DORA: A Game-Changer in EU Financial Cybersecurity and Resilience

Nicholas Jackson

March 11, 2025

The Digital Operational Resilience Act (DORA) became applicable on January 17, 2025, a transformative step for cybersecurity and operational resilience in the European Union (EU) financial sector. Designed to address growing cyber risk and IT disruption, DORA establishes a single, harmonized set of requirements that apply to financial entities, to the Information and Communication Technology (ICT) third-party service providers they depend on, and to the broader marketplace.

But what does this really mean for financial organizations that do business in the EU? What does the law require them to do? And how can they prove compliance?

This is the first in a two-part series. This blog will give you an overview of DORA and its requirements. The second part will provide actionable recommendations that you can take today to make sure your organization is in compliance.

The EU Finance Industry is a Matter of National Security and Public Safety

Applicable since May 2018, nearly seven years ago, the General Data Protection Regulation (GDPR) laid the groundwork for a more robust regulatory landscape throughout the EU. As digital environments mature and grow more complex, and as increasingly sophisticated threat actors put them at risk, further regulation is needed to protect companies and their customers by setting a baseline of secure practices. The revised Network and Information Security Directive (NIS2) entered into force in 2023, with member states required to transpose it into national law by October 2024, to raise that baseline across critical sectors such as energy, transportation and public services. DORA now seeks to establish a comparably robust operational resilience standard across the financial sector.

Addressing the unique cybersecurity challenges of the financial industry makes sense. Finance is heavily dependent on digital technology and is a critical sector that touches nearly every other part of the economy, from manufacturing and healthcare to government services and transportation. A disruption to the financial sector could halt funding for critical infrastructure, affect insurance coverage across the EU or stop the free flow of goods and services between member states. Threat actors know this, of course, and are increasingly targeting the IT infrastructure that powers one of the world's largest, most dynamic economies. This combination of high-impact disruption and exposed infrastructure makes the security of the financial sector a matter of national security.

One of the main challenges for operational resilience in the financial industry is the sector's inherent interconnectedness. The ability to complete nearly any transaction almost immediately, no matter its size and regardless of borders or industrial sectors, is a critical service that keeps the economy ticking. Automated processes across banking, financing, insurance and other financial services depend on complex infrastructures that span on-premises data centers and cloud service providers. That dependency on third-party service providers and technology vendors exposes financial organizations to significant risk.

From Third Parties to Penetration Testing

DORA seeks to standardize operational resilience across the financial sector and across EU member states by establishing a binding set of requirements that strengthen cyber resilience. Since January 17, 2025, individual organizations have had to comply with those requirements. If a breach occurs, the organization may be held liable and be subject to fines and other penalties. Unlike GDPR, DORA itself does not fix a percentage-of-revenue fine for financial entities: administrative penalties are left to member states, which may also sanction senior managers, while critical ICT third-party providers can face periodic penalty payments of up to one percent of their average daily worldwide turnover. Realistically, however, regulators are chiefly interested in seeing what concrete steps non-compliant companies are taking to close their gaps, as a way to further bolster sector-wide operational resilience.

Here are five critical components of DORA that security analysts must consider to maintain compliance with the new regulations:

  1. ICT Risk Management

You can't protect what you don't know about, so DORA requires organizations to understand their ICT environments and how those environments put the organization and its customers at risk. What assets are out there? How critical are they to operational resilience? What would be the impact if these assets were breached or went down? How are these systems interconnected? What controls are in place to secure them? Answering these questions is critical to identifying and inventorying assets, which in turn is the basis for an accurate risk assessment, an integral part of DORA. This is also where threat-led penetration testing (TLPT), which DORA requires of significant financial entities at least every three years, comes in: it gives security teams insight into how an attack could actually unfold and which steps are needed to stop and remediate it.

  2. Third-Party Service Providers

Business today is rarely conducted solely within the confines of an organization's own facilities. Contractors, service providers and, to some extent, work-from-home employees play a critical role in modern business operations, and each of these less-controlled entities poses a risk to operational and cyber resilience. DORA requires financial organizations to understand the impact of ICT third-party providers on the business, record it, and ensure appropriate safeguards protect interconnected processes from end to end. Every contractual arrangement with an ICT third-party service provider must be documented in a Register of Information (RoI), maintained at entity, sub-consolidated and consolidated level, and made available to the competent authority on request.

  3. Incident Management

DORA also requires financial organizations to implement a structured process for detecting, handling and reporting ICT-related incidents. This includes clear classification criteria, timely escalation paths and a consistent reporting framework built around strict deadlines: for a major incident, an initial notification within four hours of classifying it as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of that notification, and a final report within one month. All of this needs to be backed up by operational-resilience-focused tabletop exercises so that disaster recovery and business continuity plans are understood, enabling stakeholders to act immediately when operations are threatened.

  4. Change Management

Organizations and their digital environments are constantly changing, and security teams need visibility into ICT changes and how they affect operational risk, across assessment, implementation and monitoring. Authorization and compliance with existing policies are critical here as well, so that no unauthorized change can take place. This means evaluating software updates, modifications to infrastructure and the onboarding of third parties. DORA requires change management processes to be stringent and to follow structured approvals. Security teams should consider pre- and post-implementation testing of proposed changes, using penetration testing to learn how threats could target the organization once the changes take effect.

  5. Reporting and Compliance

Above all else, DORA focuses on accountability. Financial organizations that want to do business in the EU must take responsibility across their entire IT and business environments. This requires continuous monitoring of critical systems, vulnerability testing, risk assessment and, most importantly, reporting. Organizations should use consistent templates, aligned with the regulation's requirements and timelines, for incident reports and risk assessments, and keep the Register of Information (RoI), the repository of third-party arrangements, contractual terms, dependencies and related risk assessments, current and available to internal and, when necessary, external auditors and supervisors. Collecting the information is not enough. Given the complexity of today's IT infrastructures, it has to be parsed, analyzed and turned into actionable insight that is used to harden security and keep systems, data and customer privacy safe from malicious actors.

Moving Ahead with DORA Compliance

DORA has applied across the EU since January 17, 2025, and any financial organization that does business in the region, along with the ICT third-party providers that serve it, needs to understand how the regulation affects it and its ability to operate across an increasingly complex digital landscape. Any breach or disruption to operations could be devastating, so it is important to work out how the new requirements apply to you. From there, you can take clear-cut steps to meet compliance and ensure operational and cyber resilience in an increasingly dangerous world.

To learn more, read the whitepaper How Bitdefender Supports DORA Regulation Compliance.

 

Author


Nicholas Jackson

Nicholas is an accomplished professional, currently serving as the Director of Cyber Operations at Bitdefender. In that capacity he is responsible for three services: Offensive Security, Security Advisory and Delivery Management. With an extensive cybersecurity background gained across globally recognized organizations, he brings a wealth of experience. His journey through diverse cybersecurity landscapes has given him a nuanced understanding of the field, making him a trusted leader in shaping robust and effective cybersecurity strategies.
