The Digital Operational Resilience Act explained: Everything you need to know

Cyber attacks are a growing threat to businesses worldwide. Incidents such as Distributed Denial of Service attacks, phishing, data breaches, and ransomware can endanger an organization’s financial stability and lead to systemic crises in a vast range of industries, such as banking, energy, and transport. 

With the recent implementation of the Digital Operational Resilience Act, EU organizations and financial entities are required to comply with new requirements to optimization of their ICT risk management practices, including any third parties that touch this process.

Here, we discuss what the Digital Operational Resilience Act is, what it means for the financial world, and the five key requirements for compliance.

‍

What is the Digital Operational Resilience Act?

‍

Implemented in December 2022, the Digital Operational Resilience Act (DORA) is a new piece of legislation from the European Parliament that aims to protect, foster, and strengthen the technological development of businesses in the European Union, providing both financial stability and consumer protection. 

The DORA requires companies to undergo a thorough risk assessment and identify the potential threats that could cause their digital systems to fail. It also instructs businesses to report any incidents that do occur so they can be monitored, regulated, and prevented from happening again in the future. 

‍

Who is affected by the DORA law?

‍

The DORA encompasses a broad range of financial institutions, as well as ICT third party providers, such as digital service providers and digital service operators. This applies to both cloud and non-cloud ICT services that supply digital tools as a service to business-to-business (B2B) and business-to-customer (B2C) consumers within the European Union. 

Here is a comprehensive list of the institutions that must abide by DORA law: 

• Credit institutions. 
• Payment institutions.
• E-money institutions.
• Investment firms. 
• Domain name system providers.
• Crypto-asset service providers. 
• Central securities depositories. 
• Content delivery network providers.
• Managers of alternative investment funds. 
• UCITS management companies. 
• Administrators of critical benchmarks. 
• Crowdfunding service providers. 
• ICT third party service providers. 

The DORA law also involves public authorities and companies that haven’t previously been subject to specific ICT regulations.

‍

What does the DORA change?

‍

Before the implementation of the DORA, there were no resilience regulations in place to protect customers from the inadequacy of unprepared financial firms. Since the European Council enforced this act, financial institutions are now required to manage and mitigate risks with assessment practices, prepare for a wide range of threats including cyberattacks and natural disasters, and have a robust recovery framework in place, identifying their most critical systems and laying out the steps needed to recover within a set time frame to avoid negatively impacting customers.

The DORA intends to address the increasing risk of illegal activity and subsequential disturbance to digital services in institutions where disruptions can have a direct detrimental impact on society and the economy.  

‍

Why is operational resilience important?

‍

Operational resilience is important for various reasons. In the modern world where nearly all systems run online, it’s essential for institutions to take security measures to avoid negative impacts on customers and the wider economy and protect their data.

Here are some of the main reasons why operational resilience is vital in these industries:

• Risk mitigation — When faced with a threat, businesses should be able to withstand large disturbances and operate regardless of the issues that arise. By planning ahead, you avoid circumstances like that of the Bank of Ireland (BoI). In 2021, the Irish bank’s continuity framework failed upon action, causing significant disruption in its critical services. This led to the BoI receiving a fine of €24.5 million, per Central Bank of Ireland. That’s why it’s essential to identify risks and ensure the solutions in place are actionable before a problematic situation occurs.
• Trust in major organizations — The DORA legislation doesn’t just help with business stability, it also helps to maintain customers’ trust in financial organizations. If organizations aren’t able to effectively protect against and recover from threats, it could lead to wider impacts, such as customers not being able to access banking services. The DORA’s enforcement of operational resilience in these enterprises across the continent functions to preserve stability in financial institutions and increase customer safety and trust. 
• Quality of ICT services — Although the financial sector is mostly affected by the DORA law, critical third party ICT providers are also tested on their quality of service. If an ICT service provider or operator doesn’t meet the required standards, they may face penalties like that of a financial entity. In fact, Uptime Institute found that, since 2016, 63% of all publicly-reported outages were caused by third party and commercial IT operators such as cloud, hosting, colocation, and telecommunication providers.

‍

The DORA’s five pillars of resilience

‍

The DORA regulation is underpinned by five pillars of resilience: Risk management, incident reporting, digital operational resilience testing, ICT third party risk management, and the sharing of information and intelligence. 

Let’s break down these pillars and what they mean. 

‍

1. ICT risk management

ICT risk management greatly reduces the chances of unforeseen cyberattacks through effective and thorough risk assessments which aim to prevent and detect cyber threats before they take hold. This pillar places ultimate responsibility on a firm’s management body to implement the appropriate measures and controls, ensuring operational and security risk management, as well as a robust, well-documented ICT risk management framework.  

To comply, firms will need to identify their impact tolerance, risk associations, and critical functions. With a stable framework in place, organizations should also form prevention and detection plans, response plans, and recovery plans to be completely prepared for all threat-related circumstances.

‍

2. ICT incident reporting

This pillar requires companies to submit a report regarding any ICT related incidents or threats that have occurred, including the following information:

• The number of users affected.
• The amount of data lost.
• The severity of the impact on ICT systems.
• The geographical spread.
• The criticality of the services affected.
• The economic impact.

By submitting a detailed report, incidents can be monitored and managed appropriately and both organizations and regulators can build knowledge to continuously improve recovery.

‍

3. Digital operational resilience testing

For this essential pillar, organizations are required to run a comprehensive risk-based test at least once a year, as well as proportional threat-led penetration testing once every three years for financial institutions. 

These tests should not be performed by the company. Instead, independent testers should be scheduled in advance with approval from a DORA regulator to guarantee reliable test outcomes. This process can take a long time to prepare for, with approximately two years of recommended planning time. Companies are encouraged to begin preparation as soon as possible to allow for regulator authorization with the deadline set at the end of 2024. 

‍

4. ICT third party risk 

This pillar maintains that companies in the financial sector should have third party risk management in place as a fundamental component of their ICT risk management framework. This involves a defined multi-vendor ICT third party risk policy strategy, an information register containing details on all ICT third party providers, the services they provide and the functions they support, as well as a yearly report on changes to this register.

The DORA also enforces regulatory annual assessments for critical providers to ensure organizations are complying with legislation. Any standard checks that demonstrate a lack of compliance will result in legal and financial penalties. 

‍

5. Information and intelligence sharing

When building digital finance resilience frameworks, a lot of labor goes into the research and building of robust and reliable solutions. To create a stronger and more resilient environment for financial services organizations across Europe, sharing intelligence and information helps to support and protect other financial services from operational threats. 

The DORA has introduced guidelines for sharing arrangements among firms, creating stable communities that transfer intelligence and information in accordance with regulations, confidentiality requirements, data protection, trade secrets, and competition. 

‍

Components of operational resilience

‍

To comply with the five pillars of the DORA, it’s essential to understand the key components of operational resilience. 

Digital operational resilience is all about how effectively companies can continue their business operations when faced with unexpected disruptions and challenges. Below are the key components to focus on when considering the DORA proposal.

‍

Business continuity planning

This component focuses on developing and planning strategies that enable companies to resume their day-to-day processes if an issue arises. A reliable continuity plan should include everything from data center migrations, data recovery plans, backup systems, and communication plans to ensure stakeholders are kept in the loop.

‍

Mapping

It’s important to map the internal and external interconnections and dependencies necessary to action critical operations. This involves recording the relevant contacts and elements, such as people, facilities, technologies, and processes. Maps should be detailed and specific to enable teams to determine the relevant vulnerabilities and complexities, should a threat arise.

‍

Periodic self-assessment

To maintain high levels of digital operational resilience, regular self-assessments provide organizations with consistent, up-to-date information on operational weaknesses and identify windows for threat opportunities. With identified risk exposures, businesses can then work to address these issues and preserve their resilience.

To learn more about the components of operational resilience and achieving digital operational resilience testing for the DORA, download our white paper. 

‍

Are you up to speed?

‍

Despite its recent implementation, the DORA has a demanding timetable of implementation in place, expecting the final execution of compliance by Q4 2024. To fully comply with the new DORA legislation, it’s essential to understand which vendors will best enable you to address each of these requirements. Will you take a best-of-breed approach for each application or try to find a single vendor that might provide a suboptimal solution?

‍

Cutover can help

‍

The Cutover Collaborative Automation platform enables you to build multi-team recovery plans or make use of existing templates to regularly test your IT resilience. Measure your Recovery Time Actuals and prove your organization’s ability to rapidly recover your services and applications. The Cutover platform provides visibility, communications, and audit logs for continuous improvement and regulatory reporting.

The DORA is a lengthy piece of legislation that’s difficult to dissect. Luckily, Cutover is here to help ensure you’re on the right track. To find out more, download your free copy of our white paper and get in touch with us to find out how the Cutover platform can help you improve and prove your level of resilience.