The financial sector is only healthy if it can withstand singular or simultaneous cyberattacks on participating entities. An increasing number of cyberattacks have given cause for concern throughout the EU that financial entities are subject to systemic and concentration risk owing to the interconnectivity of the financial markets and participants.
To address these concerns, the European Commission, the presidency of the Council of the EU, and the European Parliament collaborated to build a framework for financial institutions and service providers to instill resiliency, ensuring Europe’s financial markets can withstand operational interruptions. The result was the Digital Operational Resilience Act, or DORA, a framework of principles designed to identify and mitigate information and communications technology (ICT) risks by requiring financial system participants to adhere to common technical resiliency standards.
Who Must Comply With DORA?
By January 2025, over 21,000 EU financial institutions, including banks, credit companies, payment institutions, e-money institutions, investment firms, crypto-asset service providers, central securities depositories, managers of alternative investment funds, securities management companies, crowdfunding service providers, and ICT third-party service providers will need to comply with DORA.
Financial entities and ICT service providers outside of the EU will also be required to comply if they provide critical ICT processing to EU financial entities. Not complying with DORA carries significant penalties and potentially criminal prosecution.
How Will DORA Be Enforced?
DORA solves the legislative disparities and uneven country regulatory or supervisory approaches to resiliency within the EU. It also instills accountability of financial entities to demonstrate resiliency planning commensurate with impact baselines. Regulators are empowered to perform audits to validate DORA compliance of financial entities and ICT service suppliers. DORA is complementary to, rather than a replacement for, existing EU laws governing data privacy and security, including the Network and Information Security (NIS) Directive and the General Data Protection Regulation (GDPR).
The best way to look at DORA is as a framework of resiliency rules. Financial entities and supporting ICT suppliers must perform resiliency testing to demonstrate compliance. An entity does not have to suffer an outage to be fined; failure to comply is equal grounds for penalties. Failing to comply with DORA will cost 1% of a covered entity’s daily turnover for up to six months. For example, if a financial entity such as BNP Paribas, with US$68.14 billion in annual turnover, experienced an extended outage, it could be fined US$1.868 million daily, for a six-month maximum of US$339.97 million.
What Are the Requirements of DORA?
DORA has specific requirements, including the need for a comprehensive risk management program of the ICT attack surface and an estimation of the potential impacts of an outage. Voluntary and mandatory incident reporting is required depending on the extent of the outage. Covered entities must prove resiliency plan effectiveness through testing, including threat-led penetration testing for larger covered entities. Organizations are encouraged to share threat intelligence, and third-party ICT risk must be owned and managed by covered entities.
The following shows the compliance framework CISOs should follow:
Do U.S. Financial Entities Need to Worry About DORA?
U.S. financial institutions and ICT service providers that provide critical ICT services to EU financial entities will also be required to comply with DORA. DORA has caught the attention of U.S. regulators. The U.S. Department of the Treasury issued a report on the financial sector’s adoption of cloud services on February 8, 2023, discussing DORA.
The report states, “DORA also authorizes the European Supervisory Authority to establish administrative arrangements with regulators in non-EU countries to foster international cooperation on third-party risk.” DORA is expected to be a common framework across G7 countries. CISOs need to determine if they would be required to comply with DORA.
Financial institutions should keep their eyes on DORA, even if they aren’t active primarily in the EU. With cyberattacks on the rise, similar legislation is likely to follow outside of Europe in DORA’s wake. To find out more about what DORA means for the world of cybersecurity, read my latest report Digital Operational Resilience Act (DORA): Take a Licking and Keep on Ticking.