Primer on the New DORA Cybersecurity Regulations

A staggering increase in cyberattacks with wide-reaching impacts has spurred the introduction of cybersecurity regulations across the globe. You’ve probably heard about DORA, which stands for the “Digital Operations Resilience Act.” One of the most expansive acts of its kind, DORA was recently adopted by the European Union as a way to strengthen the IT security of financial organizations like banks, investment firms and insurance companies. Read on to get a primer on what DORA entails.

What is DORA?

DORA came about several years ago as it became clear that the lack of unified cybersecurity standards among financial entities across Europe posed a significant risk to countries’ financial resilience. The biggest issue? Lack of supply chain regulations among the third-party information and communication technology (ICT) vendors. These are the companies providing services to financial organizations such as cloud computing, mobile devices and apps, search engines, data analytics, database management, internet services and more.

As we’ve seen in recent history, third parties can often be the source of a breach, as the cybersecurity guidelines they follow may not be as stringent as the companies to which they’re providing their products and services.

DORA mandates these third-party ICT companies, along with the financial entities they serve, follow a set of strict new guidelines aimed at ensuring operational resilience.

What makes DORA different than other regulations?

Financial institutions are no stranger to regulatory requirements, but DORA takes a different approach to what these institutions are accustomed to. Instead of looking at risk from a capital (quantitative) perspective, financial organizations are now required to address behavior- and performance-based requirements that support a more operationally sound cybersecurity posture.

According to the EU, these include a focus on more qualitative elements like, “…protection, detection, containment, recovery and repair capabilities against ICT-related incidents or through setting out reporting and digital testing capabilities.”

DORA’s inclusion of third-party ICT companies is also a bit different. In recent years, ICT companies have focused their compliance efforts on data privacy and data breach notifications (i.e., GDPR). Now these companies will not only need to follow those regulatory frameworks, but also DORA, making ICT companies almost an extension of the financial organizations they serve.

Where is DORA applicable?

DORA applies to financial institutions and their ICT vendors in all 27 EU member countries, including France, Germany, Spain, Sweden, Finland, Netherlands and Greece. While financial institutions or ICT companies operating outside of the EU aren’t affected, any enterprises servicing the EU finance sector in any way will most likely be required to adhere to DORA regulations.

When does DORA go into effect?

DORA was adopted by The Council of the European Union on Nov. 28, 2022 and will likely have a 24-month implementation period. Therefore, it’s expected to be fully instituted in late 2024. While it might seem like a long way away, it’s never too soon for organizations to begin preparing and training for the regulatory changes.

Where can I get more information about DORA?

DORA has a comprehensive website with information you can review to learn more about it. You can also view the Council’s press release, which provides links to an abundance of helpful DORA resources.