DORA: The Digital Operational Resilience Act Explained

The Significance of DORA - Just a Matter of Compliance?

In an increasingly digitalized world, protection against cyber threats has become a crucial pillar for the smooth functioning of our society. To address this growing need, the European Parliament has expanded EU law with groundbreaking new cybersecurity regulations - the Digital Operational Resilience Act (DORA). Cybersecurity encompasses all measures necessary to protect network and information systems, their users, and all other persons affected by cyber threats.


What is DORA?

The Digital Operational Resilience Act, or DORA Regulation (2022/2554), came into force directly in all EU member states on January 17, 2023, without requiring transposition into national law. It becomes applicable from January 17, 2025. The regulation applies to almost all organizations in the financial sector.

DORA's objective is to standardize and enhance the cybersecurity level of the financial industry within the EU, strengthening the ability to withstand damage from cyber-attacks (resilience).


What does DORA mean for the financial sector?

Large banks and other financial sector companies have long maintained organizational processes and IT systems to increase security and resilience, allocating appropriate resources. However, particularly for small and medium-sized organizations, compliance with DORA's minimum legal requirements and accompanying standards often marks the beginning of a structured approach to cybersecurity and IT resilience. The DORA regulation provides a broad framework that helps bring previously unconsidered areas outside of IT (so-called "blind spots") into the focus of Information Security Management Systems (ISMS) for the first time. Cybersecurity is no longer just a technical IT issue but requires active participation from the entire organization - from technology through business processes and sales to executive management.

For those who must use resources effectively in the long term, it's advisable to focus on more than just compliance with laws and standards from the start. Compliance alone doesn't automatically guarantee protection against theft, manipulation, and publication of business-critical information or negative headlines with broad media coverage. For this reason, the legislator has based the requirements of the Digital Operational Resilience Act on a risk-based approach. Accordingly, affected institutions can decide on appropriate and proportionate technical, operational, and organizational measures, considering the probability of security incidents and their severity (including social and economic impacts).

This approach aims to promote the effective development of resilient systems rather than efficient compliance with rigid requirements. Effective information security controls don't slow down business but enable - like a car's brakes - faster and safer progress toward a digital future.


Who is affected by the Digital Operational Resilience Act?

DORA applies to all financial institutions (FIs) operating in the EU. Specifically, the regulation's direct scope includes (Article 2 Paragraph 1 DORA):

a. CRR credit institutions
b. Payment institutions
c. Account information service providers
d. E-money institutions
e. Investment firms
f. Crypto-asset service providers authorized under MiCAR and issuers of asset-referenced tokens
g. Central securities depositories
h. Central counterparties
i. Trading venues
j. Trade repositories
k. Alternative investment fund managers
l. Management companies
m. Data reporting service providers
n. Insurance and reinsurance companies
o. Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries
p. Institutions for occupational retirement provision
q. Credit rating agencies
r. Critical benchmark administrators
s. Crowdfunding service providers
t. Securitization repositories
u. ICT service providers

Organizations not directly falling into these categories but acting as suppliers or partners may be indirectly affected by DORA, as they can represent potential entry points for cyber-attacks.


Key Requirements and Obligations under DORA

Affected organizations must meet extensive cybersecurity requirements. These can be summarized in 5 main pillars:

  • ICT Risk Management: Under this pillar, management must ensure an appropriate framework is established to (among other things) adequately identify cybersecurity and business continuity risks and effectively mitigate them through appropriate measures.
  • ICT Incident Reporting: This involves the handling, classification, and reporting of ICT-related incidents. Organizations must be able to detect and handle threats in their ICT landscape promptly. Appropriate processes and procedures must be established to communicate with affected third parties and the competent authority. Reporting deadlines include initial notification within 24 hours of incident detection and a more detailed intermediate report within 72 hours.
  • Digital Resilience Testing: This defines requirements for periodic testing of systems and processes, including vulnerability assessments, penetration tests, and incident response process exercises or crisis drills.
  • Third Party Risk Management: To ensure resilience against digital disruptions and cyber risks, dependencies on external ICT service providers must be systematically managed. This focuses particularly on identifying critical third-party providers, implementing contractual and security-relevant standards, and continuous monitoring and risk management.
  • Threat Intelligence Sharing: To continuously improve situational awareness, voluntary information and intelligence sharing between financial institutions is encouraged. This is complemented by cross-sector crisis management and emergency exercises to improve communication and strengthen resilience in the financial sector.


DORA Regulation Timeline Overview

The Digital Operational Resilience Act entered into force on January 16, 2023, with a two-year implementation period. Important regulatory technical standards (RTS) and implementing technical standards (ITS) were published throughout 2024:

  • First Half 2024: Initial standards including ICT risk management, operational security, ICT incident classification, and ICT third-party risk management.
  • Second Half 2024: Additional standards including ICT incident reporting, resilience testing requirements, and sub-outsourcing agreement specifications.

The DORA implementation deadline is January 2025, by which time financial institutions should fully comply with all Digital Operational Resilience Act requirements.


A Possible Solution Approach

While DORA presents significant challenges for affected organizations, it also offers an opportunity to substantially improve cybersecurity. A holistic approach that extends beyond IT and provides risk-based decision-making foundations enables organizations to not only meet DORA requirements but also strengthen their resilience.

For practical implementation of this holistic approach, we recommend choosing a structured, regular, and self-improving process. Established cybersecurity standards, such as ISO 27001, offer a Plan-Do-Check-Act cycle for regularly executing the management system of policies, risk management, measures, and reviews. This helps identify weaknesses in processes and organizational and technical measures, deriving risks and improvement measures for the organization.

Since planning and implementing this management system requires significant additional effort, A1 Digital can support you with ‘CISO-as-a-Service’. Our Chief Information Security Officers (CISOs) have years of practical experience and current security-specific training to provide professional support. You can individually arrange whether the ‘CISOaaS’ handles all cybersecurity-related tasks or provides targeted support for specific issues – according to your wishes and budget.

In addition to our holistic CISOaaS, we offer advanced technical solutions and specific consulting services for implementing measures across all 5 DORA pillars:

ICT Risk Management:

  • Training concepts and cybersecurity training delivery for all relevant target groups (management, employees, special groups like system administrators, software developers)

ICT Incident Handling:

  • Incident response services from our partner Ikarus
  • Consulting on creating incident response processes and emergency plans

Operational Resilience Testing:

  • Threat-led penetration testing (TLPT)
  • Support in planning and conducting simulations to test incident and emergency processes

Third-Party Risk Management:

  • For DE → BSI cyber risk check according to DIN SPEC 27076
  • For AT → cyber risk rating A+ with independent audit by A1 Digital for critical suppliers

Threat Intelligence Sharing:

  • Offensity enhances your threat intelligence with automated security checks of web-based assets and account leakage monitoring, including individual security reports.

Other EU Cybersecurity Legislation

In addition to the Digital Operational Resilience Act, the EU legislator has enacted other cybersecurity regulations to promote cyber defense capabilities and combat cybercrime. These notably include:

  • EU NIS2 Directive: Requires member states to ensure an appropriate cybersecurity level for organizations significant to their economy and society.
  • EU Critical Entities Resilience Directive (CER Directive): Requires member states to identify critical entities and strengthen their physical resilience against threats such as natural hazards, terrorist attacks, or sabotage.
  • Cyber Resilience Act (CRA): Introduces mandatory cybersecurity requirements for products with digital elements.
  • AI Act: Defines security requirements for artificial intelligence (AI) solutions marketed in the EU.
  • EU Cybersecurity Act: Establishes an EU-wide certification system and a new, stronger mandate for the EU Agency for Cybersecurity (ENISA).

A1 Digital Welcomes DORA

A1 Digital views the DORA regulation as an important step toward increasing the overall level of cybersecurity in the EU. We help organizations understand their risks and actively drive their risk management measures. We develop solutions tailored to each organization's individual needs.