GDPR & Cybersecurity
30 July 2024

How to prepare for the Digital Operational Resilience Act (DORA)

by Gorik Van den Bergh

From 17 January 2025, the European Digital Operational Resilience Act (DORA) will come into force for the financial sector. But what exactly is DORA and what does it mean for your organisation? And how does DORA relate to NIS2 legislation?

What is DORA?

DORA, or the Digital Operational Resilience Act, is a European regulation aimed at strengthening the digital resilience of financial organizations. The goal is to ensure the continuity of critical processes within these organizations by better managing IT risks and becoming more resilient to cyber threats.

DORA consists of three components: a regulation (level 1), technical standards (level 2), and guidelines (level 3). The development of technical standards and guidelines is divided into two phases. The first phase was submitted for approval to the European Commission in January 2024. The second phase was open for public consultation until March 4, 2024, and included standards for reporting serious ICT-related incidents and threat-led penetration testing (TLPT). This phase must be submitted to the European Commission by July 17, 2024.

Who is DORA for?

DORA applies to a wide range of financial institutions, including:

  • Banks

  • Investment firms

  • Pension funds

  • Electronic money institutions

  • Insurance and reinsurance companies

  • Payment institutions

  • Crowdfunding service providers

DORA also applies to the ICT-related service providers of these financial institutions. The full scope of DORA can be found here.

Core pillars

DORA focuses on five core areas to improve cybersecurity:

  1. ICT Risk Management
    Organizations must implement a comprehensive ICT risk management framework with documented strategies and procedures.

  2. Management, classification, and reporting of ICT incidents
    An efficient incident response plan is required to quickly respond to cybersecurity incidents.

  3. Testing digital operational resilience
    Regular tests are mandatory to evaluate the effectiveness of security measures.

  4. Management of third-party ICT risks
    Financial entities must develop a strategy for managing ICT risks when using third-party services.

  5. Information and intelligence sharing
    DORA promotes collaboration and information exchange between financial institutions, IT service providers, and regulators.


Relationship between DORA and NIS2

In addition to DORA, the NIS2 Directive (Network and Information Security 2) is also in effect, aiming to improve the resilience of the EU infrastructure. Some financial institutions, such as banks, fall under both regulations. In such cases, DORA takes precedence as a 'lex specialis' when it imposes stricter requirements than the NIS2 legislation.

Sanctions

Financial penalties can be imposed for violations of DORA. The details of these penalties are determined by national authorities. Under NIS2, fines can reach up to 2% of global turnover. Both NIS2 and DORA allow for criminal prosecution of management members in cases of negligence. More information about NIS2 can be found here.

What steps can you already take?

Although some information will only be available later in 2024, it is important for financial institutions to take as many steps as possible to prepare.

Step 1: Understand processes and systems

Map out which business services depend on which processes and systems, and what data they process.

Step 2: Identify ICT risks

Implement an ICT Risk Management Framework or evaluate your existing framework to comply with DORA.

Step 3: Conduct a 'Gap Assessment'

Check if your current framework meets the new DORA requirements and identify any gaps.

Step 4: Manage third-party risks

Identify all your suppliers and third parties and develop a strategy to manage third-party ICT risks.

Step 5: Establish a mature incident management process

Ensure a mature incident management process that allows for timely response and reporting to regulators.

Step 6: Implement a solid testing program

Implement a testing program for digital operational resilience that covers all critical IT systems and conducts regular tests.

By following these steps, your organization can prepare for DORA compliance and improve digital resilience. Ready to get started? Contact us today for more information and support in implementing DORA in your organization.

  • Vandelanotte can help you determine the extent to which the DORA legislation applies to your organization;

  • We can support you with software for digitizing and automating IT risk management;

  • We can conduct a gap analysis to assess your current level of cybersecurity and resilience;

  • We can assist you in implementing the necessary policies, procedures, and security controls to comply with DORA legislation.
