DORA: The EU Digital Operational Resilience Act

Financial companies are facing mounting pressure to enhance their cybersecurity measures, as recent data places the financial sector as the second-highest globally in terms of cyber incident damage, with losses reaching approximately $5.9 million per incident, surpassing the $4.45 million industry average.

In response to these escalating cyber threats, the European Union has introduced the Digital Operational Resilience Act (DORA), which focuses on strengthening the IT security of financial entities, including banks, insurance companies, and investment firms, to ensure resilience in the event of serious operational disruptions and to prevent and mitigate cyber threats.

With DORA officially in force since January 2023, and a two-year implementation period underway, financial institutions are expected to achieve full compliance by early 2025. 

Prior to the introduction of DORA, many organisations were not effectively managing all components of operational resilience. The legislation fills this gap by mandating rules for protecting against ICT incidents and monitoring third-party risks.

Below, we explore DORA’s key aspects, its impact, and the importance of cybersecurity within the sector and ICT third-party services. 

What is DORA?

DORA is a comprehensive legislative framework designed to enhance the cybersecurity and operational resilience of the financial sector within the European Union. The act aims to address the increasing challenges posed by cyber threats, ensuring that financial companies are well-prepared to withstand and recover from potential disruptions.

What are the key components of DORA?

DORA comprises five key pillars: 

Rethinking Risk Management: DORA drives a shift in financial risk management, requiring institutions to reassess governance, policies, controls, and risk assessments.

New Incident Reporting: DORA introduces updated rules for handling ICT incidents, extending beyond GDPR to include broader incidents and voluntary reporting of cyber threats.

Focus on Resilience Testing: DORA emphasises resilience testing through threat-led penetration testing on critical ICT systems, with a focus on effective follow-up actions.

Revamping Third-Party Risk Management: Companies using third-party ICT services are accountable for legal and regulatory compliance. Management of third-party ICT risk should align with the scale and complexity of business operations. 

Encouraging Information Sharing: DORA promotes enhanced threat intelligence sharing among financial institutions, fostering a “trusted community” for exchanging information.

These pillars safeguard digital infrastructure and ensure compliance with rules for protecting against ICT risks.

Specifically for third-party risk management DORA requires: 

ICT Third-Party Risk Strategy: Businesses, except micro-enterprises, must adopt and regularly review a strategy for managing ICT third-party risk, especially for critical functions.

Maintenance of Register: Businesses must document and update contracts with third-party providers and distinguish critical functions from others, accessible to competent authorities.

Reporting: Yearly reporting on new arrangements and timely notification of planned contractual arrangements for critical functions are mandated.

Pre-Contract Due Diligence: Before contracting, businesses must assess risks, costs, subcontracting possibilities, insolvency laws, data protection, and subcontracting chains.

Access, Audit, and Inspection: Businesses must pre-determine audit frequencies and areas, ensuring auditors possess necessary skills, especially for highly complex ICT services.

Exit Strategies: Contracts must allow termination under various circumstances, with comprehensive exit strategies focusing on risk mitigation and continuity of services.

Contractual Requirements: Contracts must be in writing and include details such as service level agreements, data protection provisions, termination rights, and participation in security awareness programs. 

How C2 can support with the requirements of DORA and third party risk management

To address these requirements, companies can utilise solutions like C2’s DORA Compliance Vendor Assessment. With the DORA Compliance Vendor Assessment, companies can visualise and manage digital risk in one place. By segmenting suppliers based on risk severity and utilising C2’s simple 5-step process – Segment, Assess, Manage, Monitor, and Report. Businesses can efficiently reduce and mitigate supplier chain vulnerabilities and ensure adherence to DORA legislation.

C2 enables active monitoring through 100,000 data points, facilitates collaboration for remediations, and generates meaningful reports for different stakeholders. With C2’s DORA Compliance Vendor Assessment, businesses can streamline their third-party risk management processes, ensuring compliance and resilience in the face of evolving regulatory landscapes.

By setting forth comprehensive guidelines and requirements, DORA aims to create a resilient and secure digital environment for the financial sector, ultimately safeguarding the interests of both consumers and the financial industry as a whole. Leveraging C2’s solution for DORA assessments will ensure that your organisation is adhering to the DORA comprehensive legislative framework. 

To find out more about how C2 can help your business meet the requirements of DORA, get in touch with a member of our team today.

About C2

C2 is a UK risk management scaleup on a mission to help businesses survive and thrive in the digital economy. C2 helps organisations manage security and compliance in a way that’s unique to their business and that does more than simply ticking off digital checkboxes. C2’s industry-leading platform supports the public and private sectors in managing their threat landscape and improving vendor controls, project, privacy, and ESG risks.