DORA, The Explainer
A quick overview of the Digital Operational Resilience Act (DORA)
If you’re a financial institution, or you supply ICT services to a financial institution in the EU, the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) should be on your list of regulations to understand. The EU enacted DORA so that financial entities can withstand, respond to and recover from ICT disruptions and cyber attacks, protecting the stability and integrity of the financial system and the data it depends on. DORA entered into force in January 2023 and has applied, with enforcement, since January 17, 2025. If you are subject to DORA and haven’t yet established a comprehensive GRC program, you are already behind the curve.
Strengthening Digital Resilience for Europe’s Financial Entities
“Financial entities” is broadly defined and includes, among others:
- Banks (credit institutions)
- Insurance and reinsurance undertakings and intermediaries
- Investment firms and fund managers
- Payment institutions and electronic money institutions
- Crypto-asset service providers
- Crowdfunding service providers
- Credit rating agencies
DORA introduces stringent requirements for financial entities operating within the EU, mandating comprehensive ICT risk management, resilience testing and third-party risk management. DORA not only stresses the importance of comprehensive ICT frameworks but also mandates continuous monitoring and incident response plans.
ICT third-party service providers, whether based in the EU or abroad, will also be significantly affected. They must align their services and contracts with DORA so that their financial entity clients can demonstrate compliance. This includes:
- Updating contracts to incorporate DORA compliance.
- Enhancing internal policies to meet DORA standards, including ICT asset management and incident reporting.
- Preparing for increased scrutiny and due diligence from clients.
Even if you are not directly within DORA’s scope, it signals where GRC requirements in general are heading. DORA codifies much of what is already GRC best practice and reinforces the holistic GRC model.
What does DORA require?
DORA imposes five pillars of requirements upon in-scope entities:
1. ICT Risk Management
Establish a documented ICT risk management framework, approved and overseen by the management body, with controls and internal policies to enforce those controls.
2. ICT-related Incident Management and Reporting
Detect, classify and record ICT-related incidents, and report major incidents to the competent authority using prescribed templates and timelines (an initial notification, an intermediate report and a final report).
3. Digital Operational Resilience Testing
Run a testing programme on a regular schedule that includes vulnerability assessments, scenario-based tests and business continuity and disaster recovery (BCDR) exercises. Entities designated by their competent authority must also carry out threat-led penetration testing (TLPT) at least every three years, and attestations and summaries of test results may have to be provided to regulators.
4. ICT Third-party Risk Management
Perform appropriate due diligence on ICT third-party providers, maintain a register of information on all contractual arrangements, include the contractual provisions DORA prescribes, and monitor those providers on an ongoing basis, including concentration risk and exit strategies.
5. Information Sharing
Where appropriate, exchange cyber threat information and intelligence with other financial entities to limit the spread of attacks.
Non-Compliance with DORA
The repercussions for failing to comply with DORA can be severe. Monetary penalties for financial entities are set by the EU Member States, so non-compliance can lead to substantial fines that vary by jurisdiction. ICT third-party providers designated as critical are overseen directly by the European Supervisory Authorities and can face periodic penalty payments of up to 1% of their average daily worldwide turnover for each day of non-compliance, for up to six months, and authorities may require financial entities to suspend or terminate use of their services. Entities found deficient in compliance can also expect increased supervisory scrutiny, which raises the operating cost of managing that oversight. An integrated GRC platform can help keep compliance organized, documented and automated.
Ultimately, DORA represents a significant shift in how financial entities and their technology partners manage digital operational resilience. With the January 2025 application date already passed, it is crucial for all stakeholders to close any remaining gaps quickly to ensure compliance and safeguard against potential risks. As the landscape of digital threats continues to evolve, DORA is a vital step toward enhancing the resilience of the financial sector in Europe.