What is DORA? The Digital Operational Resilience Act Explained

DORA is a regulation that enhances the operational resilience of information and communication technology (ICT) and third-party providers in the EU financial sector.

The Digital Operational Resilience Act, also known as DORA, is a pivotal EU regulation designed to enhance the operational resilience of digital systems that support financial institutions operating in European markets, with a comprehensive focus on risk management, incident response, and governance.


DORA regulations fortify mainframe operations and ensure resilience to shield your organization from financial penalties and reputational risks.

With new regulations like the Digital Operational Resilience Act (DORA) in Europe, resilience is now a legal mandate. The conclusion is clear: Operations teams must rise to the challenge of modern mainframe resilience.

Jason Bloomberg

Intellyx | Founder & Principal Analyst

Provided for informational purposes only. This information should not be considered legal advice and may not reflect the latest legal, regulatory, or compliance developments. Always consult with counsel or qualified legal professionals, and/or the relevant authorities.

What you need to know about DORA

  • The Digital Operational Resilience Act timeline started with formal adoption by the Council of the European Union and the European Parliament in November 2022, and DORA regulations will go into effect on January 17, 2025.
  • Financial entities and third-party ICT service providers have until January 17, 2025, to comply with DORA before enforcement starts.
  • The DORA law addresses key components such as service visibility, risk mitigation, business continuity, incident management, and governance, guiding organizations in building resilient frameworks that withstand challenges and align with the dynamic landscape of digital operations.

The purpose of DORA

Why is DORA happening?

  • There is currently no framework for the management and mitigation of ICT risk that spans the entire European financial sector.
  • The DORA regulatory act aspires to establish a framework by comprehensively harmonizing risk management rules across the EU and ensuring that every financial institution is held to the same high standard.
  • DORA compliance aims to eliminate the complexities arising from gaps, overlaps, and conflicts between diverse regulations in different member states, streamlining compliance for financial entities while enhancing the resilience of the entire EU financial system.

What are the 5 pillars of DORA?

The 5 pillars of DORA are:

ICT risk management and governance

This requirement involves strategizing, assessing, and implementing controls. Accountability spans all levels, with entities expected to prepare for disruptions. Plans include data recovery, communication strategies, and measures for various cyber risk scenarios.

Incident reporting

Entities must establish systems for monitoring, managing, and reporting ICT incidents. Depending on severity, reports to regulators and affected parties may be necessary, including initial, progress, and root cause analyses.

Digital operational resilience testing

Entities must regularly test their ICT systems to assess protections and identify vulnerabilities. Results are reported to competent authorities, with basic tests annually and threat-led penetration testing (TLPT) every three years.

Third-party risk management

Financial firms must actively manage ICT third-party risk, negotiating exit strategies, audits, and performance targets. Compliance is enforced by competent authorities, with proposals for standardized contractual clauses under exploration.

Information sharing

Financial entities are urged by DORA to develop incident learning processes, including participation in voluntary threat intelligence sharing. Shared information must comply with relevant guidelines, safeguarding personally identifiable information (PII) under the EU's General Data Protection Regulation (GDPR).

Focus areas of DORA for the mainframe

The Digital Operational Resilience Act’s core principles ensure that financial institutions understand their entire IT landscape, including their third-party service suppliers, and can identify potential vulnerabilities and risks and implement robust automated strategies to protect their systems, data, and customers from cyberthreats and other disruptions. While the DORA regulatory focus is on ICT and third-party risk management, incident reporting, resilience testing, and information sharing, firms with mainframe systems should also consider the following:

DORA operational resilience toolchain

DORA outlines five considerations for rapid response, recovery, and compliance that align with the aforementioned key aspects of DORA as they relate to the mainframe.

Identify

Understand the risk to systems, people, assets, data, and capabilities, including business context, policies, and vulnerabilities.

Protect

Ensure safeguards to limit or contain the impact of a potential cybersecurity event. Fortify defenses to ensure the integrity and security of critical data and systems.

Detect

Discover cybersecurity events and anomalies in real time and understand their potential impact. Identify and understand potential threats for swift mitigation.

Respond

Take action to limit the impact of cybersecurity events and anomalies, with well-defined response mechanisms and protocols in place.

Recover

Restore data, systems, and operations to normal conditions. Ensure systems can bounce back efficiently and effectively.

BMC solutions for DORA focus areas

BMC offers a range of solutions that address the full scope of the five focus areas outlined above, as well as specific sub-focus areas within each, as follows.
DORA regulation overview: Understanding the Digital Operational Resilience Act

First, a quick DORA (Digital Operational Resilience Act) summary. DORA is a comprehensive European Union (EU) regulation designed to:

  • Enhance and fortify operational resilience
  • Establish unified incident response protocols
  • Provide guidance for risk management and mitigation
  • Shield organizations from information and communication technology (ICT)-related incidents, penalties, and reputational risk

The DORA regulatory legislation defines technical standards, capabilities, and outcomes to ensure all organizations under its jurisdiction follow a unified set of practices to maintain their security and continuous operations during incidents that threaten their ICT systems.

DORA and the financial sector

The DORA regulation applies to financial entities within the EU and the critical third-party ICT providers that serve them. These financial entities have undergone rapid digitalization. They are common targets for cyberattacks, and the fallout from suffering an incident impacts every other organization that depends on the financial entity’s core services.

Authorities within the EU drafted DORA to help financial organizations and their providers understand and manage risks, and ensure their services are operational at all times.

Timelines and milestones: DORA’s implementation schedule

DORA historical timeline

The following Digital Operational Resilience Act timeline summarizes the key moments in this legislation’s history.

Key terms to know

CTPPS (Critical Third-Party Providers)

The DORA regulation sets requirements for both financial entities and the third-party ICT providers that serve them. However, DORA only applies to what it defines as “critical” providers, and the legislation often refers to them as critical third-party providers, or CTPPS.

The legislation is somewhat ambiguous about what is considered a “critical” provider, though it relates to how integrated and important a service is for a financial entity’s operations. These providers are directly impacted by DORA and its authorities.

NISD (Network and Information Security Directive)

The Network and Information Security Directive (NISD) is a broader directive to improve the security and resilience of organizations and infrastructure within the EU. NISD applies to operators of essential services and relevant digital service providers, and imposes requirements similar to those of DORA.

NISD goes live in October 2024, a few months before DORA. Together, the two regulations make it clear that cybersecurity and resilience are core concerns for the EU, and additional legislation for other industries is likely to follow.

The three European Supervisory Authorities

DORA empowers multiple authorities to supervise its implementation, enforce its policies, and levy penalties for entities that fail to comply. These are often referred to as European Supervisory Authorities (ESAs), and they include:




The role of external oversight and the ESAs

The ESAs are the organizations that drafted DORA’s regulatory technical standards (RTS) and implementing technical standards (ITS). They are also responsible for assessing and enforcing compliance with the legislation.

Oversight as laid out in DORA

DORA authorities, including the ESAs, will evaluate compliance with the legislation’s requirements. They will perform direct oversight of both financial entities and the third parties deemed critical ICT providers under their jurisdiction.

These authorities will also collaborate with entities and providers, receive their reports of incidents and notifications of threats, and offer guidance and best practices for maintaining compliance.

Certain forms of oversight will be performed by entities and providers themselves. Entities are required to maintain oversight over their third-party ICT providers, and both groups are required to maintain awareness of their own risks.

How ESAs will enforce DORA

Entities and providers will be required to prove compliance with DORA’s requirements, which include vulnerability scans and assessments, annual recovery testing, physically and logically segregated data vaults, and rapid event reporting.

ESAs will also be empowered to perform audits, request information and documentation, and levy penalties. These can include financial penalties, denying approval for providers to work with EU financial entities covered by DORA, and forcing an organization to cease operations.

Who will DORA apply to?

Broadly speaking, the DORA regulation applies to financial entities operating within the EU and the third-party ICT providers that do business with them.

Identifying entities affected by DORA

DORA classifies 21 categories of financial activities that fall under its scope, which means the legislation applies to a wide range of financial entities and service providers. These include:

  1. Credit institutions
  2. Payment institutions
  3. Account information service providers
  4. Electronic money institutions
  5. Investment firms
  6. Crypto-asset service providers
  7. Central securities depositories
  8. Central counterparties
  9. Trading venues
  10. Trade repositories
  11. Managers of alternative investment funds
  12. Management companies
  13. Data reporting service providers
  14. Insurance and reinsurance undertakings
  15. Insurance intermediaries
  16. Institutions for occupational retirement provision
  17. Credit rating agencies
  18. Administrators of critical benchmarks
  19. Crowdfunding service providers
  20. Securitization repositories
  21. ICT third-party service providers

Understanding the implication for third-party providers

DORA sets requirements for “critical” third-party ICT providers that do business with financial institutions within the EU, even if those providers are not headquartered in the EU. DORA includes third-party ICT providers that appear location-agnostic, including cloud service providers, data center providers, and data analytics providers.

These new technical requirements will be written into contracts between financial entities and third-party ICT providers. At the moment, these contract requirements will be defined by the entities themselves, but it is possible that DORA will include standardized contracts or terms that must be used by providers and entities.

This would place third-party ICT providers under greater oversight and scrutiny from both the financial entities they support and EU financial authorities. Third-party ICT providers may also need to have a legal subsidiary within the EU to offer their services to financial entities within the EU.

DORA regulations broadly define which third-party ICT providers are deemed “critical” as any provider that offers important functions to financial entities, and whose services may impact a financial entity’s business stability and continuity.

Who is exempt from DORA?

The DORA regulation offers limited exemptions for smaller financial entities that employ fewer than 10 people and have annual turnover and/or balance sheet totals under two million Euros. It also does not apply to certain entities exempt from related legislation. For them, DORA requires a simplified version of its ICT risk management framework.

In terms of third-party ICT providers, DORA sets requirements for providers deemed “critical,” as outlined above. However, this remains a broad term, and it is unclear whether DORA will effectively apply to all providers that service financial entities.

Overall, DORA requirements follow the principle of proportionality. They are designed for financial entities that align with a specific size, risk profile, nature, scope, and complexity of services, activities, and operations. Under DORA, financial entities that meet these criteria will need to meet all of the act’s requirements.

The repercussions of non-compliance: Understanding the penalties

DORA outlines a range of specific fines and penalties for non-compliance. It also gives authorities the power to apply additional penalties at their discretion.

Penalties and fines for DORA non-compliance

Under DORA, financial entities that violate the act can be fined a periodic penalty of up to one percent of their average daily global turnover for up to six months (or until they achieve compliance). They may also be fined up to two percent of the annual global turnover. Third-party ICT providers are subject to the same potential penalties and fines.

Individuals who violate DORA can be fined up to one million Euros.

Additional penalties will be determined by each EU member state, and by the “competent authorities” and ESAs within them. These authorities may audit or suspend an entity or provider’s operations, send cease-and-desist orders and termination notices, issue public notices, or levy administrative or criminal penalties.

DORA and enterprise IT leaders

While IT leaders will remain key players in ICT risk management, DORA expands the capability beyond the domain of IT leadership in two ways:

  1. Most requirements for an organization’s ICT risk management will now be defined by external entities (European Supervisory Authorities, or ESAs)
  2. The internal management body for governing ICT risk management will now be cross-functional and include broader business leadership

How DORA will influence IT governance

DORA regulatory legislation mandates that financial entities establish or adjust their internal governance framework to align with its requirements. Financial entities must also establish or realign their management body. Non-technical board members, executive leaders, and other senior business managers are now expected to play an active role in IT governance, and can be held accountable if their entity fails to comply with DORA.

Who should care? Roles responsible for DORA

Maintaining compliance with DORA’s risk management framework will require a cross-functional effort. The following RACI chart outlines the various themes that must be addressed, and the teams and roles responsible for them.


Major challenges: Operational resilience testing and incident reporting

Under DORA, banking entities and other financial entities must periodically test their operational resiliency plans. This includes testing to ensure they are prepared for likely disruptions, and identifying and resolving deficiencies within their response plans. It also includes testing resilience against higher-level risks—such as ransomware attacks—through threat-led penetration testing (TLPT).

ICT-related incident reporting under DORA

In addition, DORA requires financial entities to expand their incident reporting capabilities and practices. DORA demands that entities:

  • Establish systems for monitoring, logging, classifying, and describing incidents
  • Report major ICT incidents (operational and security) to competent authorities
  • Report significant incidents within 48 hours of discovery
  • Send intermediate reports on incidents still in progress
  • Report on root causes and remediation after an incident is resolved
  • Communicate incidents to both DORA authorities and customers
  • Voluntarily report significant threats they have discovered
  • Follow all DORA guidelines, classifications, and templates for reporting

Third-party risks and resilience in the supply chain

Managing risk from third-party ICT providers is a core element of DORA. The legislation identifies significant risk from these providers and the supply chain as a whole. It defines requirements that third-party ICT providers must follow, as well as requirements for how financial entities must engage with their providers.

Both sets of requirements are detailed in greater length below.

ICT risk management framework: What DORA requires

The DORA act is an ICT risk management framework for financial entities. It seeks to expand ICT risk management beyond previous definitions, which primarily required entities to hold enough capital to mitigate their risks, and to unify these expanded risk management practices across all entities within the EU.

DORA also highlights “ICT risk management and governance” as one of its five pillars, and defines requirements that include, but are not limited to:

  • Developing an ICT risk management framework
  • Mapping all ICT systems
  • Identifying and classifying critical assets
  • Documenting ICT interconnections and dependencies
  • Conducting continuous risk assessments of ICT systems
  • Documenting and classifying cyberthreats
  • Defining threat management protocols
  • Conducting business impact analysis
  • Establishing risk tolerance at multiple levels
  • Implementing required cybersecurity capabilities
  • Creating business continuity and disaster recovery plans
  • Outlining communications and reporting plans in the case of a major ICT-related incident
  • Testing of risk management and resilience practices

DORA also defines specific ICT risk management requirements related to third-party ICT providers, as well as new governance requirements. Both are detailed below.

Oversight framework: EU-level monitoring of third-party ICT providers

Third-party ICT providers that service financial entities—and are defined as “critical”—will be subject to an oversight framework imposed by DORA authorities, and will fall under direct supervision by EU financial authorities.

DORA authorities will monitor these providers to determine the risk that they bring to their customers, and to ensure they are managing their ICT risk properly. To do so, DORA authorities may request information and documentation on a provider’s risk management practices, perform investigations and inspections, recommend actions, and levy fines and penalties.

However, the DORA framework and the DORA authorities that manage it are not the only bodies responsible for third-party compliance with DORA. The legislation requires that individual financial entities reshape their relationships with these providers, as well, and take some accountability for managing their own supply chain risks.

Managing third-party risks: A crucial element of DORA

DORA regulatory legislation will become a standard element of all relationships between financial entities within the EU, and the third-party ICT providers that serve them.

The legislation seeks to increase the sector’s resilience against supply chain attacks and operational incidents, and to ensure financial entities can maintain continuity during these events. To do so, DORA places requirements on how entities understand and manage their third-party risks, and manage their relationships with providers.

DORA compliance: A strategic checklist for IT leaders

DORA is a complicated set of regulations with an extensive list of new requirements and technical standards to meet. Bringing it to life will be difficult for many financial entities and third-party ICT providers. The following checklist provides a simple way to get started building compliance as quickly as possible.

Assessing current ICT systems and identifying gaps

Some of DORA’s requirements are easy to assess against, others are not. For example, DORA specifically states that a financial entity’s backup data must be logically and physically segregated, and that it must be able to test its recovery plans once per year. These are concrete requirements that you either meet or need to develop.

Other DORA requirements are more ambiguous. For example, DORA states that cyberattacks need to be “promptly and quickly” resolved. While DORA states that critical functions must be recovered within two hours of the incident, there is no clear-cut timeline for when an incident must be resolved in full.

Creating a culture of cyber resilience in financial institutions

Every requirement in the DORA regulation focuses on building cyber resilience—the ability to withstand and recover from any disruptive incident. Resilience goes beyond simply developing business continuity plans and disaster recovery protocols, and creates additional systems to deal with complex, modern threats like ransomware attacks.

A culture of resilience focuses on five core competencies:

  • Identifying risks outside of known attack patterns
  • Protecting critical data and systems to limit the likelihood and impact of an incident
  • Detecting problems ASAP
  • Responding to events with well-defined mechanisms
  • Recovering data and operations efficiently and effectively

Essential collaboration between IT teams and regulatory bodies

In the past, financial entities and EU member states all followed their own protocols and standards. This created a patchwork of regulations and best practices that opened vulnerabilities and made compliance difficult to navigate. DORA seeks to standardize protocols to create a unified, secure EU financial sector.

This is a collaborative effort. The DORA law requests feedback from entities, voluntary sharing of threats, and open reporting of incidents. Maintaining open dialogue with DORA’s authorities not only makes the framework more effective, but it also keeps entities in the loop on ever-changing regulations so they can stay ahead of new requirements.

Meeting new technical standards

A financial entity’s ability to meet DORA’s technical standards largely depends on its tools and partnerships with compliant, experienced providers. The first step will be leveraging pre-existing structures, capabilities, and relationships that need to be tweaked or expanded to fill gaps in DORA’s requirements.

However, most entities will need to make additional investments. For example, while many financial entities already have a second backup data storage system in place, DORA states they must have immutable backups that are physically and logically segregated from all other sources, which typically requires investment in a third, cybervault technology.

The future of financial operational resilience

DORA does not exist in a vacuum. It follows and closely mirrors other regulations that attempt to standardize and improve cybersecurity practices across the EU, and it will likely inform a large number of coming regulations in multiple industries.

Predicting the evolution and impact of DORA

DORA will improve cybersecurity and outline operational resilience regulations for financial entities as well as entities in many other industries. The reason for this is twofold. First, DORA sets higher standards for third-party ICT providers. Few of these providers only service the financial sector. Most of them serve organizations in every industry. By forcing third-party ICT providers to increase their security and resilience, DORA will reduce their risk for everyone who works with them—not just financial entities.

Second, DORA will likely inform broader regulations that apply to all industries, and are passed by countries outside of the EU. Financial services—and the EU—have long set the standard for cyber regulations. Just like GDPR’s requirements have become the global standard for data privacy, it is likely that the DORA requirements will be adopted by many other frameworks.

The act itself will continue to evolve, and financial entities and the providers that serve them should expect DORA updates that will further standardize practices and requirements for cybersecurity and digital resilience. The future is more regulations around these topics, not less, and IT leaders would do well to stay ahead of the curve.

The role of enterprise IT leaders in fostering a culture of resilience

DORA may be a cross-functional framework that makes cyber resilience a board-level concern, but it still lives primarily within the IT domain. IT leaders in operations, security, and risk will have the primary responsibility for meeting its requirements, as they “own” the digital systems that DORA is concerned with protecting.

This responsibility will only increase as more and more financial systems become digitized and dependent on ICT systems, whether internal or from third-party providers. DORA makes it clear that IT leaders are the present and the future of maintaining resilient operations within financial entities.

How should I prepare for DORA? What to focus on today.

The sooner you start, the better.

The DORA law goes into effect on January 17, 2025, and many of its requirements will take time to put into place. Focus on the biggest gaps within your compliance that will require the most investment and effort to implement.

For most financial entities, that will be:

  1. Implementing a third, immutable backup of data that is physically and logically segregated from primary and secondary sources
  2. Creating systems to recover data within two hours of an incident
  3. Developing the ability to manually test those systems at least once per year

BMC provides solutions and ICT services to rapidly bring these capabilities to life, in addition to a full portfolio of tools to cover every other element of operational resilience.

To learn more and request assistance in understanding DORA and achieving compliance by January 2025, reach out today for a consultation.