Not to be confused with the popular children’s TV character, DORA is a new EU regulation for the financial sector, which stands for the Digital Operational Resilience Act. DORA became law on 16 January 2023 and will start to apply from 17 January 2025, so it’s crucial that senior executives in the financial sector, such as Chief Risk Officers and Chief Information Security Officers, understand its implications and prepare for compliance from day one. In this blog, we’ll delve into the impact of DORA, how it differs from the upcoming NIS2 directive, and explore what it entails for companies.
What is the Digital Operational Resilience Act?
The Digital Operational Resilience Act is an EU regulation whose primary objective is to establish a comprehensive and unified framework for managing and mitigating information and communication technology (ICT) risks within the European Union’s financial services sector. DORA aims to enhance the resilience of financial entities by promoting a proactive approach to identifying, assessing, and addressing ICT-related risks, thereby strengthening the overall stability and security of the financial system.
DORA is built upon five foundational pillars:
- ICT risk management
- Incident reporting
- Operational resilience testing
- Managing third-party risk
- Intelligence sharing
By setting standardized requirements and guidelines, DORA aims to ensure that financial entities can effectively withstand disruptions, cyber threats, and other challenges in an increasingly digital landscape. Moreover, DORA introduces measures to oversee critical third-party providers, such as cloud service providers, recognizing their significant role in supporting the operational infrastructure of financial entities.
How does DORA differ from NIS2?
At a board level, you can’t avoid dealing with these acronyms, both major pieces of European Union cybersecurity legislation. But what are the key differences?
- NIS2 is a directive, meaning it provides guidance that each EU Member State must transpose into its own national law before it can be enforced.
- DORA is a regulation, so it is directly applicable in all EU Member States upon enactment, without any modifications, making it a binding law that must be fully enforced.
- NIS2 is broader in focus, ensuring that essential services, including energy, transport, banking, and healthcare, adhere to standardized cybersecurity measures throughout the EU.
- DORA's focus is narrower, aiming to strengthen the digital operational resilience of the financial sector specifically.
As to which law takes precedence, it depends. If DORA applies to your organization, it trumps NIS2. Which brings us to the next question.
Who will need to comply with DORA?
The Digital Operational Resilience Act applies to the following financial entities:
- Credit institutions
- Payment institutions
- E-money institutions
- Investment firms
- Cryptoasset service providers
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries
- Reinsurance intermediaries
- Ancillary insurance intermediaries
- Institutions for occupational retirement pensions
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitization repositories
Additionally, DORA extends its scope to include ICT third-party service providers that are designated as “critical” by the European Supervisory Authorities (EBA, ESMA, and EIOPA).
Why is this happening now?
Below are some of the key drivers behind the act:
- Role of ICT in the digital age: Even more so since the pandemic, ICT has become essential in providing financial services. According to the act, this has put resilience under the spotlight: “Increased digitalization and interconnectedness also amplify ICT risk, making society as a whole, and the financial system in particular, more vulnerable to cyber threats or ICT disruptions.”
- Systemic vulnerability and financial stability: The European Systemic Risk Board (ESRB) highlighted the systemic vulnerability caused by interconnections and dependencies of ICT systems in the financial sector. Localized cyber incidents can quickly spread across financial entities, posing risks to the entire financial system and leading to liquidity runs and loss of confidence.
- Resilience now a top priority: Past reforms primarily targeted economic and market conduct aspects, with resilience being overlooked. Resilience is now considered crucial for the financial sector, “ultimately enabling the effective and smooth provision of financial services across the whole Union, including under situations of stress, while also preserving consumer and market trust and confidence.”
- Harmonization and supervisory mandates: Despite the fact that the Union financial sector is regulated by a Single Rulebook and governed by a European system of financial supervision, there is a lack of standardization. According to the Act, “Provisions tackling digital operational resilience and ICT security are not yet fully or consistently harmonized, despite digital operational resilience being vital for ensuring financial stability.” DORA seeks to rectify this discrepancy.
DORA - it’s not just about cybersecurity.
While it’s true that preventing cyber-attacks is a focus of DORA, preventing Internet disruptions is also a key tenet of the legislation. The act directly states that security and ICT tools must be continuously monitored and controlled to minimize risk.
The following are key components of the legislation:
Article 8, Identification: Financial entities shall, on a continuous basis, identify all sources of ICT risk, in particular the risk exposure to and from other financial entities, and assess cyber threats and ICT vulnerabilities relevant to their ICT-supported business functions, information assets and ICT assets.
Article 9, Protection and prevention: For the purposes of adequately protecting ICT systems and with a view to organizing response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimize the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.
Article 10, Detection: Financial entities shall have in place mechanisms to promptly detect anomalous activities, in accordance with Article 17, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure.
What does this mean for financial institutions?
DORA holds boards accountable
By law, DORA mandates that boards of financial services organizations will be held accountable for ICT risk, constituting one of its pivotal requirements. This is huge. If you are a financial services company or provide services to one, complying with this new law will require immediate attention.
Your Internet Stack just got bigger
DORA requires that a financial entity’s ICT risk management framework include a “holistic” ICT multi-vendor strategy. It’s easy to see why. For instance, in the event of a service disruption or outage at Microsoft, an organization relying on Windows 11 devices, Azure as its cloud service provider, and Microsoft 365 as its productivity suite may face significant challenges across all three at once.
To comply with DORA, financial institutions will likely need to implement a multi-vendor approach, ensuring alternative options are available in the event of disruptions or failures.
To ensure resilience, you need to monitor ALL of these vendors, not just your own applications.
How to achieve DORA compliance
DORA directly states that security and ICT tools must be continuously monitored and controlled to minimize risk. That’s exactly where Catchpoint comes in. DORA serves as a validation of our long-standing messaging, emphasizing that the Internet has become the primary enterprise network and is now more susceptible to vulnerabilities than ever before.
While many companies nowadays have monitoring tools in place, they tend to only monitor their own applications and tools. Catchpoint, on the other hand, monitors the entire Internet Stack, delivering unparalleled visibility into your applications, users, networks, and critical third-party services you now need to monitor to achieve DORA compliance.
With over 2500 vantage points worldwide, our unequalled global observability network provides the industry’s most comprehensive Internet Performance Monitoring data set. This empowers you to proactively pinpoint and fix issues before they impact your users, protecting your bottom line and ensuring DORA compliance.
Moreover, having a network decoupled from hosting cloud providers gives us the unprecedented capability to continuously detect, identify, troubleshoot, and validate issues even when cloud providers go down, delivering the type of robust resilience mandated by DORA.
Ensuring DORA compliance is not just about meeting regulatory obligations; it’s about building a resilient and secure digital ecosystem that can withstand evolving threats and disruptions. If you are a Systems Integrator assembling a DORA solution, we are here to help, come talk to us. With Catchpoint’s comprehensive Internet Performance Monitoring (IPM) solutions, you’ll navigate the DORA compliance journey with confidence.