big banks and insurance companies when drafting this bill, as they are among the best-prepared companies in the world to prevent and recover from cyber-attacks, but rather of other, perhaps less regulated institutions that play a role in modern financial services,” he told Infosecurity.
Therefore, DORA applies to a wide range of financial institutions, including banks, insurance companies, investment firms, cryptocurrency exchanges and trading platforms, as well as their critical third parties.
What are DORA's Five Pillars?
The DORA regulation is based on five pillars:
- ICT risk management
- ICT-related incident management and reporting
- Digital operational resilience testing
- ICT third-party risk management
- Information-sharing arrangements
The first three pillars include a range of measures to improve the resilience of financial firms, including requirements to maintain an ICT risk management framework, an incident response plan and business continuity and recovery plans, and to test resilience regularly, up to and including threat-led penetration testing (TLPT) at least every three years for the most significant entities.
DORA also spells out in detail what each of these processes (risk management framework, incident reporting…) must contain, rather than leaving the content to the firms' discretion.
Addressing Supply Chain Risk
As a sector-specific act, DORA takes precedence over the EU's general network and information systems directives (NIS and NIS2) for the financial entities it covers, and its rules are stricter. For instance, while the original NIS directive only required incidents to be reported "without undue delay" and NIS2 sets a 24-hour early warning followed by a full notification within 72 hours, organizations covered by DORA will have to send an initial notification of a major ICT-related incident within 24 hours, an intermediate report within a week and a final report within a month, with the precise deadlines fixed in the regulation's technical standards.
However, the most radical change introduced by DORA is the measures on supply chain risk, Rodrigo Marcos, chair of the CREST EU Council, told Infosecurity.
“So far, no organization was liable for their third parties. With DORA, each covered company will have to conduct a third-party registry to identify which ones are critical, apply their risk assessment plan to their critical third parties and renew it regularly,” he said.
DORA does not itself fix a fine for non-compliant financial entities: penalties are imposed by national competent authorities under rules each member state must lay down, which must be effective, proportionate and dissuasive. Critical ICT third-party providers, which fall under the direct oversight of the European Supervisory Authorities (ESAs), can face periodic penalty payments of up to 1% of their average daily worldwide turnover for up to six months. The frequently quoted ceiling of €10m ($10.8m) or 2% of global annual turnover, whichever is greater, is the NIS2 maximum for essential entities rather than a DORA penalty.
Is DORA An Inspiration?
DORA is great news for the financial sector, Marcos said.
“First, as the fifth pillar implies, the bill will encourage more collaboration between financial service providers within the bloc,” he explained. “Then, it will have a positive impact in other sectors, both because of the third-party interactions between the financial service providers and other industries and because other sectors might even get inspired to implement more cyber resilience measures as well in the future. Finally, I think it is very likely that other jurisdictions will introduce similar laws, much like what happened with the General Data Protection Regulation (GDPR).”
DORA’s technical standards will be released in early 2024 and the law will be applicable in EU member states from January 17, 2025.