The Digital Operational Resilience Act (DORA) is in full effect as of January 17, 2025, requiring financial institutions to strengthen their ability to withstand IT disruptions and cyber attacks.
In this article we’ll explain what the DORA regulation framework is, the importance of resilience testing for regulatory compliance, and how Cutover automated runbooks can help companies ensure DORA compliance.
What is the Digital Operational Resilience Act or DORA Act?
The Digital Operational Resilience Act (DORA) is regulatory legislation proposed by the European Commission that seeks to improve the resilience posture of financial services organizations that operate within the European Union (EU).
DORA legislation implementation date: January 2025
Effective January 17th, 2025, the full DORA regulation is applicable and European Supervisory Authorities (ESAs) will begin oversight activities of companies and critical third-party providers (CTPPs). Financial entities should review the DORA banking regulation act here in its entirety and have a full understanding of the requirements and implications.
What are the main objectives of the DORA act?
The DORA european regulation aims to reduce the cyber security and resilience risk and impact on financial markets. Financial institutions rely heavily on cloud providers, which is risky, and if a major cloud provider has a serious outage the impact would be widespread and potentially catastrophic for global financial markets. In summary, the DORA regulation act establishes a universal framework for managing and mitigating Information and Communication Technology (ICT) risks in the financial sector and sets more stringent parameters for resilience testing which improves the safeguards for resilience in cloud management.
Who is affected by the DORA law?
The DORA regulation is very wide and encompasses a range of financial services organizations operating in the EU, including banks, loan organizations, insurance companies, and auditors. As outlined and explained, the DORA also applies to the critical Information and ICT third-party providers (cloud and non-cloud), as defined in the regulation, that service the financial industry and could have a systemic impact on financial services provisioning in Europe. Examples of the financial services organizations that will be impacted by the DORA EU regulation include:
- Capital markets
- Payment institutions
- Investment firms
- Credit rating agencies
- Crypto-asset service providers
- Crowdfunding service providers
- Fintech
- Trading venues
- Financial system providers
- Credit institutions
How does the DORA regulation impact financial institutions?
The DORA regulation requirements mandate financial services organizations to adequately capture, test, and iteratively improve their recovery plans. This will significantly impact how they document, execute and audit testing. For DORA, testing will need to occur regularly and span both the applications and third-party ICT vendors’ systems.
What does the DORA framework change?
The DORA framework provides a more robust and comprehensive digital resiliency framework, with more stringent requirements for digital operational resilience documentation and testing. Some of the changes include:
- The execution of recovery and vulnerability tests at least once a year as well as threat-led penetration testing every three years.
- A complete audit documentation of the tasks and results associated with each recovery plan.
- Post-execution analysis and remediation plans for addressing any weaknesses.
- Reporting on weaknesses to the relevant DORA authorities for validation.
Why is operational resilience important?
Operational resilience is defined as the ability to detect, prevent, respond to, learn and/or recover from disruptions in operations that could possibly impact delivery of important business products or services. For financial institutions, operational resilience can also refer to the ability to provide critical services when faced with a large-scale disruption.
As cybersecurity threats and IT service disruptions increase, it’s critical for organizations to ensure their systems can resist losses and outages and recover from them if they occur.
DORA's five pillars of resilience
With the DORA regulation act, financial services organizations and Information and ICT third-party providers will need to focus on the following 5 key pillars of DORA.
Risk management
The DORA framework requires a robust, well-documented ICT risk management framework to effectively deliver greater digital operational resilience.
Incident reporting
The DORA regulation also mandates an ICT-related incident management process and the development of capabilities to monitor, handle, and follow up on such incidents.
Digital operational resilience testing
Financial institutions are obligated to implement a proportional and risk-based digital operational resilience testing program on an annual basis and penetration testing every three years.
ICT third-party risk
DORA also mandates that ICT third-party risk should be managed by the financial services organizations as an integral component of their ICT risk management framework.
Information sharing
Businesses must define a process to be put in place to share cyber threat information and intelligence, provided such exchange of information aims at enhancing the digital operational resilience of financial services organizations. This also takes place within trusted communities and is carried out in accordance with applicable legislation (e.g. data protection, trade secrets, and competition).
What are the penalties for non-compliance with the DORA regulation framework?
It’s important to understand the potential strict penalties if you do not comply with DORA regulation requirements. These penalties include:
- A fine of up to 2% of a company’s total annual worldwide turnover
- An audit or temporary suspension of operations
- Public notices or cease-and-desist orders
- Individual fines for high-ranking executives (up to 1 million Euros)
- Higher penalties for third-party ICT service providers
Key steps for financial institutions to prepare for DORA compliance
Now that 2025 is here, financial services firms need to ensure preparedness for DORA. Here are key steps:
Implementing internal resilience frameworks
In order to comply with the DORA regulation, financial institutions need to not only establish but also maintain strong internal systems and controls for IT resilience. The frameworks help ensure you withstand and recover quickly from IT disruptions including cyber attacks.
Cybersecurity upgrades
To comply with DORA, businesses and financial institutions should evaluate and implement various tools to help identify, respond, and quickly recover from cyber threats. This can include data encryption, access controls and identity management, advanced threat detection and response systems, and automated cyber recovery platforms.
Supplier and third-party risk management
Assess and mitigate risks associated with any external suppliers or third-party managers with access to sensitive data.
Incident response plans
DORA requires financial institutions to define comprehensive procedures to detect, contain, and recover from cyber incidents.
Are you up to speed with the DORA regulation framework?
It’s important to understand how your firm will handle each requirement to gain full compliance. Many organizations will undoubtedly need to find best-of-breed solutions to address all of the DORA financial requirements.
Cutover can help you comply with DORA regulation requirements
Cutover’s proven Collaborative Automation cloud solution connects your teams and technology with automated runbooks to strengthen your IT disaster recovery strategies. In particular, the DORA’s recommendations for digital operational resilience testing are a fundamental capability of Cutover as our platform helps the world’s largest financial service organizations support IT disaster recovery for DORA.
Cutover’s proven solution for operational resilience testing gives you confidence in your testing and live invocations as well as enabling you to:
Plan your response for DORA resilience
Through the use of runbooks you can detail all the recovery tasks required regardless if it is a planned, unplanned, or live invocation to a particular event or set of events. You can build a comprehensive, templated, and approved recovery plan library so you know exactly what will happen in your recovery strategies.
Automate your DORA law recovery strategies
Eliminate manual processes during planning activities and executions with automated runbooks. With Cutover you can free teams from manual tasks to focus on higher-value activities.
Create Cutover runbooks to cater to a variety of recovery events
Respond to a cybersecurity attack or data center failure by creating a library of pre-approved runbook templates. Runbooks provide a set of instructions on how to fail over a particular service from one location to another or perform switchovers of production load to alternate sites.
Rehearse to build muscle memory
Automated runbooks can be dynamically edited in real time and provide a detailed audit trail that can be used for analysis and improvement. More frequent testing enables you to identify issues with recovery scenarios, such as missing steps and opportunities for automation, and ensure familiarity with the processes to be run in response to an incident.
Automate orchestration
Orchestrate this complex sequence of tasks, ensuring that teams and technology follow the set path in the correct order by automatically notifying people of when to start their tasks and triggering automated processes.
Track metrics during resilience testing
With Cutover, measure recovery time achieved (RTA) and demonstrate that you can recover your applications and ICT services according to the demands of your supported businesses.
Integrate with a wide ecosystem across the IT resilience stack
Through Cutover’s pre-built and custom integrations capability, we enable you to have full flexibility for tight integrations via a REST API for the programmatic creation and execution of recovery plans. With Cutover, you can easily integrate with a wide base of applications and sources including third-party IT service management systems and configuration management databases, such as ServiceNow or local proprietary-built applications.
Communicate to keep your team informed
The in-built communication features that allow for timely, clear, and effective communication in the midst of recovery, as well as during regular test events.
Access accurate post-execution analytics and regulatory audit logs
Regulatory reporting is critical for DORA. Our automated runbooks automatically record the timing and execution of tasks for reporting and generating an audit trail that is not editable. This serves as a record of performance for auditing, continuous improvement, and regulatory compliance purposes. Audit logs can be used to investigate incidents and track compliance with regulations. This can help firms to demonstrate that they are taking steps to mitigate ICT risks.
Get a clear picture of how your event has performed to evaluate whether objectives were met and how effectively a program was executed, and to identify future actions required to make improvements.
Preparing for the DORA law in 2025 and beyond
With DORA's regulation deadline looming, financial institutions cannot afford to delay their resilience efforts. Cutover’s automated runbooks offer a powerful and efficient solution to meet the regulation's demands and strengthen their overall resilience and application recovery.
By embracing Cutover’s automated runbooks, financial institutions can ensure compliance with DORA and build a more secure and resilient foundation for the future. In a world of ever-increasing cyber threats, the ability to bounce back quickly is no longer a luxury – it's a necessity.
Start preparing today and let Cutover's automated runbooks help you face the DORA deadline with confidence.
Partner with Cutover for DORA compliance
Cutover’s platform is trusted by leading financial institutions to support seamless alignment with DORA requirements. With a focus on operational resilience and compliance, we provide the tools and support you need to meet regulatory standards.
Ready to enhance your organization’s resilience? Book a demo today to learn more about how we can help you comply with DORA.