Are you a financial institution within the European Union, or do you provide financial market services in the EU or Information and Communication Technology (ICT) support to EU financial firms (even if you are based outside the EU)?
If the answer to any of these questions is yes, you should be aware that the Digital Operational Resilience Act (DORA) entered into force in January 2023 and has applied to in-scope entities since 17 January 2025.
The introduction of DORA marks a significant step towards enhancing financial entities’ defenses against digital threats. For Covered Entities, understanding and complying with DORA is now not only a strategic imperative; it’s a regulatory mandate.
Below is an overview of how DORA impacts the financial sector and how Cobalt helps support your company’s compliance efforts to help avoid unexpected findings slowing down the audit process.
The Digital Operational Resilience Act, or DORA, is a uniform and binding regulatory framework designed to bolster the financial sector’s ability to withstand, respond to, and recover from ICT-related disruptions and threats.
Enforced by the national competent authorities of each member state, with the three European Supervisory Authorities (EBA, ESMA and EIOPA) drafting the technical standards that fill in the detail, DORA introduces a single standard for digital resilience, cybersecurity measures, incident reporting, and third-party risk management across the financial services sector. Its aim is to strengthen the sector’s resilience to major ICT-related incidents, and it sets out a specific set of requirements that shape how financial organizations manage ICT and cyber risks and the incidents that result from them.
DORA applies to financial entities in the EU, referred to in this overview as Covered Entities. This includes traditional entities such as banks and other credit institutions, investment firms, insurers and payment institutions, as well as newer categories such as crypto-asset service providers and crowdfunding service providers. ICT third-party service providers that supply EU financial entities with ICT systems and services (such as data centers and cloud service providers) are drawn into scope through the contractual and risk-management obligations DORA places on their financial-entity customers, and providers designated as critical ICT third-party providers are subject to direct oversight by the ESAs even when they are established outside the EU.
DORA requires Covered Entities to enact comprehensive frameworks for managing ICT risk and to implement and maintain security controls that protect against cyber threats. Particular focus must be placed on safeguarding critical or important functions: business services whose disruption could materially impair the entity, its customers, or the stability and functioning of financial markets. Because the testing, incident-classification and third-party obligations are all measured against the ICT assets supporting those functions, entities must first identify and document which systems those are. Cobalt’s services help our customers identify vulnerabilities in those systems and assess whether their security measures work as intended.
A foundational element of DORA compliance is that Covered Entities establish adequate incident detection, classification and reporting mechanisms, with clear procedures for managing and reporting major ICT-related incidents to the relevant national competent authority (NCA). Reports must be submitted using the standardized templates developed under DORA so that they are consistent and comparable across the EU. Under the reporting standards adopted for DORA, an initial notification of a major incident is due within four hours of classifying it as major and no later than 24 hours after the entity becomes aware of it, followed by an intermediate report within 72 hours and a final report within one month. Because those clocks start at detection and classification, the ability to recognise an incident quickly and decide whether it meets the major-incident criteria is as important as the reporting template itself. Cobalt’s services simulate real-world attacks, using the same tools and techniques as malicious actors, to exercise our customers’ detection and incident response procedures and show whether they hold up against DORA’s requirements.
With Covered Entities increasingly reliant on all manner of third-party service providers, managing the associated risks is another crucial requirement of DORA. Covered Entities must ensure that their ICT third-party providers maintain a level of resilience consistent with the Covered Entity’s own, and must embed the required contractual provisions (including security, incident-notification, audit and exit terms) in their agreements with those providers. They must also maintain a register of information documenting all contractual arrangements with ICT third-party service providers, which competent authorities can request, giving visibility and traceability across the supply chain. Cobalt’s services assist our customers in assessing the security posture of the systems they rely on through rigorous testing, helping them confirm that their security measures meet both their internal requirements and their obligations under DORA.
DORA mandates regular testing of Covered Entities’ ICT systems so that weaknesses are found before they are exploited. Covered Entities must maintain a digital operational resilience testing programme, with appropriate tests of all ICT systems and applications supporting critical or important functions carried out at least yearly; entities identified by their competent authority must additionally undergo threat-led penetration testing (TLPT) of live production systems at least every three years, following the TIBER-EU approach. Cobalt’s services are designed to provide in-depth assessments of your ICT systems, discovering vulnerabilities, evaluating your response mechanisms, and providing guidance on remediating the vulnerabilities found (including retesting of individual findings to validate fixes). Regular engagement with our testing services helps you demonstrate that your systems are resilient and that your testing programme meets DORA’s expectations.
DORA encourages Covered Entities to engage in information sharing with regard to ICT risks and incidents to advance the aims of DORA and improve overall resilience within the whole of the financial sector.
National competent authorities (NCAs), the designated regulators in each EU member state, are responsible for enforcement, setting fine levels, inspections, audits and generally ensuring compliance with the regulation. The NCAs have the power to require financial firms to take specific security measures and to remedy any vulnerabilities the NCAs become aware of.
These competent authorities are able to impose administrative penalties and, where a member state has chosen to provide for them, criminal penalties for non-compliance.
The European Supervisory Authorities (ESAs), the regulators that oversee the EU financial system (the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA)), provide guidance to the NCAs to help ensure a consistent approach. The ESAs also jointly draft the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that set out the detailed requirements, such as the incident-classification criteria, the reporting formats, the register of information and the TLPT methodology, that Covered Entities must implement.
DORA does not itself fix the fine levels for Covered Entities; it requires each member state to lay down penalties that are effective, proportionate and dissuasive, so the amounts depend on the member state and the competent authority concerned. The one figure set in DORA itself applies to critical ICT third-party providers: the Lead Overseer can impose periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover, charged daily for up to six months, to compel compliance with its requests.
Covered Entities that fall within the scope of DORA are required, as a preliminary step, to:
DORA represents a significant evolution in the regulatory landscape for the financial services sector, emphasizing the need for comprehensive digital operational resilience. If your organization falls within the scope of DORA, you need to be aware of these new requirements and take action now to demonstrate compliance. Cobalt encourages Covered Entities to view DORA as an opportunity to enhance their cybersecurity posture and operational resilience.
By leveraging our expertise in threat-led penetration testing services, you can proactively address vulnerabilities and strengthen your defenses. Engage with our teams to perform a detailed assessment of your current cybersecurity posture and identify gaps before you start your DORA compliance journey.
In an era of escalating digital threats, strengthening your cybersecurity framework is not just about compliance—it’s about securing your organization’s future. Let’s work together to understand DORA and build a resilient, secure financial ecosystem.