Features 20.02.2024

Exploring DORA: Everything You Need to Know About the Forthcoming Regulation

Phil Muncaster takes a look at the EU’s new blockbuster rules for the IT sector and financial services

With less than a year until the DORA deadline, and the promise of monetary penalties for non-compliance, it’s time to get serious about the EU’s Digital Operational Resilience Act. Phil Muncaster looks at the what, why, when and how…

The financial services industry is about as critical as critical national infrastructure (CNI) can get. Its low tolerance for outages and the vast volumes of sensitive corporate and consumer financial data it holds make the sector a popular target for attack. And when attacks do come, they often arrive via the supply chain. That’s why the EU has designed the Digital Operational Resilience Act (DORA).

DORA mandates strict new levels of baseline security for network and information systems – both for the financial sector and its IT suppliers. Depending on existing levels of cyber maturity, it may be a heavy lift for some organisations. UK firms operating in the region will be expected to comply, and the deadline is less than a year away. Experts Assured Intelligence spoke to have the same, simple message: “There’s no time to waste.”

The buck stops with the board

Despite having arguably more money to spend on cybersecurity than many sectors, financial services firms continue to be targeted relentlessly and successfully by threat actors.

According to Moody’s, cybersecurity spend increased by 51% between 2019 and 2023 to reach around 7% of the overall IT budget. Financial services firms also grew their cybersecurity staff by 25% from 2019-22.


Yet in the year leading up to June 30 2023, UK financial services providers reported three times more breaches to the regulator, the Information Commissioner’s Office (ICO), than in the previous year, according to one estimate. Pension schemes recorded a 4000% annual increase in breach reports.

A separate analysis reveals a 10% increase in cyber incident reports to the Financial Conduct Authority (FCA) between 1H 2022 and 1H 2023. Nearly a third (31%) of these were categorised as ransomware, up 11% during the period. The supply chain continues to be a significant source of cyber risk. Three-quarters (75%) of financial services IT and business leaders admit they are concerned with the growing size of their attack surface.

Against this backdrop, DORA aims to harmonise and strengthen the sector’s ICT governance, risk management and incident reporting, especially among its ‘critical’ IT suppliers such as cloud providers. This could cover a potentially huge list of firms, from payment providers to crypto-asset issuers and investment firms to reinsurers. In line with NIS2 and new SEC cybersecurity rules, it aims to hold boardrooms ultimately responsible for risk and compliance.

What’s in DORA?

As befits an EU cybersecurity regulation, DORA is rigorous and detailed. It breaks down into five key areas:

Cyber risk management: This may require updates to governance, policies, controls, risk assessment, and mapping activities. The board must actively understand and direct cyber risk management strategy and undertake regular training to keep knowledge current.

Incident response/reporting: New requirements for preparation, response and reporting on significant IT incidents, including data breaches.

Supply chain: Contracts with critical third-party IT suppliers must meet a prescriptive set of requirements – including any conditions for subcontracting and maintenance of information registers covering contractual arrangements.

Resilience testing: All IT systems and applications supporting critical/important functions must be tested, and any gaps must be remediated.

Information sharing: DORA seeks to create a “trusted community of financial entities” with regulators and tech providers engaged in proactive information and threat intelligence sharing for the greater good.

Less than a year to go

There’s a lot to do before the January 17 2025 compliance deadline. Sheila Pancholi, partner and national technology and cyber risk assurance lead at accounting giant RSM International, describes DORA as a “juggernaut piece of regulation” applicable to over 22,000 financial and IT companies serving the bloc.

Pancholi tells Assured Intelligence that CISOs should build “threat-led offensive security testing” into cyber programmes to identify security gaps and enhance operational resilience.

“To ensure swift compliance with DORA, CISOs must integrate security within the firm’s operational resilience framework, enforce clear governance and accountability at all levels, and increase their influence on the board amidst growing scrutiny,” she adds.

“They should also collaborate across business areas to map Important Business Services (IBSs), focusing on resilience over mere risk management, including vulnerability assessment and architecture of IT systems, especially concerning third-party dependencies.”

Pancholi claims that ensuring incident classifications align with the European Supervisory Authorities’ criteria and maintaining open communication with regulators and industry peers will also be essential to accelerate compliance.

When managing third-party risk, organisations should carry out comprehensive assessments to determine which contracts are in-scope and how subcontracting arrangements might be impacted, she continues.

“Similar to GDPR, UK organisations may need to include DORA-related compliance assurance within contracts with third-party partners within the EU, including intra-group agreements,” Pancholi adds. “There are many lessons to be learned from introducing previous EU regulatory requirements – with only a year before DORA applies in full, it’s never too early to prepare.”

Use the GDPR and security frameworks

Ropes & Gray counsel, Edward Machin, agrees that the experience of complying with previous EU regulations could help accelerate the DORA process.

“Much like they did when preparing for the GDPR, organisations will need to map how DORA applies to them – which business lines, which data, which suppliers, and so on. In doing so, businesses can leverage the processes they put in place for assessing their GDPR obligations,” he tells Assured Intelligence.


“However, these processes will only go so far. They will need to spend additional time and energy understanding how and where DORA obligations can’t be covered by their existing compliance programme and put a step plan in place to address those obligations. Once that’s done, updating current policies, procedures, and processes to address DORA-specific requirements will be less challenging, particularly where the GDPR and DORA overlap.”

The experience of updating contracts to meet GDPR requirements could also be instructive in building out a process for managing IT service providers in line with DORA, Machin adds.

“However, anyone who lived through a GDPR preparation exercise will remember that it usually took longer – in some cases, much longer – than expected,” he continues. “That lesson should inform your DORA compliance strategy, meaning that if you haven’t already started preparing for DORA, you should do so as soon as possible.”

Sarah-Jayne Van Greune, COO at payments provider Payen, argues that best practice security standards like ISO 27001 can also be a good place to start.

“This globally recognised framework isn’t just a regulatory tick-boxing exercise; it creates a robust information security management system (ISMS) that benefits the entire organisation,” she tells Assured Intelligence.

“An ISMS streamlines internal processes, facilitates communication, and helps identify and address vulnerabilities before they become breaches. ISO 27001 provides a map for teams that guides them toward proactive risk management. Think of this framework as compliance-by-design.”

“Using standardised approaches like this will help organisations navigate DORA compliance with confidence and perhaps even drive competitive advantage by attracting new customers and partners,” Van Greune continues.

She also praises AI-powered RegTech solutions for driving down the risk of reputational damage and hefty fines and turning compliance from a hindrance to a strategic asset. However, first must come training.

“While AI promises huge potential in the world of compliance, such as trawling through large amounts of know your customer data in near-real-time, employees need to know how to use the technology correctly and safely,” Van Greune concludes.

“Equipping staff with a deep understanding of regulations and internal policies through continuous training will make teams more active in the compliance landscape, rather than just passive bystanders.”

It’s important to note that financial services firms and IT suppliers don’t need to suffer a breach to be fined under DORA: non-compliance alone is sufficient grounds for monetary penalties. These could cost 1% of daily turnover for up to six months – a sum that may reach hundreds of millions of pounds.

With just under a year to go until the compliance deadline, there’s plenty at stake.

Edward Machin’s four steps to DORA compliance:

  • Determine which business lines DORA will impact and identify critical internal and external stakeholders.
  • Review existing processes and procedures and determine which can be used or updated to accelerate DORA compliance.
  • Identify organisational and technical compliance gaps and prioritise them for remediation.
  • Ensure management is involved from the beginning so it plays an active role in the DORA compliance journey.
