Jul 19, 2024
Cyber threats and general security risks in financial institutions (FIs) have soared recently. Much of this is due to the digital transformation of the industry. New financial paradigms, such as open finance, accessible banking data (open banking), and richer customer-bank interactions, have widened the attack surface. The IMF's Global Financial Stability Report 2024 confirms this: "Against a backdrop of growing digitalization, evolving technologies, and rising geopolitical tensions, cyber risks are on the rise." The EU has responded to this growing risk by creating a new regulation, DORA (Regulation (EU) 2022/2554, the Digital Operational Resilience Act).
What is DORA?
The EU’s Digital Operational Resilience Act provides guidelines for mitigating ICT-related cyber-risks in the financial services sector. Article 114 of the Treaty on the Functioning of the European Union (TFEU) forms the legal basis for DORA.
The Digital Operational Resilience Act is intended to make the ecosystem behind financial services cyber-resilient. DORA requires financial service companies to identify cyber weaknesses and implement protective measures against those vulnerabilities. DORA takes a risk-based approach, requiring annual testing of critical ICT systems and applications. Demonstrating compliance with DORA requires yearly assessments, which are carried out through both on-site and off-site inspections. DORA inspectors require documented evidence, such as ICT service documentation, incident reporting logs, and cyber-risk mitigation measures.
The DORA regulation is based on a framework of five core pillars to create a healthy risk-management process.
Five pillars of DORA
Pillar one: ICT risk management
The fundamental pillar of DORA is ICT-related risk management. Covered entities must identify risks associated with their ICT systems. A risk management plan must incorporate business continuity and recovery policies, as well as communication strategies. Security controls for critical assets must be reflected in the risk management process.
Pillar two: ICT incident management and reporting
DORA requires a covered entity to have mechanisms in place to identify, classify, and report incidents. Major ICT-related incidents must be promptly reported to competent authorities. Reporting under DORA is harmonized through an EU hub. This centralized governance layer will collect reports of major ICT-related events affecting financial services. A 2023 DORA consultation established the reporting process for any significant ICT incident as follows:
Initial report within four hours from the moment of classification of the incident as major, but no later than 24 hours from the time of detection of the incident.
Intermediate report within 72 hours from the classification of the incident as major, or when regular activities have been recovered and business is back to normal.
Final report no later than one month from the classification of the incident as "major."
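The three deadlines above interact: the initial report runs from the moment of classification but is capped by the detection clock, and the intermediate report can come forward if the business recovers early. The following calculator is an added illustration of that logic and is not code from the article or from any regulator; it assumes timezone-aware UTC timestamps, reads "one month" as the same calendar day in the following month (clamped to that month's last day), and treats a supplied recovery time as bringing the intermediate deadline forward.

```python
"""Deadline calculator for the DORA major-incident reporting timeline.

Added illustration, not from the article. Assumptions (mine, not stated
in the text):
  - all timestamps are timezone-aware UTC datetimes
  - "one month" means the same calendar day in the next month, clamped
    to that month's last day (31 Jan -> 28/29 Feb)
  - the intermediate report is due at the earlier of 72h after
    classification and the moment normal operations were recovered
"""
from datetime import datetime, timedelta, timezone
from typing import Optional
import calendar

UTC = timezone.utc


def add_one_month(ts: datetime) -> datetime:
    """Same day next month, clamped to the last day of that month."""
    year = ts.year + (1 if ts.month == 12 else 0)
    month = 1 if ts.month == 12 else ts.month + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(detected: datetime, classified_major: datetime,
                        recovered: Optional[datetime] = None) -> dict:
    """Return the three DORA report deadlines for one major incident.

    detected          when the incident was first detected
    classified_major  when the entity classified it as major
    recovered         when regular activities were restored (optional)
    """
    if classified_major < detected:
        raise ValueError("an incident cannot be classified before it is detected")

    # Initial report: 4h after classification, but never later than 24h
    # after detection. The detection clock caps slow classification.
    from_classification = classified_major + timedelta(hours=4)
    from_detection = detected + timedelta(hours=24)
    initial = min(from_classification, from_detection)

    # Intermediate report: 72h after classification, or earlier if the
    # business is already back to normal.
    intermediate = classified_major + timedelta(hours=72)
    if recovered is not None and recovered < intermediate:
        intermediate = recovered

    # Final report: one month after classification.
    final = add_one_month(classified_major)

    return {
        "initial": initial,
        "initial_capped_by_detection": from_detection < from_classification,
        "intermediate": intermediate,
        "final": final,
    }


if __name__ == "__main__":
    # Constructed sample incident: detected early morning, classified as
    # major 22 hours later, so the 24h-from-detection cap binds.
    detected = datetime(2025, 3, 1, 8, 0, tzinfo=UTC)
    classified = datetime(2025, 3, 2, 6, 0, tzinfo=UTC)
    for name, value in reporting_deadlines(detected, classified).items():
        print(f"{name:28} {value}")
```

The `initial_capped_by_detection` flag is worth surfacing in an incident tracker: when it is true, the team's classification step took most of the 24-hour window, which is itself a process finding to review after the incident.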
Pillar three: Digital Operational Resilience Testing
Regular testing of digital operational resilience is a requirement under DORA. This type of testing is commonly known in the financial sector as "Threat-Led Penetration Testing" (TLPT). However, DORA broadens the scope of the testing. DORA Article 25 lists additional test types, including vulnerability assessments and scans, open-source analyses, network security assessments, performance testing, and penetration testing.
Pillar four: Information and threat intelligence sharing
DORA actively encourages the sharing of security intelligence within the financial services sector. This information includes current and emerging threats, effective mitigative measures, and operational tactics.
Pillar five: ICT third-party risk management
The classification of ICT Critical Third-Party Providers (CTPPs) is essential to DORA compliance. Article 31 of DORA provides the criteria for assessing critical ICT third-party service providers.
DORA penalties for non-compliance
Non-compliance with DORA can result in substantial fines. Fine amounts are based on the severity of the DORA violation:
Financial institutions can be fined up to 2% of their total annual worldwide turnover — or up to 1% of the average daily turnover worldwide.
Individuals can face fines of up to EUR 1,000,000.
Critical third-party ICT service providers can risk fines of up to EUR 5,000,000, or EUR 500,000 for individuals.
European Supervisory Authorities (ESAs) have the authority to issue penalties.
DORA timeline
On 24 September 2020, DORA was released as a draft.
On 10 September 2022, the European Parliament ratified DORA.
DORA entered into force on 16 January 2023.
DORA takes effect on 17 January 2025.
Organizations covered under DORA regulation
DORA is a legislative measure that applies to financial services organizations across all EU member states, and to their associated critical ICT providers. DORA follows in the harmonization footsteps of GDPR. In the case of DORA, harmonization focuses on consolidating and upgrading ICT risk management in financial services. The Digital Operational Resilience Act requires financial firms to protect against ICT-related risks. DORA requirements extend to third parties, such as cloud providers.
Covered entities under DORA include the following:
Credit institutions
Payment institutions
Electronic money institutions
Investment firms
Crypto-asset service providers
Alternative investment funds
Insurance managers
ICT providers servicing covered entities
See Article 2 of DORA for details of all covered entities.
How does DORA affect non-European companies?
Non-European companies are also subject to regulation under DORA. A non-EU-based ICT service provider that is designated as critical to a DORA-covered entity must establish a subsidiary within the EU.
How does identity and access management (IAM) fit with DORA?
Identity and access management (IAM) is a fundamental security control that helps ensure DORA compliance. Financial institutions need to oversee data access and authorization events. An FI must classify risks, approve controls, and demonstrate implementation of the DORA risk-management framework. Robust identity management provides the rails to ensure sensitive information is accessible only by the right person, at the right time, using the right device. Elements of identity management that help meet DORA's risk management framework include:
ICT risk management relies on robust access and authorization to sensitive data. Identity solutions, such as Privileged Access Management (PAM) tools, enforce least privilege access on a need-to-know basis. IAM tools, like PAM, govern access by ICT suppliers and can be used to modify access rights based on variables such as risk factors.
IAM tools audit access events and provide visibility across systems. Comprehensive, identity-enabled audits are used to generate reports to meet the reporting requirements of DORA. If an incident occurs, a report can be quickly generated in preparation for incident reporting under DORA rules.
Adaptive and risk-based authentication measures provided by IAM tools mitigate the risks of unauthorized access. Measures such as MFA and risk-based access align with DORA’s risk-based approach to security.
IAM tools provide a mechanism to extend identity controls to third-party ICT suppliers. Enforcing authentication and authorization across the network boundary helps ensure that supply chain risks are mitigated.
Third-party risk management under DORA
The ENISA 2023 Threat Landscape report highlights how cybercriminals exploit employees to gain entry into the enterprise. These employees are not only those directly employed by a parent company. The supply chain, too, is becoming a go-to source of entry points for hackers, as evidenced by the 724% increase in supply chain attacks since 2019.
DORA is concerned with the financial sector, but the scope of the legislation also covers ICT suppliers, i.e., third-party vendors. This reflects the severe threat to the financial sector from the supply chain. The scope of covered entities in DORA is wide and includes cloud services, data analytics services, and data center services.
DORA Article 6, titled "ICT risk management framework," guides the development of an effective ICT risk management framework. This framework is a crucial component of overall risk management under DORA. Article 6 further emphasizes the importance of addressing ICT risk promptly, efficiently, and comprehensively. It also provides a comprehensive list of measures to incorporate into this framework, including "adequate" protection of data from damage and from unauthorized access or use.
DORA requires adherence to full vendor lifecycle management. In practice, this means that any third party is taken through a process that includes onboarding, risk assessments, continuous monitoring, and robust exit strategies. DORA requires that third-party vendors are subject to:
Pre-contractual assessments to determine business viability, alignment with company goals, criticality in line with DORA requirements, and due diligence.
Contracts that reflect DORA compliance, including audit and security requirements.
Ongoing monitoring of third-party vendors. Tools such as privileged access management (PAM) and automation tools for identity security should be used to ensure visibility and enforce security.
Post-contract obligations, such as termination clauses and exit strategies that ensure data security, including effective and swift de-provisioning to protect data against unauthorized access.
DORA, NIS 2, and FiDA
The EU has several overlapping pieces of legislation that impact the financial sector (and others). The NIS2 Directive provides guidelines and best practices that help critical infrastructure operators prevent modern cyber-attacks. DORA also acts to de-risk cybersecurity and improve the operational resilience of financial services. However, NIS2's scope is broader than DORA's, which focuses on the financial sector and specifically addresses ICT risks.
In 2023, the EU proposed a framework for Financial Data Access (FiDA). FiDA takes a customer-centric view and provides guidelines to mitigate the risks associated with new financial-customer interfaces brought about by technology changes, including open banking. FiDA fits within the broader European strategy for data and data sharing within the financial and other sectors. FiDA sets out new data access rights for data not previously covered by other EU legislation. DORA documentation says this about FiDA:
"Important note for experts implementing the Digital Operational Resilience Act (DORA).
If implementing DORA, you must monitor the developments around the proposed Financial Data Access (FiDA) regulation."
DORA, SOC 2, and ISO 27001
DORA has a broader scope than ISO 27001, which focuses on information security management. Where ISO 27001 is a general standard for information security, DORA applies explicitly to the financial service sector and its critical ICT suppliers. Incident response and reporting are core elements of DORA that can benefit from the ISO 27001 framework. The work done in ISO 27001 compliance to create an Information Security Management System (ISMS) can be reused to develop DORA cyber resilience requirements.
DORA implementation can benefit from a SOC 2 report to demonstrate compliance with ICT system security.