Regulation EU 2022/2554 – Digital Operational Resilience Act (DORA)

Regulation (EU) 2022/2554 is the legislation that defines the Digital Operational Resilience Act (DORA). This EU regulation was adopted on December 14, 2022, and takes effect on January 17, 2025. DORA aims to enhance the cybersecurity and operational resilience of the financial sector.

The DORA regulation establishes a comprehensive framework for financial institutions and critical third-party service providers to identify, manage and report ICT-related risks, including incident response, so as to ensure business continuity. DORA is a regulatory response to the growing operational risks experienced during the COVID-19 pandemic and to the cyber threats facing the financial industry.

Navigating the Regulation EU 2022/2554 DORA Regulation with FortifyData

Financial service providers are increasingly reliant on Information and Communication Technology (ICT) systems, and the disruptions experienced during the COVID-19 pandemic highlighted the need for a stronger digital ecosystem. However, this dependency also exposes them to a myriad of cyber risks and vulnerabilities. Recognizing the critical need for operational resilience in the financial sector, the European Union introduced the Digital Operational Resilience Act (DORA). This legislation mandates stringent requirements for financial entities, emphasizing the critical evaluation and management of ICT vendor risks.

Source: FortifyData DORA Questionnaire with Technical Control Auto-validation

In this blog post, we delve into the intricacies of EU Regulation 2022/2554 (DORA), its implications for financial service providers, and how FortifyData helps financial service providers and their ICT vendors with a gap analysis questionnaire that includes technical validation, together with ongoing continuous monitoring of both the financial service provider and its ICT vendors in a unified cyber risk management platform, to ensure cyber and operational resilience.

DORA regulation

For more detail, read What is the Digital Operational Resilience Act in a Nutshell, which defines the 5 pillars of DORA and the DORA RTS requirements:

  • ICT Risk Management and Governance: Implementing a framework to identify, assess, and mitigate ICT risks.
  • Incident Reporting and Management: Establishing processes for detecting, responding to, and recovering from ICT-related incidents.
  • Digital Operational Resilience Testing: Conducting regular testing of ICT systems and resilience measures.
  • Information Sharing: Encouraging collaboration and information sharing on cyber threats among financial institutions.
  • Oversight of Third Parties: Establishing and operationalizing the oversight framework for critical ICT providers, monitoring third-party risk, and governing the contractual provisions between financial institutions and ICT vendors.

Next Steps to Take to Meet Regulation EU 2022/2554 DORA Requirements

Many financial institutions and their critical ICT vendors are working through the requirements outlined by the 5 pillars of DORA and the DORA RTS established under the DORA regulation. In fact, we have analyzed EU Regulation 2022/2554 and produced a DORA compliance checklist.

Aligning Questionnaire Responses with Vulnerability Assessment Findings

FortifyData allows organizations to monitor their third-party vendors continuously, offering real-time visibility into cyber risks. With this platform, organizations can conduct in-depth cyber risk assessments of their vendors, including questionnaire management that correlates the technical findings to the applicable technical control questions on the questionnaire. This is known as auto-validation of a questionnaire, and it can quickly highlight discrepancies between a recipient's responses and the technical findings. This helps ensure third parties (service providers) meet the stringent requirements set by DORA.
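One way to implement the response-versus-findings cross-check described above, as an added illustrative example (this is not FortifyData's code; the control IDs, finding categories and sample data are constructed for the example):

```python
# Illustrative questionnaire auto-validation: flag controls a vendor claims to have
# in place ("Yes") that are contradicted by technical findings from a scan.
# Added example, not FortifyData's code. Control IDs, finding categories and
# sample data below are constructed (assumptions), not a real product schema.
from dataclasses import dataclass

# Constructed mapping: questionnaire control -> finding categories that contradict a "Yes".
CONTROL_TO_FINDINGS = {
    "TLS-01":   {"weak_tls_version", "expired_certificate"},  # "Internet-facing services enforce TLS 1.2+?"
    "PATCH-01": {"outdated_software", "critical_cve_open"},   # "Critical patches applied within SLA?"
    "MFA-01":   {"admin_portal_without_mfa"},                 # "MFA enforced on administrative interfaces?"
}


@dataclass
class Finding:
    category: str   # finding category as emitted by the scanner (constructed names)
    asset: str      # affected host or service
    severity: str   # scanner severity label


def auto_validate(responses, findings):
    """Cross-check questionnaire responses against technical findings.

    responses: {control_id: "Yes" | "No"} as answered by the vendor.
    findings:  list of Finding objects from the technical assessment.
    Returns {control_id: [contradicting Finding, ...]} for every control
    answered "Yes" that at least one finding contradicts. A "No" answer is
    an admitted gap, not a discrepancy, so it is never flagged here.
    """
    by_category = {}
    for f in findings:
        by_category.setdefault(f.category, []).append(f)
    discrepancies = {}
    for control, answer in responses.items():
        if answer.strip().lower() != "yes":
            continue  # only a claimed control can be contradicted by evidence
        hits = [f for cat in CONTROL_TO_FINDINGS.get(control, ()) for f in by_category.get(cat, [])]
        if hits:
            discrepancies[control] = hits
    return discrepancies


# Constructed sample input: one vendor questionnaire plus two scan findings.
SAMPLE_RESPONSES = {"TLS-01": "Yes", "PATCH-01": "Yes", "MFA-01": "No"}
SAMPLE_FINDINGS = [
    Finding("weak_tls_version", "vpn.vendor.example", "high"),
    Finding("admin_portal_without_mfa", "admin.vendor.example", "critical"),
]

if __name__ == "__main__":
    for control, hits in auto_validate(SAMPLE_RESPONSES, SAMPLE_FINDINGS).items():
        print(f"{control}: answered Yes but contradicted by", [(h.asset, h.category) for h in hits])
```

On the sample data only TLS-01 is reported: PATCH-01 has no contradicting finding, and MFA-01 was answered "No", so the MFA finding confirms the vendor's own answer rather than contradicting it.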

DORA compliance ICT third party portfolio assessment FortifyData

FortifyData has an interactive DORA questionnaire embedded within our platform (see the previous image further up in this post). This enables financial institutions and ICT providers to perform a gap analysis and meet the requirements of DORA, and it can act as a DORA compliance checklist to follow. FortifyData’s platform is designed to identify vulnerabilities, assess potential threats, and provide actionable insights to mitigate risks.

Additionally, client organizations subject to DORA can have a score that is impacted by third-party risk (as part of their overall security rating score), and client organizations can set up specific security rating scores for each vendor or group of vendors. This provides continuous monitoring of the third-party risk to the client organization. Clients can then choose to use the report that FortifyData produces for their third parties to send to ESA regulators for review.

Automating DORA Compliance with FortifyData

Source: FortifyData, Unified Exposure Management Dashboard

FortifyData automates continuous assessments of your organization and your third parties. This gives you up-to-date findings on the latest vulnerabilities, threats and risks facing your organization's attack surface, be it internal, external, cloud or third-party.

When it comes to complying with DORA, a platform like FortifyData helps meet requirements as identified in the DORA regulation.

Request a DORA gap assessment to look at your exposures and those of your ICT vendors with FortifyData.
