The Digital Operational Resilience ACT (DORA) regulation becomes enforceable in the European Union on 17 January 2025. With stress testing on 109 banks already underway by the European Central Bank (ECB), the rest of the EU financial sector should follow suit to avoid rushing through last-minute compliance efforts.
This article outlines the DORA compliance requirements, including a handy checklist to help you pave a path to compliance before the deadline.
What is DORA?
The Digital Operational Resilience ACT, or DORA, is an EU regulation that aims to establish digital operational resilience across the financial ecosystem to reduce business disruptions in the event of a cyberattack or data breach. DORA complements existing EU cybersecurity regulations, such as the GDPR and NIS2 Directive.
Who must comply with the DORA regulation?
All financial institutions doing business in the EU member states must comply with the DORA requirements, including:
- The Financial Services Industry
- Payment institutions
- Investment firms
- Insurance companies
- Credit rating agencies
- Crypto-asset service providers
- Crowdfunding service providers
- Data analytics and audit services
- Fintech
- Trading venues
- Financial system providers
- Credit institutions
Third-party vendors who provide information and communication technology (ICT) services for finance institutions must also achieve DORA compliance.
DORA compliance dates
The DORA legislation became effective on 16 January 2023, allowing a 24-month implementation period for in-scope organizations.
On 17 January 2024, the three European supervisory authorities, the EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority), and ESMA (European Securities and Markets Authority), finalized drafted Regulatory Technical Standards (RTS) outlining ICT risk management requirements under DORA.
Affected institutions have until 17 January 2025 to comply with DORA requirements.
On 3 January 2024, the European Central Bank (ECB) announced the commencement of digital operational resilience testing across 109 banks in the EU.
Learn how to comply with the third-party risk requirements of DORA >
What are the penalties for DORA non-compliance?
Enforcement of penalties for DORA non-compliance falls in the hands of designated regulators in each EU state, known as “competent authorities. Potential consequences for non-compliance include administrative fines, remedial measures, public reprimands, withdrawal of authorization, and compensation for damages incurred.
In-scope entities that don’t comply with the DORA are subject to penalty payments of up to 1% of the average daily worldwide turnover in the preceding business year.
DORA compliance requirements
The DORA regulation consists of five key pillars that set out requirements for finance entities to withstand, respond to, and recover from ICT-related threats. Below are the five pillars of DORA compliance.
1. ICT risk management
Finance entities are required to establish and maintain comprehensive ICT risk management frameworks. These frameworks should cover all stages of an ICT system’s lifecycle and include appropriate cybersecurity measures for cyber threat identification, protection, detection, response, and recovery plans within the organization and throughout the supply chain. This pillar also mandates continuous testing and monitoring to ensure the ongoing effectiveness of the implemented measures.
2. ICT incident reporting
Firms must report major ICT-related incidents to their respective regulators promptly. The aim is to enable a better understanding of the ICT risk landscape across the financial sector and encourage a coordinated response to major incidents.
3. Digital operational resilience testing
DORA mandates that firms conduct regular testing to assess their capacity to withstand various types of ICT disruptions. This pillar requires in-scope entities to undergo routine threat-led penetration testing (TLPT) to simulate cyberattacks and assess their cybersecurity defenses.
4. ICT third-party risk management
DORA introduces rules for managing cyber risks from outsourcing critical financial operations to third-party ICT service providers. The DORA third-party risk management requirements stipulates that finance entities must subject ICT third-party service providers to proper oversight and due diligence processes. They should also ensure that third-party risk management processes are in place to reduce the likelihood of major incidents like data breaches.
5. Information and intelligence sharing
DORA encourages the sharing of cyber threat information and intelligence among finance entities. This collaboration aims to enhance the sector's ability to identify, protect against, respond to, and recover from ICT-related incidents. The regulation provides an information-sharing framework while ensuring data protection remains a priority.
By establishing these pillars, DORA aims to standardize and strengthen the digital operational resilience of the EU's financial sector, ensuring that it remains robust, competitive, and capable of handling the evolving landscape of ICT risks.
DORA compliance checklist
The Digital Operational Compliance Act is a comprehensive regulatory framework that requires finance entities to take a structured approach to implementation. This checklist maps out key actions to take to achieve DORA compliance faster.
1. Determine DORA scope
▢ Refer to Article 2 of the DORA legislation to determine if your organization is an in-scope entity, i.e., a finance institution or critical ICT service provider to a financial institution.
2. Perform a DORA gap analysis
▢ Conduct a maturity assessment against the DORA compliance requirements to identify gaps across all ICT systems.
▢ Assess your ICT third-party risk by conducting vendor risk assessments.
💡 How UpGuard helps
UpGuard offers a free DORA assessment workbook that maps relevant controls from the NIST CSF and ISO 27001 frameworks to the DORA requirements. The UpGuard platform automates compliance mapping and reporting for these frameworks for you and your vendors.
3. Create a remediation roadmap
▢ Use assessment findings to identify compliance gaps and create a roadmap of remediation activities.
💡Compliance tip: ‘The roadmap should include identified actions on a yearly timeline (e.g., divided into quarters), based on action priority and feasibility.’ - Cindy Ruan, Governance Risk and Compliance Specialist
💡 How UpGuard helps
UpGuard includes automated remediation workflows that enable you to request vendor remediation based on automated scanning and questionnaire responses.
4. Identify critical third-party ICT providers
▢ Refer to Article 31 of the DORA requirements to understand which of your third-party ICT providers are deemed ‘critical’ and must also comply.
💡 How UpGuard helps
UpGuard helps you find, track, and monitor the security posture of any organization instantly. You can categorize vendors, compare them against industry benchmarks, and see how their security posture changes over time.
5. Implement a threat-led penetration testing (TLPT) framework
As per Article 26 of the DORA regulation, financial entities must conduct TLPT testing at least every three years.
▢ Use an approved TLPT framework, such as TIBER-EU.
▢ Ensure your TLPT framework covers several or all critical functions of the financial entity.
▢ Define the scope of the TLPT framework and receive approval of the scope by a competent authority (as defined in Article 46 of the DORA).
▢ When ICT third-party service providers are deemed in-scope for TLPT testing, take the necessary measures and safeguards to ensure the service provider's participation.
▢ Perform testing on live production systems.
▢ Ensure testing is carried out at least every three years, depending on risk portfolio and operational circumstances.
▢ Submit a summary of relevant findings, corrective action plans, and documentation demonstrating that the test meets requirements.
💡 Compliance tip: ‘TLPT is also known as Red Team Testing or “Red Teaming” in the industry. It’s a controlled (and authorized) attempt by ethical hackers to compromise an entity’s systems and overall cyber resilience by simulating the tactics, techniques, and procedures (TTPs) of real-life threat actors.’ - Cindy Ruan, Governance Risk and Compliance Specialist
6. Develop an incident response plan
Article 17 of the DORA requires financial entities to define, establish, and implement an ICT-related incident management process to detect, manage, and notify ICT-related incidents.
▢ Put in place early warning indicators.
▢ Establish procedures for identifying, tracking, logging, and classifying ICT-related incidents.
▢ Assign roles and responsibilities for incident management.
▢ Create plans for communication and notification of ICT-related incidents between all key stakeholders and senior management.
▢ Report major ICT-related incidents to relevant senior management and the management body.
💡Compliance tip: ‘Test your incident response and disaster recovery plans or strategies by performing tabletop exercises (such as simulating a disaster or incident) to evaluate their effectiveness. The outcomes of the exercises should be documented and reviewed so that organizations can understand how to improve their internal processes.’ - Cindy Ruan, Governance Risk and Compliance Specialist
💡 How UpGuard helps
UpGuard notifies you of external vulnerabilities and exposures putting you and your vendors at risk with real-time security rating alerts.
7. Continuously monitor ICT systems
According to Article 8 of the DORA, financial entities must continuously identify all sources of risk as part of an ICT risk management framework.
▢ Identify, classify, and properly document ICT business functions, information assets, roles, and dependencies.
▢ Assess cyber threats and vulnerabilities relevant to ICT-supported business functions.
▢ Perform additional risk assessments upon major changes in the network or infrastructure.
▢ Maintain inventories of information assets, processes that depend on ICT third-party service providers, and legacy ICT systems and technologies.
▢ Perform regular ICT risk assessments on all legacy ICT systems.
💡 How UpGuard helps
UpGuard continuously monitors your external attack surface to identify vulnerabilities, detect changes, and uncover potential threats around the clock.
8. Understand the responsibilities of the Board
Article 5 of the DORA stipulates that board directors and executive management must accept ultimate responsibility for managing ICT risk and ensuring digital operational resilience.
▢ Set information security policies to ensure the maintenance of data security.
▢ Define roles and responsibilities for ICT-related functions and the establishment of governance arrangements.
▢ Define and approve a digital operational resilience strategy.
▢ Review and approve ICT business continuity plans, ICT internal audit plans, and the use of ICT services provided by third parties.
▢ Keep up-to-date on the latest knowledge and skills about ICT risks.
▢ Allocate sufficient budget to ICT resources, security awareness programs, and digital operational resilience training.
💡 How UpGuard helps
With UpGuard, you can generate downloadable PDFs that summarize your security posture and that of your vendors. The reports provide a high-level overview suitable for gaining buy-in with non-technical stakeholders.
How UpGuard helps organizations comply with the DORA framework
UpGuard provides automatic compliance mapping and reporting against DORA through NIST CSF and ISO 27001 for you and your vendors. Assess your DORA compliance today. Start your free 7-day trial.
