DORA: Digital Operational Resilience Act

The financial sector within the EU faces increased demands on cyber security and business continuity. To meet these challenges, the European Union has introduced DORA, Regulation (EU) 2022/2554. This regulatory framework aims to strengthen financial entities' ability to deal with cyber threats and to ensure that their operations keep functioning even during digital disruptions. DORA entered into force on 16 January 2023 and applies from 17 January 2025, which gave companies a two-year window to implement the measures and be fully compliant.

What is DORA

DORA is a comprehensive framework that focuses on building digital resilience within the financial sector. By harmonizing and standardizing security requirements in information and communication technology (ICT), companies should be able to face and resist cyber attacks and other digital disruptions. A central goal of DORA is to ensure that companies not only react to threats, but also actively prevent and minimize the risks of disruption.

Technical requirements in DORA

One of the most prominent parts of DORA is the technical requirements placed on financial actors and their IT infrastructure. These requirements are intended to ensure a robust and secure digital environment that can handle today's increasingly sophisticated cyber threats.

Risk management
One of DORA's most important requirements is that every financial entity must maintain an ICT risk management framework covering the risks linked to its ICT infrastructure, with the management body ultimately responsible for it. Companies must identify their critical or important functions and the ICT assets that support them, protect those assets with appropriate security controls, and monitor them continuously so that anomalies and cyber threats are detected quickly. This covers both technical controls, such as intrusion detection and logging, and processes for regularly reviewing and updating the protection as new threats emerge.

Incident management and reporting
DORA also introduces requirements for companies to effectively manage and report ICT-related incidents. Companies must classify each incident according to criteria specified by the European Supervisory Authorities (the ESAs: EBA, EIOPA and ESMA), and major incidents must be reported to the competent authority in stages: an initial notification, an intermediate report and a final report. This reporting structure creates transparency and coordination at EU level and ensures that incidents are handled and reported in a consistent manner across member states.

Regular security tests
To ensure IT systems are resilient against cyber threats, DORA requires financial entities to test their ICT systems and applications regularly. Systems supporting critical or important functions must be tested at least yearly, using methods such as vulnerability assessments, scenario-based tests and penetration tests. Entities identified by their competent authority, typically the larger and systemically important ones, must in addition carry out threat-led penetration testing (TLPT) at least every three years. TLPT simulates the tactics, techniques and procedures of real attackers against live production systems, so the results show how the organisation actually holds up rather than how it is documented to. Weaknesses discovered during testing must be classified, prioritised and remediated, and the follow-up must be tracked.

Third Party Providers
Another important part of DORA is the management of ICT services from third-party providers. The regulation requires companies to assess and monitor their external suppliers to ensure that they too maintain the same high security standards, and to keep a register of information on all contractual arrangements for ICT services. This applies not only to cloud providers, who were previously a particular focus point, but to all providers of ICT services. The contracts with these providers must include detailed provisions on service levels, where data is processed and stored, security measures, audit and access rights, and exit strategies so that a provider can be replaced without disrupting critical functions.

Data Protection and Privacy
Encryption plays a central role in meeting the technical requirements of DORA. It is one of the most effective methods of protecting sensitive information, and DORA and its supporting technical standards require financial entities to have policies on encryption and cryptographic controls covering data at rest and data in transit. By encrypting customer data, financial transactions and other critical information, companies reduce the impact of a data breach: even if the data is accessed by unauthorized persons, it is unusable without the corresponding key. Key management is therefore as important as the algorithm choice, since a leaked or poorly protected key undoes the protection entirely.
In addition to confidentiality, companies under DORA must ensure the integrity and availability of data, whether internal information or customer data. Technical controls are required to prevent data loss and to ensure that only authorized personnel have access to critical systems, following the principle of least privilege. Strong authentication mechanisms, in particular multi-factor authentication (MFA) for privileged and remote access, further strengthen this protection.

Impact on Financial Actors

DORA applies to a wide range of financial entities, from banks and insurance companies to crypto-asset service providers and crowdfunding platforms. ICT third-party service providers that the ESAs designate as critical to the financial sector also fall under a Union-level oversight framework. For a designated critical provider established outside the EU, this means that it must set up a subsidiary within the Union within twelve months of designation in order to continue providing services to EU financial entities; this obligation applies to designated critical providers, not to every foreign supplier. By including new players, such as crypto-based financial services and alternative investment funds, DORA reflects how quickly the financial industry has been digitised. The regulation means that all entities, large and small, must take greater responsibility for cyber security, although proportionality applies and the smallest entities face simplified requirements.

Continuity and Resilience

One of DORA's primary goals is to ensure that financial companies can continue their operations even in the event of cyber attacks or major IT breakdowns. This places high demands on companies' ability to build resilient systems, where controls such as encryption, segmentation and monitoring play a decisive role. In practice, this means that companies must have an ICT business continuity policy together with tested response and recovery plans, including backup and restore procedures, that allow them to return to normal operations quickly after an incident. By placing high demands on digital security, incident management and the handling of third-party providers, DORA creates a robust foundation for the financial sector to withstand future cyber threats and ensure stability in an increasingly digital world.