by Gorik Van den Bergh
From 17 January 2025, the European Digital Operational Resilience Act (DORA) will come into force for the financial sector. But what exactly is DORA, and what does it mean for your organization? And how does DORA relate to the NIS2 legislation?
DORA, or the Digital Operational Resilience Act, is a European regulation aimed at strengthening the digital resilience of financial organizations. The goal is to ensure the continuity of critical processes within these organizations by better managing IT risks and becoming more resilient to cyber threats.
DORA consists of three components: a regulation (level 1), technical standards (level 2), and guidelines (level 3). The development of technical standards and guidelines is divided into two phases. The first phase was submitted for approval to the European Commission in January 2024. The second phase was open for public consultation until March 4, 2024, and included standards for reporting serious ICT-related incidents and threat-led penetration testing (TLPT). This phase must be submitted to the European Commission by July 17, 2024.
DORA applies to a wide range of financial institutions, including:
Banks
Investment firms
Pension funds
Electronic money institutions
Insurance and reinsurance companies
Payment institutions
Crowdfunding service providers
DORA also applies to the ICT-related service providers of these financial institutions. The full scope of DORA can be found here.
DORA focuses on five core areas to improve cybersecurity:
ICT Risk Management
Organizations must implement a comprehensive ICT risk management framework with documented strategies and procedures.
Management, classification, and reporting of ICT incidents
An efficient incident response plan is required to quickly respond to cybersecurity incidents.
Testing digital operational resilience
Regular tests are mandatory to evaluate the effectiveness of security measures.
Management of third-party ICT risks
Financial entities must develop a strategy for managing ICT risks when using third-party services.
Information and intelligence sharing
DORA promotes collaboration and information exchange between financial institutions, IT service providers, and regulators.
In addition to DORA, the NIS2 Directive (Network and Information Security 2) is also in effect, aiming to improve the resilience of the EU infrastructure. Some financial institutions, such as banks, fall under both regulations. In such cases, DORA takes precedence as a 'lex specialis' when it imposes stricter requirements than the NIS2 legislation.
Financial penalties can be imposed for violations of DORA. The details of these penalties are determined by national authorities. Under NIS2, fines can reach up to 2% of global turnover. Both NIS2 and DORA allow for criminal prosecution of management members in cases of negligence. More information about NIS2 can be found here.
Although some information will only be available later in 2024, it is important for financial institutions to take as many steps as possible to prepare.
Map out which business services depend on which processes and systems, and what data they process.
Implement an ICT Risk Management Framework or evaluate your existing framework to comply with DORA.
Check if your current framework meets the new DORA requirements and identify any gaps.
Identify all your suppliers and third parties and develop a strategy to manage third-party ICT risks.
Ensure a mature incident management process that allows for timely response and reporting to regulators.
Implement a testing program for digital operational resilience that covers all critical IT systems and conducts regular tests.
By following these steps, your organization can prepare for DORA compliance and improve digital resilience. Ready to get started? Contact us today for more information and support in implementing DORA in your organization.
Vandelanotte can help you determine the extent to which the DORA legislation applies to your organization;
We can support you with software for digitizing and automating IT risk management;
We can conduct a gap analysis to assess the current level of cybersecurity and resilience;
We can assist you in implementing the necessary policies, procedures, and security controls to comply with DORA legislation.
Gorik Van den Bergh
Certified Information Systems Auditor Gorik.VandenBergh@vdl.be
Disclaimer
In our opinions, we rely on current legislation, interpretations and legal doctrine. This does not prevent the administration from disputing them or from changing existing interpretations.