What is the Digital Operational Resilience Act (DORA)?

As the backbone of the global economy, the financial services sector faces constant challenges when tackling cyber threats.

From ransomware attacks to devastating data breaches, the potential for disruption and widespread damage is significant. In response to this challenge, the European Union introduced the Digital Operational Resilience Act (DORA) in 2020.

This legislation aims to strengthen the digital defence systems of financial institutions and their crucial third-party vendors, improving their ability to withstand cyberattacks and prevent disruptions.

In this article we will be deep-diving into the Digital Operational Resilience Act (DORA), exploring its meaning, importance and five key pillars.

What is the definition of the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that aims to strengthen the cybersecurity and operational resilience of the financial sector. The regulation was introduced in 2020 and will fully effect on January 17, 2025.

Why was DORA introduced?

Digital Operational Resilience Act (DORA) was introduced after a series of incidents that exposed vulnerabilities in the security of the financial services sector. 

Financial institutions are increasingly targeted by cybercriminals due to the vast amount of sensitive data they hold. These attacks are becoming more frequent and complex, requiring a more robust and comprehensive approach to defend against.

The 2020 SolarWinds attack was a large-scale cyberattack that compromised a popular IT management software, impacting thousands of organizations worldwide, including government agencies and prominent companies.

Read: Biggest Cyber Attacks in History

Attackers injected malicious code into software updates, granting them remote access to compromised systems. The attack's scale, sophistication, and suspected state-backing by Russia raised significant concerns about supply chain security, the need for vigilance in software selection, and international cooperation in combating cyber threats.

Prior to the Digital Operational Resilience Act (DORA), different EU member states had their own regulations and standards for cyber resilience in the financial sector. This lack of consistency created challenges for financial institutions operating across borders and made the overall financial system less secure.

Because of all these activities, the Digital Operational Resilience Act (DORA) plays a pivotal role in making sure banks and other financial companies are prepared for cyberattacks and can keep running smoothly even if something unexpected happens.

In light of the escalating ransomware attacks, the finance industry must prioritize a balanced approach that includes both proactive defences and effective response strategies. This necessity is echoed in legislative efforts such as Europe's DORA, aimed at bolstering cyber resilience within the sector.

Raghu Nandakumara, Head of Industry Solutions at Illumio.

Is DORA just for the financial sector?

The Digital Operational Resilience Act (DORA) is currently specific to the financial sector within the European Union (EU). It applies to all financial institutions operating within the EU, including traditional entities like banks and investment firms, as well as non-traditional ones like crypto-asset service providers & fintechs. 

Additionally, the Digital Operational Resilience Act (DORA) extends its reach to critical third-party service providers that supply ICT (Information and Communication Technology) services to these financial firms, such as cloud platforms and data centres.

While the Digital Operational Resilience Act (DORA) doesn’t currently apply beyond the financial sector, its emergence highlights the growing importance of cybersecurity and operational resilience across industries.

It's possible that similar regulations could be introduced in other sectors in the future, especially those handling sensitive data or critical infrastructure.

How does the Digital Operational Resilience Act (DORA) help mitigate cyber-attacks?

The Digital Operational Resilience Act (DORA) is a new regulation that helps protect the financial services industry. It doesn't just focus on banks and investment companies but also includes any business/third-party vendors that work with them.

This is because all these businesses are interconnected in the financial system. Digital Operational Resilience Act (DORA) introduces several steps to make the financial security network tougher and safer.

It sets up tougher security rules, and better plans to deal with possible dangers, and promotes the sharing of information between businesses. In the end Digital Operational Resilience Act's (DORA) goal is to protect the financial sector from online attacks and keep it stable.

The staggering scale of cyber threats faced by financial institutions was highlighted at the World Economic Forum 2024 in Davos. JPMorgan's Head of Asset and Wealth Management, Mary Erdoes, revealed the bank encounters a staggering 45 billion hacking attempts daily, underlining the relentless pressure placed on cybersecurity defences.

Digital Operational Resilience Act (DORA) mandates financial institutions and their critical third-party service providers to comply with specific technical standards within their Information and communication technology (ICT) frameworks by January 17, 2025. 

What are the five pillars of the Digital Operational Resilience Act (DORA) regulation?

1. ICT Risk Management

DORA mandates the establishment of robust risk management frameworks, enabling proactive identification and mitigation of cyber threats, and safeguarding critical systems and data.

2. Incident Management 

Clear reporting requirements and standardized testing procedures foster a rapid and effective response to cyber incidents, minimizing disruption and damage.

3. Resilience Testing

Regular testing of critical systems and applications ensures preparedness and identifies vulnerabilities, preventing potential breaches.

4. Third-Party Risk Management

Recognizing the growing reliance on third-party technology providers, DORA emphasizes managing their associated risks through regular assessments and stricter oversight.

5. Information Sharing

DORA encourages information sharing among institutions regarding cyber threats and vulnerabilities, enabling industry-wide collaboration and enhancing overall resilience.

DORA’s impact on Financial Institutions

While compliance might initially seem daunting, embracing DORA presents a unique opportunity for enterprises. By adhering to its regulations, financial institutions can achieve several key benefits:

• Enhanced Security Posture: DORA's comprehensive framework for risk management, incident response, and testing empowers institutions to identify and mitigate threats more effectively, reducing the likelihood and impact of cyberattacks.
• Improved Business Continuity: Robust Information and communication technology (ICT) resilience ensures minimal disruption in the event of an incident, safeguarding critical operations and protecting financial stability.
• Increased Trust and Confidence: Demonstrating DORA compliance fosters trust with investors, customers, and regulators, potentially leading to a competitive edge in the market

What are consequences of Non-Compliance to the Digital Operational Resilience Act (DORA)?

Failing to comply with DORA can have significant repercussions for financial institutions. The deadline for DORA compliance is January 17, 2025. Regulatory authorities can impose hefty fines, potentially impacting financial stability and profitability.

Additionally, reputational damage from public disclosure of non-compliance can reduce trust and damage customer relationships. Moreover, inadequate resilience can expose institutions to cyber attacks, leading to data breaches, service outages, and financial losses, further hindering business continuity.

To ensure a smooth transition, a collaborative approach involving comprehensive risk assessments, tailored compliance roadmaps, and expert guidance is crucial. Industry collaboration and information sharing are also essential for building a more robust and resilient financial ecosystem.

Read: Top 10 Biggest GDPR Fines in History (So Far) 

Who are examples of Early Adopters and Industry Leaders?

Several financial institutions are already taking proactive steps towards Digital Operational Resilience Act (DORA) compliance, recognizing it as a strategic imperative for ensuring long-term sustainability and success in the face of evolving cyber threats. Here are two prominent examples:

1. IBM

IBM has been actively involved in shaping DORA's development and supporting its implementation. Their expertise in cybersecurity, cloud computing, and AI solutions has been instrumental in helping financial institutions navigate the compliance process. IBM offers a range of DORA-specific services, including:

• DORA readiness assessments: Identifying gaps and developing compliance roadmaps.
• Security and incident response solutions: Implementing robust measures to meet DORA's security requirements.
• Cloud-based solutions: Leveraging secure and resilient cloud infrastructure for enhanced ICT resilience.
• Third-party risk management solutions: Assessing and managing risks associated with third-party technology providers.

2. HSBC

The global banking giant has adopted a comprehensive approach to DORA compliance, conducting gap analyses, implementing new controls, and updating policies to align with the act's requirements. They're also actively engaging with third-party vendors to ensure compliance with DORA's provisions.

Final Thoughts

DORA marks a significant shift in the European Union's approach to regulating the financial services sector's digital resilience. While navigating its requirements necessitates effort and investment, early adopters like IBM and HSBC demonstrate the proactive steps leading organizations can take.

By embracing DORA as a strategic imperative, financial institutions can not only ensure regulatory compliance but also build a more secure, resilient, and trustworthy digital ecosystem, safeguarding themselves and their stakeholders in the face of evolving cyber threats.