On January 17, 2025, the Digital Operational Resilience Act (DORA) went into effect across the European Union (EU). From then on, all financial entities (FEs) within the EU are required to adhere to DORA compliance standards, along with their critical information and communication technology (ICT) service providers.
What is the EU DORA Regulation?
DORA, officially Regulation (EU) 2022/2554, aims to help the EU’s financial services sector improve its digital operational and security resilience. Specifically, it seeks to crack down on risks incurred by third-party information and communication technology vendors, namely those providing financial entities with critical services.
DORA has three main stated objectives:
1. Reduce the risk of financial instability and disruption across the EU.
2. Reduce the administrative security burden on the EU’s financial entities.
3. Increase protection for consumers and investors of the EU financial system.
DORA aims to strengthen the financial system’s cybersecurity by identifying third-party risks, particularly in the technology supply chain. It focuses on enhancing security in areas such as incident response, business continuity, and reporting, addressing existing vulnerabilities and preparing for emerging digital threats.
DORA Compliance
Who must comply with DORA?
All financial entities and their ICT providers must adhere to DORA requirements by January 17, 2025. Under DORA, financial entities include, but are not limited to:
- Banks
- Insurance & Reinsurance Firms
- Auditors & Audit Firms
- Brokers
- Trade Repositories
- Management Firms
- Credit Rating Agencies
- Crypto-Asset Providers
- Credit Institutions
- Crowdfunding Services
Under DORA, covered ICT providers are third-party ICT vendors supplying software (not hardware), and can include:
- Brokers
- Providers of Digital & Data Services
- Crowdfunding Services
- Providers of Software & Data Analytics
- Data Centers
ICTs that will ultimately be subject to DORA are those determined by European Supervisory Authorities (ESAs) and competent authorities to provide “critical” services for EU financial entities. They will be classified as critical third-party information and communication technology service providers (CTTPs).
DORA deadlines
Important DORA compliance dates are as follows:
- January 17, 2025: DORA went into effect and requirements will be enforced.
- April 30, 2025: ESAs will collect information from financial entities to determine if their ICT providers qualify as critical third-party providers and are therefore subject to DORA. Financial entities must submit a “register of information” by this point.
- January 17, 2026: The European Commission will review the appropriateness of the strengthened requirements.
Penalties for DORA non-compliance
The consequences for non-compliance include:
- Fines of up to 2% of a company’s total annual worldwide turnover.
- Individual fines up to 1 million euros.
- Up to 5 million euros in fines for critical third-party providers.
- Additional potential penalties, including suspension of services, mandatory remedial measures, audits, and public notices.
5 Pillars of DORA
The underlying purpose of DORA is to maintain business continuity among the EU’s financial entities in the event of a cyberattack and to avoid such incidents to the extent possible. To that end, the act is built around five pillars:
ICT risk management
Financial organizations must identify the risk of cyberattacks.
Reporting of ICT-related incidents
Financial entities must report any cyber incidents to authorities as soon as possible.
Digital operations resilience testing
ICT systems must be regularly tested by financial institutions to identify weaknesses and security vulnerabilities that would expose them to a cyberattack.
Information and threat intelligence sharing
Financial entities within the EU are encouraged to share threat intelligence and security best practices with each other to promote common security and increased protection against cyber threats.
Third-party risk management
Under DORA, financial entities are responsible for the security risks incurred by their contracted ICT vendors and must manage that risk according to the stated compliance measures.
6 Key DORA Deliverables
To comply with DORA requirements, financial entities within the EU must accomplish the following:
1. Create an ICT risk management framework that identifies all information and communication technology third parties and their associated risks.
2. Employ continuous monitoring and control of ICT tools and systems to ensure consistent protection against ICT-related threats.
3. Implement digital operational resilience testing with a threat-led approach.
4. Put in place provisions for third-party risk management. All ICT third-party contracts must align with DORA and a “register of information” must be kept on each one.
5. Have an incident reporting and classification framework. This enables financial entities to report any cyber incidents in a timely and accurate manner.
6. Establish a clearly defined governance structure that places ultimate responsibility for ICT risk management on top executives.
Achieving DORA Compliance with Managed Security Services
Achieving DORA compliance in a short timeframe is challenging, but financial organizations in the EU might already have a leg up. There is a lot of overlap between the Digital Operational Resilience Act and other cybersecurity standards such as NIS2, GDPR, and even PCI DSS 4.0 (for those with a U.S. presence). Once you audit your current security controls and identify any missing elements necessary to achieve compliance, collaborating with a managed security services provider like Fortra’s Alert Logic can help you fill those gaps.
DORA calls for cybersecurity controls in the following areas:
- Asset Management (including IAM, email protection, and phishing defense)
- Encryption and Cryptographic Controls
- Data Security
- Patch Management
- Vulnerability Management
By working with a managed security services provider, financial entities can offload much of the burden of achieving DORA compliance. Many of these protocols will already be in place, but a managed security solution can provide skilled experts in the areas in which weak policies exist and even point out opportunities for reduced overhead and management responsibilities through vendor consolidation.
New research from BlackBerry reveals that in 2024, 75% of all software supply chains experienced a cyberattack. With virtually every financial institution today being integrally connected to third-party software vendors, these high rates of software supply chain risk cannot be ignored. As it stands, 64% of global financial institutions faced a ransomware attack last year (up from 34% in 2021), and some say DORA could not come at a better time.
Learn more about how Alert Logic’s managed security services can help you achieve your DORA compliance goals and cut down on third-party risk by scheduling a demo today.