
Demystifying the Digital Operational Resilience Act (DORA)

Are you a financial institution within the European Union, or do you provide financial market services in the EU or Information and Communication Technology (ICT) support to EU financial firms (even if you are based outside the EU)?

If the answer to any of these questions is yes, you should be aware of the new Digital Operational Resilience Act (DORA) coming into force, beginning in January 2025.

The introduction of DORA marks a significant step towards enhancing the financial sector’s defenses against digital threats. For Covered Entities, understanding and complying with DORA is not merely a regulatory requirement; it is a strategic imperative.

Below is an overview of how DORA impacts the financial sector and how Cobalt’s services can serve to support your company’s compliance efforts to help avoid breaching this new regulatory framework.

What is DORA?

The Digital Operational Resilience Act (DORA) is a uniform and binding regulatory framework designed to bolster the financial sector’s ability to withstand, respond to, and recover from ICT-related disruptions and threats.

Set to be enforced by the European Banking Authority, DORA introduces a single standard for digital resilience, cybersecurity measures, incident reporting, and third-party risk management across the financial services sector. It aims to strengthen the sector’s resilience against ICT and cyber-related incidents, and it provides a specific set of standards intended to shape how financial organizations manage ICT and cyber risks and incidents.

Does DORA apply to you?

DORA applies to all financial institutions in the EU (Covered Entities). This includes traditional entities such as banks, investment firms and credit institutions, as well as non-traditional entities such as crypto-asset service providers and crowdfunding platforms. DORA also applies to third-party service providers that supply EU financial institutions with ICT systems and services (such as data centers and cloud service providers), and to the ICT infrastructure supporting those providers, even if it is located outside of the EU.

Implications for Covered Entities
1. ICT risk management

DORA emphasizes the need for Covered Entities to enact comprehensive frameworks for managing ICT risks. Covered Entities must implement and maintain advanced security protocols to protect against cyber threats. Cobalt’s services can help our customers identify vulnerabilities and assess the effectiveness of their security measures, ensuring the efficacy of their defenses.

2. ICT-related incident reporting

A foundational element of DORA compliance requires that Covered Entities establish adequate incident detection and reporting mechanisms. Covered Entities must establish clear procedures for managing and reporting significant ICT incidents. Cobalt’s services simulate real-world attacks, using the same tools and techniques as malicious actors, to evaluate our customers’ incident response protocols, ensuring they are robust, effective, and compliant with DORA.

3. ICT third-party risk

With Covered Entities increasingly reliant on all manner of third-party service providers, being able to manage the associated risks is another crucial requirement of DORA. Covered Entities must ensure that third-party ICT providers maintain the same level of resilience as the Covered Entity itself. Cobalt’s services can assist our customers in assessing their security posture through rigorous testing, helping them to ensure that their security measures align with their internal requirements.

4. Digital operational resilience testing

DORA mandates regular testing of Covered Entities’ ICT systems to ensure that they are robust and that emerging threats become known. Cobalt’s services are designed to provide in-depth assessments of your ICT systems: discovering vulnerabilities, evaluating your response mechanisms, and providing guidance on closing discovered vulnerabilities (including retesting of individual findings to validate fixes). Regular engagement with our testing services will help ensure that your systems are resilient and compliant.

5. Information sharing

DORA encourages Covered Entities to engage in information sharing with regard to ICT risks and incidents to advance the aims of DORA and improve overall resilience within the whole of the financial sector.

How will DORA be enforced?

National “competent authorities” (NCAs), the designated regulators in each EU member state, will be responsible for enforcement, fine levels, inspections, audits and generally ensuring compliance with the regulation. The NCAs will have the power to require financial firms to take specific security measures and to remedy any vulnerabilities the NCAs become aware of.

These competent authorities will have the ability to impose administrative and, in certain cases, criminal penalties for non-compliance.

The European Supervisory Authorities (ESAs), the regulators that oversee the EU financial system (e.g. the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)), provide guidance to the NCAs to help ensure a consistent approach. The ESAs also draft the technical standards that Covered Entities must implement.

Financial penalties for entities may include fines of up to 2% of the Covered Entity’s global revenue or up to 1% of its average global daily revenue. Fines for individuals (e.g. senior managers or directors) may be up to €1 million.

What action should you take now?

Covered Entities who fall within the scope of DORA are encouraged, as a preliminary step, to:

  •   Conduct a comprehensive gap analysis to evaluate existing internal ICT risk and cybersecurity processes,
  •   Review all of your existing ICT contracts and connections in order to document and review third-party vulnerabilities,
  •   Increase the resources dedicated to threat and incident detection and to prevention training,
  •   Understand the capabilities required to conduct resilience testing and address those requirements, and
  •   Proactively prepare for DORA.

Conclusion

DORA represents a significant evolution in the regulatory landscape for the financial services sector, emphasizing the need for comprehensive digital operational resilience. If your organization falls within the scope of DORA, you need to be aware of these new requirements, and take action now to demonstrate compliance. Cobalt encourages Covered Entities to view DORA as an opportunity to enhance their cybersecurity posture and operational resilience. By leveraging our expertise in penetration testing services, you can proactively address vulnerabilities, strengthen your defenses, and ensure compliance with DORA’s stringent requirements. Engage with our teams to perform a detailed assessment of your current cybersecurity posture and identify gaps.

In an era of escalating digital threats, strengthening your cybersecurity framework is not just about compliance—it’s about securing your organization’s future. Let’s work together to understand DORA and build a resilient, secure financial ecosystem.

About Steven Dimirsky
Steven Dimirsky is an experienced General Counsel with over a decade of experience in SaaS, including oversight and implementation of privacy and infosec programs globally. He is well-versed in the negotiation of all manner of commercial agreements, IP portfolio management, and providing counsel regarding compliance with the various privacy laws and regimes in North America and Europe.