Yes, DORA is mandatory.
Regulation EU 2022/2544, also known as the Digital Operational Resilience Act (DORA), is mandatory. The purpose of DORA is to strengthen the cybersecurity and operational resilience of the European financial sector by publishing a framework that helps participants in the financial ecosystem, including Information and Communications Technology (ICT) providers, reduce cyber and operational risks.
It’s a binding regulation for financial institutions and critical third-party service providers operating within the European Union. There are significant penalties for non-compliance with DORA along with potential regulatory actions.
What is mandatory in DORA regulation EU 2022/2544
- ICT Risk Management:
- Companies need to establish a framework to identify, assess, and mitigate information and communication technology (ICT) risks. This includes conducting regular risk assessments, implementing controls to address identified risks, and having a plan for incident response.
- ICT-related Incident Reporting:
- Companies must have processes in place to detect, report, and investigate ICT-related incidents. This includes having clear reporting channels, procedures for classifying incidents based on severity, and timely notification to relevant authorities.
- Digital Operational Resilience Testing:
- Companies are required to conduct regular testing of their ICT systems and resilience measures. This testing should simulate various attack scenarios and assess the effectiveness of controls in place.
- ICT Third-Party Risk Management:
- The regulation emphasizes the importance of managing risks associated with third-party ICT service providers. Companies need to conduct due diligence on third parties, have contractual agreements outlining security expectations, and monitor their performance.
- Information Sharing:
- DORA encourages collaboration and information sharing on cyber threats among financial institutions. This can involve participating in industry forums, sharing threat intelligence, and conducting joint exercises.
Learn more about the mandatory DORA requirements in our summary: What is DORA in a nutshell?
What are the penalties for DORA non-compliance?
DORA proposes to impose considerable financial penalties for non-compliance.
The penalties are meant to compel adherence to the regulation, designed for increased protection of the financial system.
Here are the potential penalties:
- Administrative Fines: Financial institutions can face fines of up to 10 million euros or 5% of their total annual turnover for serious infringements.
- Periodic Penalty Payments: In cases of ongoing non-compliance, companies may be subject to daily penalties of up to 1% of average daily global turnover for a maximum of six months.
- Additional Measures: Regulatory authorities can impose other sanctions, such as public reprimands, operational restrictions, or even withdrawal of authorization.
NOTE: the penalties applied will depend on the nature and extent of the non-compliance. These penalties, including the daily periodic payments, are designed to create a strong incentive for compliance so that financial institutions prioritize cybersecurity and operational resilience.
DORA RTS
The DORA Regulatory Technical Standards are a comprehensive set of standards intended to ensure that parties in the financial services sector can develop, manage and mitigate ICT risks that could negatively impact the continuous business operations of financial service providers.
The European Supervisory Authorities (ESAs) publish the DORA RTS and Implementing Technical Standards (ITS).
The DORA RTS published by the ESAs on their website include:
- RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats;
- RTS on the harmonization of conditions enabling the conduct of the oversight activities;
- RTS specifying the criteria for determining the composition of the joint examination team (JET); and
- RTS on threat-led penetration testing (TLPT).
How FortifyData helps with DORA mandatory requirements
Operational resilience is not merely about compliance; it’s about securing the financial sector’s ability to withstand and quickly recover from ICT-related disruptions. FortifyData empowers financial service providers to achieve this goal and addresses the DORA Regulatory Technical Standards (RTS) outcomes for the oversight of ICT activities, produces auditable materials for joint examinations, and provides the foundation for the TLPT component through our continuous external vulnerability assessments. We offer a DORA Gap Analysis service complete with external attack surface assessments of your ICT vendors, in addition to the applicable Questionnaire with Technical Validation.
By providing a detailed roadmap for compliance and resilience, FortifyData enables organizations to proactively identify and address vulnerabilities, implement robust controls, and foster a culture of continuous improvement. This not only aligns with DORA’s objectives but also strengthens the financial sector’s overall resilience against cyber threats. We can help.
What is DORA in a nutshell?
DORA seeks to protect consumers and maintain financial stability by ensuring that banks, insurers, and other financial institutions can withstand and recover from IT disruptions. It achieves this by:
- Producing a standardized set of security rules across different EU countries.
- Imposing strict standards for managing and mitigating ICT risks.
- Enhancing incident reporting and response capabilities.
- Improving operational and cyber resilience across the financial services sector, which is the program’s goal once all parties adhere to it.
By establishing a common regulatory framework, DORA EU contributes to a more secure and stable financial system in the EU.
Avoid those penalties for non-compliance. Reach out to schedule a demo with FortifyData and to perform a DORA gap analysis.