DORA Requirements

The Digital Operational Resilience Act (DORA) is a landmark piece of legislation designed to bolster the resilience of financial services entities and their third-party providers against Information and Communication Technology (ICT)-related disruptions and threats.

DORA, officially Regulation (EU) 2022/2554, sets out a stringent set of requirements that organizations must meet in order to comply. The key aspects of DORA, including its scope, requirements, and best practices for compliance as we’ve heard from regulators, legal experts and, of course, our clients, are described below.

What are the Requirements for DORA?

The requirements for DORA are categorized into five pillars. There’s no one-size-fits-all approach to DORA compliance. The specific actions a company needs to take will depend on factors such as their size, threat profile, risk tolerance and the type of ICT systems they use. The 5 pillars of DORA form the basis of a DORA compliance checklist that companies can follow.

1. ICT Risk Management:

• Companies need to establish a framework to identify, assess, and mitigate information and communication technology (ICT) risks, including the risks posed by ICT vendors. This includes conducting regular risk assessments, implementing controls to address identified risks, and having a plan for incident response.

2. ICT-related Incident Reporting:

• Companies must have processes in place to detect, report, and investigate ICT-related incidents. This includes having clear reporting channels, procedures for classifying incidents based on severity, and timely notification to relevant authorities.

3. Digital Operational Resilience Testing:

• Companies are required to conduct regular testing of their ICT systems and resilience measures. This testing should simulate various attack scenarios and assess the effectiveness of the controls in place, and is often referred to as

4. ICT Third-Party Risk Management:

• The regulation emphasizes the importance of managing risks associated with third-party ICT service providers. Companies need to conduct due diligence on third parties, have contractual agreements outlining security expectations, and monitor their performance.

5. Information Sharing:

• DORA encourages collaboration and information sharing on cyber threats among financial institutions. This can involve participating in industry forums, sharing threat intelligence, and conducting joint exercises.

Additionally, there are DORA regulatory technical standards (RTS) that further define activities for financial institutions and ICT vendors.

What are the DORA RTS to follow?

The DORA Regulatory Technical Standards (RTS) are a comprehensive set of standards to ensure that parties in the financial services sector can develop, manage and mitigate ICT risks that could negatively impact the continuous business operations of financial service providers.

The European Supervisory Authorities (ESAs) publish the DORA RTS and the implementing technical standards (ITS).

The DORA RTS published by the ESAs on their website include:

  • RTS and ITS on the content, format, templates and timelines for reporting major ICT-related incidents and significant cyber threats;
  • RTS on the harmonization of conditions enabling the conduct of the oversight activities;
  • RTS specifying the criteria for determining the composition of the joint examination team (JET); and
  • RTS on threat-led penetration testing (TLPT).

Below is some elaboration on threat-led penetration testing, also called red team penetration testing, based on what we hear from clients and our penetration testing partners.

Financial institutions and their ICT vendors could use threat-led penetration testing to meet DORA compliance.

DORA (Digital Operational Resilience Act) mandates that financial institutions and their third-party providers have robust cyber resilience capabilities. Threat-led penetration testing can help demonstrate compliance with the DORA RTS by:

  • Identifying vulnerabilities: In conjunction with the FortifyData platform, which conducts external and internal vulnerability assessments, vulnerabilities are identified so the security team can remediate them and reduce the exposures that the penetration testing firm might use as part of its test. Threat-led testing can uncover additional vulnerabilities that might be missed by traditional testing methods, providing a more comprehensive assessment of the organization’s security posture.
  • Simulating real-world attacks: By mimicking the tactics of known threat actors, threat-led testing can help organizations understand how their systems might be exploited and develop effective countermeasures.
  • Prioritizing risks: Also, in conjunction with the FortifyData platform, we allow asset classification, so any assessments we run will always produce a prioritized remediation list based on operational context and criticality to services. Threat-led testing allows organizations to focus on the vulnerabilities that pose the greatest risk to their operations, ensuring that their security efforts are aligned with their business objectives.
  • Demonstrating compliance: The results of threat-led penetration testing can be used as evidence of compliance with DORA’s requirements for risk assessment, resilience testing, and incident response.

What are the Requirements for DORA Incident Management?

Incident response considerations for the financial service organization and the related ICT vendors are a key callout of DORA and are included in the DORA compliance checklist. DORA requires organizations to have comprehensive incident management plans in place, including:

Incident response teams

Dedicated teams with the skills and resources to handle cyber incidents.

Communication protocols

Clear communication channels for internal and external stakeholders.

Business continuity plans

Strategies for maintaining critical operations during and after incidents.

Financial institutions will have to communicate via multiple levels of reports submitted to the ESAs: an initial report, an intermediate report and a final report. A synopsis of the reporting requirements from the RTS on Incident Reporting (PDF) follows.

The initial report provided by financial institutions on incident reporting shall be “submitted as early as possible within 4 hours from the moment of classification of the incident as major, but no later than 24 hours from the moment the financial entity has become aware of the incident” and consist of (Article 3):

a) incident reference code;

b) date and time of detection and classification of the incident;

c) description of the incident;

d) classification criteria that triggered the incident report as set out in Articles 1 to 8 of Delegated Regulation [insert number once published in official journal];

e) Member States impacted by the incident, where applicable;

f) information on how the incident has been discovered;

g) information about the origin of the incident, where available;

h) indication whether a business continuity plan has been activated;

i) information about the reclassification of the incident from major to non-major, where applicable; and

j) other information, where available.


The intermediate report provided by financial institutions on incident reporting shall be submitted “the latest within 72 hours from the submission of the initial notification even where the status or the handling of the incident have not changed as referred to in Article 19(4)(b) of Regulation (EU) 2022/2554. Financial entities shall submit without undue delay an updated intermediate report, in any case, when regular activities have been recovered” and shall consist of (Article 4):

a) incident reference code provided by the competent authority, where applicable;

b) date and time of occurrence of the incident;

c) date and time when regular activities have been restored, where applicable;

d) information about the classification criteria that triggered the incident report;

e) type of the incident;

f) threats and techniques used by the threat actor, where applicable;

g) affected functional areas and business processes;

h) affected infrastructure components supporting business processes;

i) impact on the financial interest of clients;

j) information about reporting to other authorities;

k) temporary actions/measures taken or planned to be taken to recover from the incident; and

l) information on indicators of compromise, where applicable.


The final report provided by financial institutions on incident reports shall be “submitted no later than one month from the submission of the latest updated intermediate report” and consist of (Article 5):

a) information about the root causes of the incident;

b) dates and times when the incident was resolved and the root cause addressed;

c) information on the incident resolution;

d) information relevant for resolution authorities, where applicable;

e) information about direct and indirect costs and losses stemming from the incident and information about financial recoveries; and

f) information about recurring incidents, where applicable.
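The three deadlines above (initial report within 4 hours of classification but no later than 24 hours after awareness; intermediate report within 72 hours of the initial notification; final report one month after the latest intermediate report) are the kind of clock an incident-response team tracks in its case tooling. The following is an added example, not part of the original page or the RTS text; the incident timestamps are constructed sample values, and the field and function names are this example’s own.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc

@dataclass
class MajorIncident:
    """Timestamps an incident-response team records for a DORA major incident (UTC)."""
    aware_at: datetime                      # entity became aware of the incident
    classified_major_at: datetime           # incident classified as major
    initial_submitted_at: Optional[datetime] = None
    latest_intermediate_at: Optional[datetime] = None
    final_submitted_at: Optional[datetime] = None

def add_one_month(t: datetime) -> datetime:
    """One calendar month later, clamped to the month's last day (31 Mar -> 30 Apr).
    The RTS says 'one month', not '30 days', so a fixed timedelta would be wrong."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)

def initial_report_deadline(inc: MajorIncident) -> datetime:
    """Article 3: within 4 h of classification as major, but never later than
    24 h after awareness. The earlier bound wins, so slow classification
    does not buy extra time."""
    return min(inc.classified_major_at + timedelta(hours=4),
               inc.aware_at + timedelta(hours=24))

def intermediate_report_deadline(inc: MajorIncident) -> datetime:
    """Article 4: at the latest 72 h after the initial notification was submitted."""
    if inc.initial_submitted_at is None:
        raise ValueError("initial report not yet submitted")
    return inc.initial_submitted_at + timedelta(hours=72)

def final_report_deadline(inc: MajorIncident) -> datetime:
    """Article 5: no later than one month after the latest updated intermediate report."""
    if inc.latest_intermediate_at is None:
        raise ValueError("intermediate report not yet submitted")
    return add_one_month(inc.latest_intermediate_at)

def overdue_report(inc: MajorIncident, now: datetime) -> Optional[str]:
    """Name of the next report whose deadline has passed with no submission
    recorded, or None if the entity is currently within its deadlines."""
    if inc.initial_submitted_at is None:
        return "initial" if now > initial_report_deadline(inc) else None
    if inc.latest_intermediate_at is None:
        return "intermediate" if now > intermediate_report_deadline(inc) else None
    if inc.final_submitted_at is None:
        return "final" if now > final_report_deadline(inc) else None
    return None

# Constructed sample: classification came 22 h after awareness, so the 24 h
# awareness bound, not the 4 h classification bound, sets the initial deadline.
SAMPLE = MajorIncident(
    aware_at=datetime(2025, 3, 1, 8, 0, tzinfo=UTC),
    classified_major_at=datetime(2025, 3, 2, 6, 0, tzinfo=UTC),
    initial_submitted_at=datetime(2025, 3, 2, 7, 30, tzinfo=UTC),
    latest_intermediate_at=datetime(2025, 3, 31, 9, 0, tzinfo=UTC),
)
# Constructed sample: fast classification, so the 4 h bound applies.
SAMPLE_FAST = MajorIncident(
    aware_at=datetime(2025, 3, 1, 8, 0, tzinfo=UTC),
    classified_major_at=datetime(2025, 3, 1, 9, 0, tzinfo=UTC),
)
```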

Who is Exempt from DORA?

First, let’s reiterate who DORA applies to. DORA applies to a wide range of financial services entities and their third-party providers.

DORA applies to: Financial institutions (banks, insurers, investment firms) and their critical third-party ICT service providers (cloud platforms, data analytics). Specifically, as identified in the final legislation:

“…this Regulation applies to the following entities:

(a) credit institutions;

(b) payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;

(c) account information service providers;

(d) electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;

(e) investment firms;

(f) crypto-asset service providers as authorised under a Regulation of the European Parliament and of the Council on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (‘the Regulation on markets in crypto-assets’) and issuers of asset-referenced tokens;

(g) central securities depositories;

(h) central counterparties;

(i) trading venues;

(j) trade repositories;

(k) managers of alternative investment funds;

(l) management companies;

(m) data reporting service providers;

(n) insurance and reinsurance undertakings;

(o) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;

(p) institutions for occupational retirement provision;

(q) credit rating agencies;

(r) administrators of critical benchmarks;

(s) crowdfunding service providers;

(t) securitisation repositories;

(u) ICT third-party service providers.”


Second, who is exempt from DORA? Certain entities may be exempt or subject to specific requirements. These exemptions can vary based on factors such as the size and nature of the organization. The regulation does not apply to:

“(a) managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU;

(b) insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC;

(c) institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total;

(d) natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU;

(e) insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises;

(f) post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU.”


How FortifyData Can Help Address the 5 Pillars of DORA Regulation

Operational resilience is not merely about compliance; it’s about securing the financial sector’s ability to withstand and quickly recover from ICT-related disruptions. FortifyData’s DORA Gap Analysis Questionnaire with Technical Validation empowers financial service providers to achieve this goal. By providing a detailed roadmap for compliance and resilience, FortifyData enables organizations to proactively identify and address vulnerabilities, implement robust controls, and foster a culture of continuous improvement, all parts of the DORA compliance checklist. This not only aligns with DORA’s objectives but also strengthens the financial sector’s overall resilience against cyber threats.

FortifyData's Solution to DORA Compliance Challenges

Recognizing the complexities and challenges of achieving DORA compliance, FortifyData has introduced an innovative solution: the DORA Gap Analysis Questionnaire with Technical Validation. This tool is specifically designed to guide financial service providers through a comprehensive assessment of their compliance with DORA requirements. The questionnaire covers a wide range of critical areas, from governance and risk management to incident reporting and ICT third-party risk management. By identifying gaps and areas of non-compliance, financial institutions can prioritize their efforts and implement necessary measures to enhance their operational resilience.

Technical Validation: The Assurance Your Organization Needs

What sets FortifyData’s DORA Gap Analysis Questionnaire apart is its technical validation feature. This process goes beyond mere self-assessment, providing an added layer of assurance. The technical validation assesses the effectiveness of the implemented controls and measures, ensuring they meet the rigorous standards set by DORA. It serves as a critical checkpoint, offering financial service providers the confidence that their operational resilience strategies are not only compliant but also effective in protecting against ICT risks and disruptions.


Streamlining Your DORA Compliance Journey

The journey toward DORA compliance can seem daunting, with its intricate requirements and the critical need for thorough ICT vendor management. However, FortifyData’s innovative solution simplifies this process, offering a structured approach to assessment and validation. Financial service providers can leverage the DORA Gap Analysis Questionnaire to gain a clear understanding of their compliance status, identify areas for improvement, and confidently navigate the complexities of DORA compliance. With technical validation providing the assurance of effective operational resilience measures, FortifyData’s solution is a crucial asset for any financial institution seeking to safeguard its operations in today’s digital world.

How to Be Compliant with DORA

Achieving DORA compliance requires a proactive and comprehensive approach. Organizations will want to consistently reference the DORA regulation PDF to ensure they incorporate all the requirements, the 5 pillars of DORA, the regulatory technical standards (RTS) and the incident response requirements. Key steps include:

  • Conduct a gap analysis: Assess the organization’s current state of resilience against DORA requirements.
  • Develop a compliance roadmap: Outline the steps necessary to achieve compliance.
  • Implement controls: Put in place the necessary controls and procedures.
  • Monitor and adapt: Continuously monitor the regulatory landscape and adapt strategies as needed.


For a detailed understanding of DORA requirements, refer to the official regulation document.

What are the Requirements of DORA?

The Digital Operational Resilience Act (DORA) imposes specific requirements on financial services entities and their third-party providers outlined in the DORA Regulation PDF and specifically in the DORA regulatory standards document, including:

  • Risk assessment: Conducting regular risk assessments to identify potential threats.
  • Resilience testing: Regularly testing resilience capabilities to identify vulnerabilities.
  • Incident response: Having robust incident response plans in place.
  • Information sharing: Collaborating with other organizations to share information about cyber threats.


This page covers the various aspects of the DORA requirements: the legislation, who DORA applies to, the DORA RTS on incident reporting and the DORA RTS on threat-led penetration testing (TLPT).

What Entities Does DORA Apply to?

The Digital Operational Resilience Act (DORA) applies to a wide range of financial services entities, including:

  • Banks
  • Insurance companies
  • Investment firms
  • Payment institutions
  • Electronic money institutions



What is DORA Compliance?

In essence, DORA seeks to protect consumers and maintain financial stability by ensuring that banks, insurers, and other financial institutions can withstand and recover from IT disruptions. It achieves this by:

  • Producing a standardized set of security rules across different EU countries.
  • Imposing strict standards for managing and mitigating ICT risks.
  • Enhancing incident reporting and response capabilities.
  • Achieving improved operational and cyber resilience for the financial services sector when all parties adhere to the regulation.


By establishing a common regulatory framework, DORA contributes to a more secure and stable financial system in the EU.

DORA compliance refers to the process of adhering to the requirements of the Digital Operational Resilience Act. This involves implementing robust controls, conducting regular testing, and maintaining effective governance. Many financial institutions and ICT third-party vendors can determine how they meet the requirements of DORA by undergoing a DORA Readiness Assessment.

To assess an organization’s readiness for DORA compliance, a thorough assessment should be conducted, covering areas such as:

  • Governance and oversight
  • Risk management
  • Resilience testing
  • Incident response
  • Information sharing


Compliance with DORA is essential for financial services entities and their third-party providers. By understanding the requirements and implementing effective strategies, organizations can enhance their resilience and protect against cyber threats.

Automate DORA Compliance Efforts and Cyber Risk Management with FortifyData

FortifyData cyber threat assessments are automated and continuous assessments of your organization, giving you up-to-date findings on the latest vulnerabilities, threats and risks facing your organization’s attack surface, be it internal, external, cloud or third-party. FortifyData automates many of the steps and processes, incorporates templates and consolidates the cyber threat assessment tool capabilities into one platform. Our assessments align with, and can supplement, annual threat assessments done by your team, external teams or consultants.


The FortifyData platform incorporates NIST Cyber Security Framework (CSF), NIST SP 800-30, NIST SP 800-53 and aligns with many other regulatory requirements for assessments, remediation and risk reporting. You will recognize their influence when it comes to assessing and analyzing the technological risks and vulnerabilities, ingesting additional security tool data sets and calculating threat likelihood and risk adjustment criteria within the platform.

Resources


Webinar: Reduce Cyber Risk with Next Generation Cyber Ratings

Understand why older cyber rating methods are not as effective, and see the benefits of next generation ratings in action.


FortifyScore Methodology

Discover the factors that the FortifyScore identifies, analyzes and calculates from the FortifyData platform assessments.


Webinar: Optimize Your Third Party Risk Management Program

Learn FortifyData’s approach to third party cyber risk management, which is based on live assessment data.


Next Generation Third Party Risk Management Whitepaper

Understand the benefit of using the next generation of Third Party Risk Management Platforms that provide more accurate intelligence.