What is DORA?

Rik Burgering
4 min read

The Digital Operational Resilience Act (DORA) is a key step in bolstering digital operational resilience across the EU financial sector. It is a regulatory framework designed to ensure that banks, insurers, and other financial services companies can prevent, detect, withstand, and recover from cyber threats and other ICT-related operational disruptions.

DORA (Regulation (EU) 2022/2554) entered into force in January 2023, and financial firms were given two years to comply with the new requirements. For compliance and IT teams in finance companies, the application date of 17 January 2025 is the crucial milestone.


Does the DORA legislation apply to your firm?  

If you are a bank, payment or e-money institution, investment firm, insurer, or crypto-asset service provider operating in the EU, then yes, DORA applies to you. It also reaches the ICT third-party providers that serve the sector: every financial entity must impose DORA's requirements on its providers by contract, and providers that the European Supervisory Authorities designate as critical come under direct oversight.

Exploring the 5 pillars of DORA 

The measures set out by the Digital Operational Resilience Act are intended to maintain the stability and trustworthiness of the European financial system and to strengthen the sector's digital resilience. The regulation is organised around five core pillars:

Pillar 1: IT risk management 

EU financial entities will need to demonstrate that they have a strong, consistent, and reliable framework in place to manage ICT-related risks, with the management body accountable for it. At a minimum, that framework must cover risk identification, assessment, and mitigation.

Risk identification: IT and compliance teams at DORA-relevant entities will need to collaborate to identify threats and weaknesses, both actual and potential, throughout the firm's IT landscape and business processes. In practice this starts from an up-to-date inventory of ICT assets and the business functions that depend on them.

Risk assessment: Financial entities will need to assess the likelihood that identified threats materialise, as well as the potential impact of a cyber attack or operational disruption on their critical or important functions.

Risk mitigation: To reduce identified risks to an acceptable level, DORA requires firms to put in place appropriate policies, controls, safeguards, and backup and recovery arrangements, and to review them after incidents and test results.

Pillar 2: Managing, classifying, and reporting on IT-related incidents 

Under this pillar, EU financial firms will be required to put in place a structure covering:

A framework for incident management: This must set out clear processes to detect, log, classify, and respond to ICT-related incidents, including the root-cause analysis that follows them.

Classifying incidents: Firms will need to classify ICT-related incidents by severity and potential impact. DORA's criteria include the number of clients affected, the duration of the incident, its geographical spread, any data losses, the criticality of the services affected, and the economic impact. This classification determines which incidents count as major and informs a prompt, proportionate response.

Reporting protocols: Major ICT-related incidents must be reported to the firm's competent authority within the timelines DORA sets, in stages (an initial notification, an intermediate report, and a final report), so firms need clear reporting protocols and templates ready before an incident occurs.

Pillar 3: Testing resilience in digital operations  

To safeguard operational resilience, financial firms need to run proactive tests across their IT landscape, including the services they depend on from third parties. Entities within DORA's scope need to demonstrate that they understand their capacity to resist digital disruptions and to recover from them if they occur. Specifically, DORA requires:

Running drills for incident response: Firms will need to pressure-test the plans they have created to react to cyber incidents. The regular testing that DORA mandates aims to ensure effective, efficient response and recovery if real cyber attacks do happen, and findings from each test must be tracked through to remediation.

Penetration testing: Simulating attacks enables EU financial firms to find weak points in their infrastructure and contingency planning and to put their security controls to the test. For the entities that supervisors identify as significant, DORA also mandates threat-led penetration testing (TLPT) at least every three years: an intelligence-led exercise that uses the tactics, techniques, and procedures of real attackers against live production systems supporting critical functions.

Vulnerability assessment: Periodic vulnerability assessments and scans need to be carried out across the entity's IT systems and infrastructure, covering both internal and third-party components.
 

Pillar 4: Looking outwards — third-party risk management 

A stand-out element of DORA is that it brings in an Oversight Framework for critical ICT third-party providers across the European Union. This is a recognition of the interconnections underpinning the financial system: It broadens firms' responsibilities to include their providers' digital resilience, too.

Conducting due diligence when bringing in providers: Financial entities will need to assess any prospective ICT third-party provider in detail before contracting. That assessment has to cover the provider's cybersecurity controls and approach to risk management, as well as the concentration risk of relying on one provider for several critical functions.

Third-party performance monitoring: Firms will need to maintain a register of information on all their contractual arrangements with ICT third-party providers, and put in place processes to monitor each provider's security performance and incidents on an ongoing basis.

Updating contracts for DORA requirements: DORA will shift how financial entities approach contracting third parties. Contracts will need to set out service levels, security requirements, incident-notification duties, audit and access rights for the firm and its supervisors, and exit strategies, so that providers demonstrate and maintain DORA-compliant levels of resilience for the life of the arrangement.

Pillar 5: Sharing information on cyber threats

To better defend the European finance sector against cyber attacks, sharing information is key. DORA encourages a collaborative approach in which entities exchange information so that all firms can better safeguard their digital security and operational resilience. Participation in these arrangements is voluntary, but firms that join must protect the data exchanged and notify their competent authority. The regulation promotes:

Collaborating to shape best practices: DORA asks entities across the EU finance ecosystem to contribute to co-developing and rolling out best practices for ensuring resilience in digital operations.

Sharing intelligence about cyber threats: When firms detect threats, vulnerabilities, or indicators of compromise, they are encouraged to share them with other entities in the sector, as well as with the competent authorities.
 

Be ready for DORA compliance 

DORA is a needed step in keeping Europe's finance system trusted, stable, and protected from bad actors. Until the 17 January 2025 application date, and beyond it as supervisors begin enforcing the rules, it will be a top priority for IT and compliance teams in financial firms.

Need to master DORA compliance? Find out from one of our experts how ServiceNow can help you get there.  
