The deadline for DORA compliance is fast approaching – the regulation demands mandatory compliance by January 17, 2025. CIOs and CISOs in financial institutions have less than a month left to address any remaining gaps to compliance with DORA.
In this blog post, we will focus on the five most frequently asked questions about DORA.
1. Why is DORA needed?
From cloud computing to AI, fintech to e-commerce, the rapidly evolving digital landscape is creating new opportunities but also new risks. The EU introduced the Digital Operational Resilience Act (DORA) to harmonise ICT risk requirements across Europe and to strengthen the defences and cyber resilience of the heavily targeted financial sector.
2. What is DORA?
DORA outlines rules and standards for managing, testing, reporting, and mitigating digital operational risk, and for monitoring the use of third-party service providers. Additionally, the act consolidates all these requirements into a single regulatory instrument.
In short, DORA aims to ensure that financial entities can withstand, respond to and recover from unplanned disruptions while minimising the impact on their operations and customers.
DORA applies to financial entities such as traditional and digital banks, credit institutions, insurance and reinsurance undertakings, investment firms and private equity houses operating in the European Union (EU). Third-party service providers that deliver ICT systems and services to financial firms are also included within the scope of the act.
3. What is unique about DORA?
– Rigorous responsibility. The act makes it clear that responsibility for adhering to DORA lies squarely with the board (the management body) of each financial entity. The board is accountable, but the detail in the requirements reveals that the burden of work will fall on compliance and IT departments.
– The level of detail. DORA provides detailed requirements around resilience testing, third-party risk management, and incident reporting. IT leaders should ensure that their teams are aware of the requirements and have the necessary skills.
– Attention to risks introduced by suppliers and subcontractors. DORA mandates a proactive approach to managing ICT third-party risk, including risk that arrives through a supplier’s own subcontractors, so that the entity stays compliant with all regulatory and financial-services requirements regardless of who operates the service.
4. What are the five pillars of DORA regulation?
DORA requires that financial entities establish a sound digital operational resilience framework covering five pillars.
1. ICT risk management and governance
Financial entities must classify and document every ICT asset across all premises, and they will need to establish a risk tolerance level in accordance with the company’s profile. It is also essential to implement an ICT business continuity, response and recovery plan with backups, redundant capacity and secondary facilities, ensuring alignment with suppliers’ own plans.
2. Third-party risk management
It is incumbent on each company to regularly review the risks identified around its contractual arrangements with ICT third-party service providers, and to report at least annually on the number and type of new services it procures.
3. ICT-related reporting
Processes must be in place to detect, track, log and notify about incidents, using integrated monitoring tools with early-warning alerts. The root cause of any issue must be identified, documented and addressed to prevent recurrence.
4. Digital Operational Resilience Testing
To identify weaknesses and gaps in digital operational resilience, a comprehensive testing programme will need to be established with a range of assessments, methodologies, practices and tools appropriate to the threat surface and risk level of each individual company. Financial entities identified as significant must additionally conduct more advanced threat-led penetration testing (TLPT) at least every three years.
5. Information sharing
To increase resilience awareness, financial services companies are encouraged to exchange cyber threat information and intelligence amongst themselves.
To learn more about these five pillars, download our ‘Get ready for DORA’ e-book.
5. What is the penalty for noncompliance?
DORA itself does not fix the penalty amounts for financial entities; it leaves the administrative penalty regime to Member States. The figures commonly quoted are fines of up to 2% of annual worldwide turnover or, for individuals, a maximum of EUR 1,000,000, with the amount varying according to the severity of the violation and the entity’s cooperation with authorities.
Financial entities that fail to report major ICT-related incidents may also be fined. Critical ICT third-party service providers designated by the European Supervisory Authorities (ESAs) are overseen by a Lead Overseer, which can impose periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover, applied daily for up to six months, until the provider complies.
6. How can Ergo help?
For more than 30 years, Ergo has been providing IT services to leading players in banking, insurance, AMIF (Asset Management and Investment Funds), helping them navigate new regulations in a fast-changing threat landscape. Now Ergo is bringing all its experience to bear on readying companies for DORA.
If you still have gaps in your DORA readiness, reach out to us! Our team of experts has extensive expertise across the relevant technologies and can assist you with:
1. Cyber resilience and disaster recovery services
2. Managed detection and response
3. Penetration testing