DORA
Digital Operational Resilience Act
The financial sector within the EU faces increased demands on cyber security and business continuity. To meet these challenges, the European Union has introduced DORA. This regulatory framework aims to strengthen financial actors' ability to deal with cyber threats and ensure that their operations can continue to function even during digital disruptions. Starting on January 1, 2023, companies have until January 2025 to implement the measures to be fully compliant.

What is DORA
DORA is a comprehensive framework that focuses on building digital resilience within the financial sector. By harmonizing and standardizing security requirements in information and communication technology (ICT), companies should be able to face and resist cyber attacks and other digital disruptions. A central goal of DORA is to ensure that companies not only react to threats, but also actively prevent and minimize the risks of disruption.

Technical requirements in DORA
One of the most prominent parts of DORA is the technical requirements placed on financial actors and their IT infrastructure. These requirements are intended to ensure a robust and secure digital environment that can handle today's increasingly sophisticated cyber threats.
Risk management
One of DORA's most important requirements is that all financial actors must have comprehensive systems to manage risks linked to their ICT infrastructure. Companies must identify critical functions and assets, ensure these are protected with appropriate security controls, and monitor them so that anomalies or cyber threats are detected quickly. This includes both technical solutions, such as intrusion detection systems, and processes to continuously review and update protection against new threats.
Incident management and reporting
DORA also introduces requirements for companies to effectively manage and report cyber incidents. Companies need to be able to classify each incident according to specific criteria set by the EU regulatory authorities (ESA) and deliver multiple reports, from an initial report to a final one. This reporting structure helps create transparency and coordination at EU level, and ensures that cyber incidents are dealt with in a consistent manner.
Regular security tests
To ensure IT systems are resilient against cyber threats, DORA requires all financial firms to carry out regular testing of their systems. This includes annual testing to identify vulnerabilities and, for some larger players, comprehensive threat-led penetration testing (TLPT) every three years. These tests simulate real attacks to verify that the systems can withstand them. Vulnerabilities discovered during testing must be addressed immediately.
Third Party Providers
Another important part of DORA is the management of ICT services from third-party providers. The regulation requires companies to carefully review and monitor their external suppliers to ensure that they too maintain the same high security standards. This applies not only to cloud providers, who were previously a particular focus, but to all providers of IT services. The agreements with these providers must include detailed information about service levels, data storage and security measures.
Data Protection and Privacy
To meet the technical requirements of DORA, encryption plays a central role. Encryption is one of the most effective methods of protecting sensitive information, and DORA emphasizes the need to use strong encryption both for data at rest and in transit. By encrypting customer data, financial transactions and other critical information, companies can reduce the risk of data breaches and ensure that even if the data were to be accessed by unauthorized persons, it is unusable without the right encryption key.
In addition to encryption, companies under DORA must ensure the integrity and availability of data, whether internal information or customer data. Technical solutions are required to prevent data loss and ensure that only authorized personnel have access to critical systems. Here, the use of multi-factor authentication (MFA) and other security tools can help further strengthen protection.
Impact on Financial Actors
DORA applies to a broad spectrum of financial actors, from banks and insurance companies to crypto-asset service providers and crowdfunding platforms. Third-party providers that offer critical ICT services are also covered. For providers outside the EU, this means that they must establish subsidiaries within the Union in order to continue offering services to EU-based companies. By including new actors, such as crypto-based financial services and alternative investment funds, DORA reflects how quickly the financial industry has been digitalized. The framework means that all actors, large and small, must take greater responsibility for cyber security.
Continuity and Resilience
One of DORA's primary goals is to ensure that financial companies can continue their operations even during cyber attacks or major IT failures. This places high demands on companies' ability to build resilient systems, where techniques such as encryption and advanced security solutions play a decisive role. In practice, this means that companies must have detailed crisis plans and solutions that allow them to return to normal operations quickly after an incident. By setting high requirements for digital security, incident management and cooperation with third-party providers, DORA creates a robust foundation for the financial sector to withstand future cyber threats and ensure stability in an increasingly digital world.