SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

What is the EU’s Digital Operational Resilience Act (DORA)?

Cybersecurity Assessments

As of June 2024, the European Union's Digital Operational Resilience Act (DORA) is set to become a pivotal piece of legislation impacting financial institutions and their Information and Communication Technology (ICT) service providers. Designed to improve the stability and security of the financial sector amidst increasing cyber threats, DORA mandates several rigorous standards that organizations under its purview will need to accommodate.

As highly experienced cybersecurity experts, we stay abreast of all the latest legislative changes globally in the event that our clients are affected and have to pivot to satisfy additional requirements. That’s true of DORA—we have insight to offer our partners and you.

In this article, we’ll break down the EU’s reasons for introducing DORA, its key components, the applicability—including to third-party providers—and the steps you’ll need to take to comply so that as this law comes into effect, you’ll be ready.

Why DORA?

 

In terms of digital security, the EU has been active in its attempts to strengthen that of Union members through different recent legislation. Recently, they’ve introduced and progressed laws such as:

We’ve previously examined most of these new regulations of which DORA is just the latest—it’s also more specific, as it was created in response to several factors and challenges that the financial sector currently faces, including:

  • Critical Digital Interdependencies: Increasing digitalization and the parallel sophistication of cyber threats continue to heighten the industry’s overall vulnerability, particularly because the financial sector is more interconnected than ever. With various institutions relying on shared services and third-party providers, any disruption can quickly cascade and impact others, making it more critical than ever before to ensure the operational resilience of all involved organizations so that consumers remain protected and confident.
  • Fragmented Regulatory Landscape: Before DORA, regulatory approaches to digital operational resilience varied across EU member states, which made it challenging for financial entities operating across borders to ensure comprehensive resilience—DORA not only takes care of that with its unified regulatory framework, but it also aligns with other global regulatory trends emphasizing the importance of ICT risk management and operational resilience.
  • Resilience Against Future Crises: Back in 2020, the COVID-19 pandemic quickly highlighted the importance of operational resilience as every organization—financial ones included—was forced to rapidly adapt to new ways of working with increased reliance on digital channels, and DORA aims to better prepare the financial sector for any future, similar crises.

What are DORA’s Requirements?

 

As a regulation, DORA operates on a proportionality principle. In other words, it takes a tailored approach in that its requirements apply to organizations based on the size, complexity, and risk profile of the financial entity.

While that does mean that every organization will have a different lens—with financial entities bearing more responsibility than their providers—the requirements themselves can be categorized into a few key areas:

Requirement Area

Details

ICT Risk Management

To ensure disruptions can be tolerated without severe impact on services, ICT risk management frameworks that identify, mitigate, and manage ICT risks effectively are now required, and they must include:

  • The performance of regular risk assessments on ICT systems and processes.
  • The involvement of senior management and the board of directors in the development and implementation of comprehensive policies and procedures that address the identification, protection, detection, response, and recovery from ICT-related risks, as well as business continuity and disaster recovery plans.

Incident Reporting

Financial institutions are required to:

  • Establish mechanisms for the detection and classification of ICT-related incidents based on their severity and impact; and
  • Provide timely and detailed reports regarding any significant ICT-related incidents to their competent authorities—these reports should include the nature, cause, and impact of the incident.

Operational Resilience Testing

To demonstrate that systems and processes can withstand cyber threats and disruptions, organizations are now required to perform regular testing in the form of:

Third-Party Risk Management

Financial institutions must manage third-party risks effectively, which now means ensuring that their service providers comply with DORA requirements by:

  • Conducting thorough due diligence when selecting and contracting third-party ICT service providers to ensure they meet resilience standards.
  • Including specific terms for managing ICT risks, ensuring service continuity, and allowing for audit and inspection rights in contracts with third-party providers.
  • Continuously monitoring and assessing the performance and resilience of third-party providers (and take corrective actions if needed).

Information Sharing

DORA also encourages financial entities to share information about cyber threats and incidents to enhance collective cybersecurity defense mechanisms across the sector.

 As these requirements come into effect, competent authorities will oversee the implementation and compliance with DORA requirements, conducting inspections and assessments as necessary. Those authorities will also impose penalties and require remediation measures for non-compliance with DORA standards.

Are You Affected By DORA?

 

Given that this new regulation aims to strengthen the financial sector, it’s obvious that DORA and its requirements will apply to a wide range of financial entities, but if you’re an organization simply doing business with those entities, things are less clear.

If you provide ICT services—such as data analytics, cloud computing services, or cybersecurity—DORA is likely applicable, but if you’re still not sure, here are some other avenues that can help you determine whether your organization will need to comply with DORA:

  • Review your current customer base to understand if any services you’re providing to EU financial entities could be considered critical as it pertains to their business continuity and operational resilience.
  • Examine the contracts and service agreements you have with your financial entity partners, as they may indicate whether your compliance with regulatory standards is mandatory.
  • Ask your partners directly, as financial institutions will need to ensure that their third-party providers comply with DORA (The European Supervisory Authorities (ESAs) may also provide guidance regarding the obligations of critical third parties.)

Next Steps for DORA

 

Though DORA is set to become fully applicable on January 17, 2025, we’re also still waiting on the second set of detailed technical standards to be released, which is scheduled to be submitted to the European Commission by July 17, 2024.

While we already have the first technical standards—which were released on January 17, 2024—the second set is expected to address:

  • Guidelines on establishing and maintaining robust cybersecurity measures to safeguard your digital assets;
  • Details on the required advanced security and resilience tests on critical ICT systems;
  • Specifications for reporting significant cybersecurity incidents to regulatory authorities, including the timing and format;
  • Definitive requirements for managing operational risks within technology infrastructure and data protection; and
  • Standards for assessing and managing risks posed by third-party providers to ensure they meet DORA's requirements.

Moving Forward Under DORA

 

Introduced to enhance the digital operational resilience of the EU's financial sector, DORA—and its new framework of requirements—will help address rising cyber threats and foster a more secure digital financial ecosystem that will better protect consumers and market stability.

Though the deadline for compliance is in January 2025, organizations under DORA’s purview should begin to pivot now, as it’ll likely require additional effort and investment to create an environment that supports the required continuous improvements in operational resilience and risk management.

If you’re interested in gaining a baseline awareness of where your organization stands against the requirements of DORA, contact us today, as our team is equipped to assist through several different service offerings:

  • Gap Assessments: We distribute and conduct a series of questionnaires and interviews to pinpoint the applicability of requirements and identify where more implementation is needed to satisfy those applicable requirements, including where any overlap from your existing compliance initiatives can help.
  • Cybersecurity Risk Program and Maturity Assessments: We evaluate your people, processes, and technology in a way that measures and reports on your overall cybersecurity posture.
  • Threat-Led Penetration Testing: We stage a simulation of specific threats your organization faces in order to evaluate your defense capabilities against targeted attacks.
  • Third-Party Risk and Impact Assessments: We diagnose the organizational and security risks related to the third parties in your supply chain, as well as their potential impact on your business.

About Chris Smith

Chris Smith is a Director with Schellman based in Raleigh, NC. Prior to joining Schellman in 2016, he worked as a Senior Auditor at a large public accounting firm in New York City performing financial statement audits for private equity and business development companies. Chris has over 12 years of audit and compliance experience and maintains multiple CPA licenses, along with CISSP, CISA, ISO 27001 Lead Auditor, and CIPP/US certifications. Chris’ primary focus areas consist of SOC examinations and cybersecurity assessments.