What Is DORA and What Does It Mean for Businesses?

The Digital Operational Resilience Act (DORA) is a regulatory framework established by the European Union to strengthen the digital resilience of financial entities against cybersecurity and information/communications technology (ICT) -related disruptions. Drafted in September 2020 and ratified by the European Parliament in 2022, the regulations will come into force in January 2025.   

DORA signals a major shift in regulating cybersecurity. Its focus is to guarantee the ability of businesses to maintain operations in the face of severe disruptions caused by cyber threats and significant ICT issues.   

The regulations will see the creation of a unified supervisory approach. Specifically, the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) will oversee compliance at an EU level.  

Those organizations will work closely with national supervisory authorities to share information and monitor compliance. This regulation mandates that financial organizations can prevent and mitigate cyber threats and withstand, respond to, and recover from all types of ICT-related disruptions.  

What Is Needed to Meet DORA Regulations?  

To comply with DORA, businesses must address several areas. Firstly, they need to establish robust risk management processes, which involves the following steps:  

Related:Understanding the EU AI Act’s Impact and Ripple Effects in the US

Once this is established, effective incident management, classification and reporting must be considered. Organizations should implement early warning capabilities to detect and manage cyber incidents and complete timely reporting. This vigilance requires a dedicated security operations center (SOC). To be compliant, businesses will need risk-centric independent testing programs in place, incorporating technological and human testing strategies. 

These strategies could include attack surface management, continuous assurance technology capabilities, penetration testing, and red team and purple team testing -- a combination of simulated penetration testing and defensive responses.  

Related:Do the EU’s Proactive Regulations Stifle Tech Innovation?

With knowledge sharing being a significant part of DORA, businesses are expected to use valuable threat and intelligence information and make it available to the wider business community, helping others manage third-party risks. As the landscape evolves, continuous assurance is needed to protect against ongoing threats of risk.  

In periods of increasingly interconnected rick factors -- the era of assurance 4.0 -- navigating a safe path through this landscape is essential.  

Under DORA, all businesses must include ICT risks from third parties within their ICT management frameworks. As ICT or cyber security incidents arise, the DORA framework requires that businesses have mechanisms ready to foster greater resilience, whether these incidents happen to them or to a third party.  

Crucially, DORA compliance is an ongoing process. Resilience in cybersecurity means organizations need to prepare for repeated attacks. This requires regular testing of people, processes and technology, and collaboration with third-party service providers to carry out advanced threat-led penetration testing every three years. 

What Actions Do Businesses Need to Take Now?  

The path to compliance will likely involve bridging several gaps. Businesses should begin with a comprehensive gap analysis, including a detailed review of current operational resilience status, comparing it against DORA’s requirements. The gap analysis should include a careful examination of all current policies, procedures, and documentation related to ICT risk management, incident response, and resilience testing. 

Upon completing the gap analysis, the next step involves creating strategies to bridge identified gaps. This requires outlining specific actions needed to achieve compliance, including deadlines, resource allocation, and assigning responsibility for each task. Prioritizing risk mitigation measures based on the severity and potential impact of identified risks can help ensure that the most critical areas are addressed first. 

Following strategy creation is the strategy implementation stage, which may involve introducing new technologies, enhancing existing systems, and updating documentation. The bridging strategy must include testing and monitoring with frameworks in place to facilitate continuous improvement, and the ability to provide evidence in the event that it is requested by a supervisory body. 

Achieving DORA compliance offers significant benefits for businesses, including enhanced resilience, avoiding penalties, and greater confidence from regulators, customers, and stakeholders.  

What Assistance Is Available? 

For many businesses, achieving DORA compliance not only fulfills regulatory obligations but also increases trust and reliability in their digital operations. In an ever more digital financial landscape, a good reputation is crucial for maintaining stakeholder confidence. Meeting DORA’s requirements is a large undertaking that will require specialist knowledge, making it advisable to partner with third-party assurance providers. Leveraging this comprehensive experience in financial regulations can make the process of achieving compliance smoother and give all stakeholders peace of mind knowing they are compliant.  

Navigating regulatory landscapes can be daunting, especially when new frameworks first come in. However, DORA compliance is an essential step for financial organizations operating within the EU.