Exploring DORA: The Digital Operational Resilience Act - What Implications Will It Have For Your Business?
What is DORA?
No, not that one!
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is a European Union regulation that entered into force in January 2023 and applies from 17 January 2025.
In the era of digitalisation, many organisations rely entirely on digital systems, and the sensitive information they hold is often spread across multiple locations worldwide with varying levels of protection. DORA addresses this by setting a baseline for ICT (Information and Communication Technology) resilience across the financial sector, so that the sector is regulated on resilience in a consistent way rather than through differing national rules.
The regulation applies directly to over 20,000 financial entities within the EU. It also reaches the ICT third-party service providers that support them: most providers are bound indirectly, through the contractual terms DORA requires financial entities to impose on them, while a small set of providers designated as critical (wherever they are located, including outside the EU) fall under direct oversight by the European Supervisory Authorities.
DORA is structured around five key areas of focus, each with specific requirements:
ICT Risk Management
ICT-related Incident Management, Classification and Reporting
Digital Operational Resilience Testing
Third-Party ICT Risk Management
Information Sharing Arrangements
This framework is designed to ensure that financial institutions are better prepared to handle and recover from digital disruptions, improving overall resilience in the financial system.
What are the Requirements?
The table below compares the requirements of DORA with other widely recognised cybersecurity governance accreditations:
As shown, DORA presents more detailed and specific requirements than many other established cybersecurity standards. The closest comparison is ISO 27001, though DORA's criteria are more granular in nature. If your organisation is not yet ready to meet the standards of DORA or ISO 27001, starting with foundational certifications such as Cyber Essentials or IASME Cyber Assurance Level 2 can provide solid groundwork. These stepping stones build the necessary cybersecurity controls and evidence, paving the way for the successful attainment of more comprehensive governance accreditations.
What’s In and Out of Scope of DORA?
If you're a financial organisation, the first step is to review the scope provisions of the Digital Operational Resilience Act (Article 2 of Regulation (EU) 2022/2554) to determine whether your entity falls within it. The following organisations are explicitly defined as being within scope of DORA's requirements (note that Article 2(3) carves out a handful of exemptions, for example insurance intermediaries that are micro, small or medium-sized enterprises and institutions for occupational retirement provision with fewer than 15 members):
Credit institutions
Payment institutions, including those exempt under Directive (EU) 2015/2366
Account information service providers
Electronic money institutions, including those exempt under Directive 2009/110/EC
Investment firms
Crypto-asset service providers authorised under the Regulation on markets in crypto-assets (EU Regulation) and issuers of asset-referenced tokens
Central securities depositories
Central counterparties
Trading venues
Trade repositories
Managers of alternative investment funds
Management companies
Data reporting service providers
Insurance and reinsurance undertakings
Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries
Institutions for occupational retirement provision
Credit rating agencies
Administrators of critical benchmarks
Crowdfunding service providers
Securitisation repositories
ICT third-party service providers
While the scope of most organisations is clear, the category of ICT third-party service providers is more broadly defined. If you provide hardware, software, cloud or data services to an EU-regulated financial entity, you should expect DORA to reach you through your contracts: the financial entity must record you in its register of information, assess the risk you introduce, and include DORA's mandatory contractual provisions (on service levels, incident support, audit and access rights, and exit) in its agreement with you. Being designated a critical ICT third-party provider is a separate step: the European Supervisory Authorities designate only a limited set of providers as critical, based on criteria such as how systemic and substitutable the service is, and only those providers come under direct oversight. Most suppliers will not be designated critical, but they will still have to meet the requirements their financial-sector customers pass down to them.
What if I Don’t Comply?
If your organisation falls under the scope of DORA and fails to comply with its requirements, there are two significant risks you could face:
Administrative Penalties: Unlike the General Data Protection Regulation (GDPR), DORA does not set a single EU-wide fine cap for financial entities. Instead, it requires each Member State to lay down administrative penalties and remedial measures that are "effective, proportionate and dissuasive", imposed by the national competent authority that supervises the entity, taking into account the nature of the breach and the specific circumstances surrounding it. The figure DORA itself fixes applies to critical ICT third-party providers: the Lead Overseer (one of the European Supervisory Authorities) can impose a periodic penalty payment of up to 1% of the provider's average daily worldwide turnover for the preceding business year, charged daily until the provider complies, for up to six months. The ESAs can also, as a last resort, recommend that financial entities suspend or terminate their use of a non-compliant critical provider.
Supply Chain Disruptions: Non-compliance may also affect your position within the supply chain. Because financial entities must perform due diligence on their ICT suppliers and flow DORA's contractual requirements down to them, larger institutions are increasingly requiring that their partners adhere to DORA's principles before signing or renewing contracts. If your organisation cannot demonstrate that it meets the expectations arising from DORA's five core pillars, it may face exclusion from critical business relationships, potentially resulting in the loss of clients or partners.
How can PureCyber Help?
The DORA requirements can seem overwhelming at first. Their complexity and detail often leave organisations unsure of where to begin. That's where PureCyber comes in…
Our team of experienced governance, risk, and compliance consultants are here to guide you through the process. We’ll help your organisation define the scope of your requirements, perform a thorough gap analysis to identify areas for improvement, and provide tailored consultancy to ensure you meet the necessary standards.
By partnering with a trusted team that communicates complex advice in a clear, actionable way, your organisation can avoid common pitfalls, fully understand your compliance obligations, and confidently meet the DORA requirements.
PureCyber is recognised as an Assured Service Provider by the NCSC to offer governance and compliance consultancy services and audits. Contact our team of compliance experts to enquire about your organisation's standing today and gain an insight into the services we can offer.
Need a refresh? No matter what level of cyber security knowledge you have, it is always valuable to refresh your understanding of terms, topics and techniques. Our PureCyber glossary of terms is the perfect place to brush up on your understanding.