DORA sets the requirements for financial service firms in the EU. How are you preparing to ensure compliance? Learn how Catchpoint can help.
Not to be confused with the popular children’s TV character, DORA is a new EU regulation for the financial sector, which stands for the Digital Operational Resilience Act. DORA became law on 16 January 2023 and will start to apply from 17 January 2025, so it’s crucial that senior executives in the financial sector, such as Chief Risk Officers and Chief Information Security Officers, understand its implications and prepare for compliance from day one. In this blog, we’ll delve into the impact of DORA, how it differs from the upcoming NIS2 directive, and explore what it entails for companies.
The Digital Operational Resilience Act is an EU regulation whose primary objective is to establish a comprehensive and unified framework for managing and mitigating information and communication technology (ICT) risks within the European Union’s financial services sector. DORA aims to enhance the resilience of financial entities by promoting a proactive approach to identifying, assessing, and addressing ICT-related risks, thereby strengthening the overall stability and security of the financial system.
DORA is built upon five foundational pillars:
By setting standardized requirements and guidelines, DORA aims to ensure that financial entities can effectively withstand disruptions, cyber threats, and other challenges in an increasingly digital landscape. Moreover, DORA introduces measures to oversee critical third-party providers, such as cloud service providers, recognizing their significant role in supporting the operational infrastructure of financial entities.
At a board level, you can’t avoid dealing with DORA and NIS2, both major pieces of European Union cybersecurity legislation. But what are the key differences?
As to which law takes precedence, it depends. If DORA applies to your organization, it trumps NIS2. Which brings us to the next question.
The Digital Operational Resilience Act applies to the following financial entities:
Additionally, DORA extends its scope to include ICT third-party service providers that are designated as “critical” by the European Supervisory Authorities (EBA, ESMA, and EIOPA).
Below are some of the key drivers behind the act:
While it’s true that preventing cyber-attacks is a focus of DORA, preventing Internet disruptions is also a key tenet of the legislation. The act directly states that security and ICT tools must be continuously monitored and controlled to minimize risk.
The following are key components of the legislation:
Article 8, Identification: Financial entities shall, on a continuous basis, identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT-supported business functions, information assets and ICT assets.
Article 9, Protection and prevention: For the purposes of adequately protecting ICT systems and with a view to organizing response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimize the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.
Article 10, Detection: Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 17, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure.
DORA holds boards accountable
By law, DORA mandates that the boards of financial services organizations be held accountable for ICT risk; this is one of its pivotal requirements. This is huge. If you are a financial services company or provide services to one, complying with this new law will require immediate attention.
Your Internet Stack just got bigger
DORA requires that a financial entity’s ICT risk management framework include a “holistic” ICT multi-vendor strategy. It’s easy to see why. For instance, in the event of a service disruption or outage at Microsoft, organizations relying on Windows 11 devices, Azure as their cloud service provider, and Microsoft 365 as their productivity suite may face significant challenges.
To comply with DORA, financial institutions will likely need to implement a multi-vendor approach, ensuring alternative options are available in the event of disruptions or failures.
To ensure resilience, you need to monitor ALL these vendors.
DORA directly states that security and ICT tools must be continuously monitored and controlled to minimize risk. That’s exactly where Catchpoint comes in. DORA serves as a validation of our long-standing messaging, emphasizing that the Internet has become the primary enterprise network and is now more susceptible to vulnerabilities than ever before.
While many companies nowadays have monitoring tools in place, they tend to only monitor their own applications and tools. Catchpoint, on the other hand, monitors the entire Internet Stack, delivering unparalleled visibility into your applications, users, networks, and critical third-party services you now need to monitor to achieve DORA compliance.
With over 2500 vantage points worldwide, our unequalled global observability network provides the industry’s most comprehensive Internet Performance Monitoring data set. This empowers you to proactively pinpoint and fix issues before they impact your users, protecting your bottom line and ensuring DORA compliance.
Moreover, having a network decoupled from hosting cloud providers gives us the unprecedented capability to continuously detect, identify, troubleshoot, and validate issues even when cloud providers go down, delivering the type of robust resilience mandated by DORA.
Ensuring DORA compliance is not just about meeting regulatory obligations; it’s about building a resilient and secure digital ecosystem that can withstand evolving threats and disruptions. If you are a Systems Integrator assembling a DORA solution, we are here to help; come talk to us. With Catchpoint’s comprehensive Internet Performance Monitoring (IPM) solutions, you’ll navigate the DORA compliance journey with confidence.