The Digital Operational Resilience Act (DORA) Regulation Summary

DORA represents a landmark legislative framework, Regulation (EU) 2022/2554 of the European Parliament and of the Council, designed to bolster the operational resilience of the financial sector against Information and Communication Technology (ICT)-related disruptions and threats. It consolidates and standardizes previous EU regulations, setting out rigorous requirements for financial entities to identify, assess, mitigate, and report ICT risks. A pivotal aspect of DORA is its comprehensive coverage, encompassing not only financial institutions themselves but also their critical third-party ICT service providers.

See FortifyData’s dashboards and how we help as part of the DORA compliance checklist further down in this article.

We offer a complimentary cyber risk assessment on your organization to show you the power of our data. Or, you can jump straight to a demo.

What is the purpose of DORA? It requires financial institutions and critical third-party providers to implement a comprehensive framework for managing operational risks related to information and communication technology (ICT).

Here’s a breakdown of DORA’s key points:

Applies to: Financial institutions (banks, insurers, investment firms) and their critical third-party ICT service providers (cloud platforms, data analytics).

Focuses on the 5 pillars of DORA:

  • ICT Risk Management and Governance – Implementing a framework to identify, assess, and mitigate ICT risks.
  • Incident Reporting and Management – Establishing processes for detecting, responding to, and recovering from ICT-related incidents.
  • Digital Operational Resilience Testing – Conducting regular testing of ICT systems and resilience measures.
  • Information Sharing – Encouraging collaboration and information sharing on cyber threats among financial institutions.
  • Oversight of Third Parties – Establishing and operationalizing an oversight framework for critical ICT providers, monitoring third-party risk, and governing the contractual provisions between financial institutions and ICT vendors.

This holistic approach ensures that the entire financial ecosystem maintains a high standard of digital operational resilience. Interested readers can find the DORA regulation PDF (Regulation (EU) 2022/2554) on the European Union Law website.

DORA Timeline and Milestones Summary

  • January 16, 2023 – DORA enters into force
  • June 23, 2023 – End of the public consultation and call for advice on criticality criteria and fees
  • September 11, 2023 – End of public consultation on the first batch of policy products
  • September 30, 2023 – Call for advice on criticality criteria and fees
  • January 17, 2024 – Delivery of the first batch of policy documents
  • March 4, 2024 – End of consultation on the second batch of policy products; joint feedback from the ESAs’ stakeholder groups and results of the public consultation on the second batch of DORA policy mandates
  • July 17, 2024 – Delivery of the second batch of policy documents
  • January 17, 2025 – Date of application of DORA (i.e. DORA goes into effect; financial institutions and ICT providers are ‘in scope’ for DORA compliance from this date)
  • Ongoing from the date of application – Start of oversight activities by the ESAs

Navigating DORA Regulation Compliance with FortifyData

Financial service providers are increasingly reliant on Information and Communication Technology (ICT) systems, and the disruptions experienced during the COVID-19 pandemic highlighted the need for a stronger digital ecosystem. This dependency also exposes them to a myriad of cyber risks and vulnerabilities. Recognizing the critical need for operational resilience in the financial sector, the European Union introduced the Digital Operational Resilience Act (DORA). This legislation mandates stringent requirements for financial entities, emphasizing the evaluation and management of ICT vendor risks.

In this post, we look at DORA, its implications for financial service providers, and how FortifyData’s DORA Gap Analysis Questionnaire with Technical Validation offers a streamlined path to compliance and enhanced operational resilience.

Assessing ICT Vendor Risks under DORA

Is DORA mandatory? Yes, the European Union legislation requires financial entities to comply with DORA from January 17, 2025.

Institutions and ICT vendors will have had roughly two years, counting from the finalization of the policy documents, to work out how they will cooperate to meet the requirements. DORA places a significant emphasis on the management of ICT vendor risks. Financial service providers must conduct thorough due diligence and continuously monitor the performance and compliance of their ICT vendors.

This involves evaluating the vendors’ capabilities to manage and respond to ICT risks, including their incident reporting procedures, data security measures, and business continuity plans. The act mandates the establishment of contractual agreements that reflect these stringent requirements, ensuring that vendors play their part in safeguarding the operational resilience of the financial sector.

FortifyData's Solution to DORA Compliance Challenges

Recognizing the complexities and challenges of achieving DORA compliance, FortifyData has introduced an innovative solution: the DORA Gap Analysis Questionnaire with Technical Validation. This tool is specifically designed to guide financial service providers through a comprehensive assessment of their compliance with DORA requirements. The questionnaire covers a wide range of critical areas, from governance and risk management to incident reporting and ICT third-party risk management. By identifying gaps and areas of non-compliance, financial institutions can prioritize their efforts and implement necessary measures to enhance their operational resilience.

Technical Validation: The Assurance Your Organization Needs

What sets FortifyData’s DORA Gap Analysis Questionnaire apart is its technical validation feature. This process goes beyond mere self-assessment, providing an added layer of assurance. The technical validation assesses the effectiveness of the implemented controls and measures, ensuring they meet the rigorous standards set by DORA. It serves as a critical checkpoint, offering financial service providers the confidence that their operational resilience strategies are not only compliant but also effective in protecting against ICT risks and disruptions.

Enhancing Operational Resilience with FortifyData

Operational resilience is not merely about compliance; it’s about securing the financial sector’s ability to withstand and quickly recover from ICT-related disruptions. FortifyData’s DORA Gap Analysis Questionnaire with Technical Validation empowers financial service providers to achieve this goal. By providing a detailed roadmap for compliance and resilience, FortifyData enables organizations to proactively identify and address vulnerabilities, implement robust controls, and foster a culture of continuous improvement. This not only aligns with DORA’s objectives but also strengthens the financial sector’s overall resilience against cyber threats.

Streamlining Your DORA Compliance Journey

The journey toward DORA compliance can seem daunting, with its intricate requirements and the critical need for thorough ICT vendor management. However, FortifyData’s innovative solution simplifies this process, offering a structured approach to assessment and validation. Financial service providers can leverage the DORA Gap Analysis Questionnaire to gain a clear understanding of their compliance status, identify areas for improvement, and confidently navigate the complexities of DORA compliance. With technical validation providing the assurance of effective operational resilience measures, FortifyData’s solution is a crucial asset for any financial institution seeking to safeguard its operations in today’s digital world.

What are the penalties for DORA non-compliance?

DORA provides for considerable financial penalties for non-compliance.

The penalties are meant to compel adherence to the regulation and are designed to increase protection of the financial system.

Here are the potential penalties:

  • Administrative Fines: Financial institutions can face fines of up to 10 million euros or 5% of their total annual turnover for serious infringements.
  • Periodic Penalty Payments: In cases of ongoing non-compliance, companies may be subject to daily penalties of up to 1% of average daily global turnover for a maximum of six months.
  • Additional Measures: Regulatory authorities can impose other sanctions, such as public reprimands, operational restrictions, or even withdrawal of authorization.

NOTE: the penalties will depend on the nature and extent of the non-compliance. DORA uses these penalties, including the daily penalty payments, as a strong incentive to ensure that financial institutions prioritize cybersecurity and operational resilience.

DORA Compliance Checklist

The Digital Operational Resilience Act is a mandatory regulatory framework for financial entities and information and communications technology vendors to implement. The DORA compliance checklist below outlines the actions to take to achieve DORA compliance.

1. Scope Determination:

Identify whether your organization falls within the scope of DORA, as outlined in Article 2. Are you a financial institution or an ICT third-party vendor?


2. Gap Analysis:

Conduct a DORA maturity assessment to identify the gaps in ICT systems that are non-compliant with DORA requirements.

Begin continuously monitoring ICT risks with third-party risk assessments.

How FortifyData helps with DORA gap analysis assessments

The FortifyData platform has an embedded DORA questionnaire with these checklist items and compliance requirements. You can respond, upload evidence and begin the continuous technical assessments which are tied to appropriate questions for auto-validation of the technical control.

FortifyData automates compliance mapping and reporting for financial institutions and third-party ICT vendors.

3. Remediation Plan:

Develop a roadmap to address compliance gaps, based on the findings of the gap analysis.

How FortifyData helps with remediation efforts

FortifyData automatically provides remediation recommendations for technical and asset-based findings. The FortifyData platform also supports workflow communications with team members and other technology systems (GRC, SIEM) for additional remediation management automation.

[Screenshot: DORA compliance questionnaire, section 6, ICT third-party risk, in the FortifyData platform]

4. Identify and Manage Critical Third-Party ICT Providers:

Identify third-party ICT providers deemed critical under Article 31 and ensure their compliance with DORA.

How FortifyData helps ICT vendor management

[Screenshot: DORA compliance ICT third-party portfolio assessment in the FortifyData platform]

The FortifyData platform assesses ICT vendors and lets you:

  • Find, track and continuously assess their attack surface
  • Monitor their compliance with the DORA questionnaire and their gaps
  • Track changes in their security posture over time
  • Compare them to other ICT vendors and industry benchmarks
  • Receive alerts when ICT vendors fall below a monitoring threshold

5. Threat-Led Penetration Testing (TLPT):

Implement a TLPT framework as required by Article 26, meeting the following criteria:

  • Use an approved framework (e.g., TIBER-EU)
  • Include critical functions of the financial entity
  • Define the scope and obtain approval from competent authorities
  • Conduct testing on live production systems
  • Perform testing every three years or as needed based on risk assessment
  • Document findings, corrective actions, and compliance with requirements

FortifyData’s continuous external attack surface and internal vulnerability assessments can help any financial institution or ICT vendor be better prepared for threat-led penetration testing. Our assessments perform the reconnaissance and identification steps, but not the exploitation. With a good risk-based vulnerability management program in place, more advanced threat scenarios can then be tested during your TLPT exercise.

FortifyData can also recommend Penetration Testing partners that focus on red teaming or threat led penetration tests.


6. Incident Response Plan:

Establish an ICT incident management process as per Article 17, including:

  • Early warning indicators
  • Incident identification, tracking, and classification
  • Roles and responsibilities
  • Communication and notification procedures
  • Reporting of major incidents to senior management


7. Continuous ICT Monitoring:

Monitor ICT systems continuously to identify risks as specified in Article 8, including:

  • Identifying and documenting ICT assets and dependencies
  • Assessing cyber threats and vulnerabilities
  • Performing additional risk assessments for major changes
  • Maintaining inventories of information assets and third-party dependencies
  • Regularly assessing legacy ICT systems

How FortifyData helps with continuous ICT monitoring

The FortifyData platform was developed to conduct continuous cyber threat assessments of the external attack surface of vendors, in the same way a threat actor would. By continuously monitoring external exposures – weekly, monthly, or at another client-defined interval – and translating them into an ongoing security rating score, it gives you and your ICT partner the intelligence needed to stay ahead of threat actors and to spot exposures that could put the resilience of your financial services at risk.

8. Board Responsibilities:

Ensure that the board of directors and executive management fulfill their responsibilities under Article 5, including:

  • Setting security policies
  • Defining governance arrangements
  • Approving digital resilience strategy
  • Reviewing ICT plans and third-party services
  • Allocating resources for ICT security and training

How FortifyData helps with Board Responsibilities

FortifyData provides simple and clear reporting that can be shared with Board members and with auditing or oversight bodies. It communicates your ICT vendor oversight program simply and effectively, with options for granular reports on each ICT vendor or comparison reports across ICT vendors, in support of meeting DORA requirements.

FortifyData is specifically suited to help your organization automate and meet DORA compliance requirements. Schedule a demo to learn how you can simplify and automate your DORA regulations compliance journey.

As the financial sector continues to navigate the challenges of digital operational resilience, the importance of DORA compliance cannot be overstated. With FortifyData’s DORA Gap Analysis Questionnaire with Technical Validation, financial service providers have a powerful tool at their disposal to assess, manage, and enhance their operational resilience. By embracing this solution, organizations can not only meet the stringent requirements of DORA but also fortify their defenses against the ever-evolving landscape of cyber threats. We can support your DORA compliance efforts through gap analysis for financial institutions and through continuous monitoring of the cyber risks of ICT vendors.

Automate DORA Compliance Efforts and Cyber Risk Management with FortifyData

FortifyData cyber threat assessments are automated and continuous assessments of your organization, giving you up-to-date findings on the latest vulnerabilities, threats and risks facing your attack surface, be it internal, external, cloud or third-party. FortifyData automates many of the steps and processes, incorporates templates and consolidates the capabilities of a cyber threat assessment tool into one platform. Our assessments align with, and can supplement, annual threat assessments done by your team, external teams or consultants.

The FortifyData platform incorporates the NIST Cybersecurity Framework (CSF), NIST SP 800-30 and NIST SP 800-53, and aligns with many other regulatory requirements for assessments, remediation and risk reporting. You will recognize their influence in how the platform assesses and analyzes technological risks and vulnerabilities, ingests additional security tool data sets, and calculates threat likelihood and risk adjustment criteria.

Get a cyber threat assessment with FortifyData.

Resources


Webinar: Reduce Cyber Risk with Next Generation Cyber Ratings

Understand why older cyber rating methods are not as effective, and see the benefits of next generation ratings in action.

FortifyScore Methodology

Discover the factors that the FortifyScore identifies, analyzes and calculates from the FortifyData platform assessments.


Webinar: Optimize Your Third Party Risk Management Program

Learn FortifyData’s approach to third party cyber risk management, which is based on live assessment data.


Next Generation Third Party Risk Management Whitepaper

Understand the benefit of using the next generation of Third Party Risk Management Platforms that provide more accurate intelligence.