Introducing the Digital Operational Resilience Act (DORA), a pivotal EU regulation set to transform the financial sector. Gain valuable insights on its objectives, key requirements, and implementation timeline, while understanding the implications for affected institutions. Explore the roles of supervisory authorities, DORA’s relationship with GDPR, and prepare for compliance with our expert summary, checklist, and data-focused key points. Enhance your knowledge and ensure readiness with our comprehensive guide.
Table of contents:
- 1. What is DORA, Digital Operational Resilience Act?
- 2. When will the DORA regulation come into effect?
- 3. Who will be affected by the DORA regulation?
- 4. What are the main objectives of the DORA regulation?
- 5. What are the key requirements of the DORA regulation?
- 6. How will the DORA regulation impact financial institutions?
- 7. What are the penalties for non-compliance with the DORA regulation?
- 8. What role will supervisory authorities play in enforcing the DORA regulation?
- 9. How does the DORA regulation relate to other EU regulations, such as GDPR?
- 10. DORA Summary for CIOs and CISOs
- 11. DORA Compliance Checklist
- 12. DORA Key Points Related to Data
- 13. SealPath, Information Rights Management (IRM) tool helping to comply with DORA
1. What is DORA, Digital Operational Resilience Act?
The European Commission has issued the Digital Operational Resilience Act (DORA) with the aim of enhancing the operational resilience of the European Union’s financial sector. DORA is structured around three fundamental principles:
1. IT and Cybersecurity Risk Management: Financial institutions must identify, assess, and manage their IT and cybersecurity risks. The regulation requires institutions to establish policies and procedures that safeguard their systems and data from cyber threats.
2. Business Continuity Management: Financial institutions must develop comprehensive business continuity plans, ensuring their ability to provide services to clients during operational disruptions. This encompasses the implementation of backup systems, alternative communication channels, and disaster recovery plans.
3. Supervision and Oversight: The regulation introduces a framework for supervisory and oversight authorities to monitor and evaluate the operational resilience of financial institutions. This includes granting supervisory authorities the authority to conduct inspections, request information, and impose sanctions when necessary.
DORA is designed to fortify the EU’s financial sector by guaranteeing that financial institutions possess the essential processes, systems, and controls to withstand and respond to operational disruptions effectively.
2. When will the DORA regulation come into effect?
The DORA regulation is set to come into effect on the 17th of January 2025. This date marks a key milestone for financial institutions, as they will need to comply with the new requirements outlined in the legislation.
As we approach the implementation date, it’s essential for financial institutions to familiarize themselves with the DORA regulation and take the necessary steps to ensure compliance. With the regulation coming into effect on January 17th, 2025, now is the time for financial institutions to prepare and adapt to these new requirements.
3. Who will be affected by the DORA regulation?
The Digital Operational Resilience Act regulation will be applicable to all financial institutions operating within the European Union (EU), encompassing banks, investment firms, trading platforms, central counterparties, and other financial market infrastructures. The standard specifically mentions the following:
“…The regulation covers a range of financial entities regulated at Union level namely credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, managers of alternative investment funds and management companies, data reporting service providers, insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, institutions for occupational retirement pensions, credit rating agencies, statutory auditors and audit firms, administrators of critical benchmarks and crowdfunding service providers”.
The regulation specifically states that it applies to all financial institutions, irrespective of their size or complexity.
In conclusion, the DORA regulation will impact all financial institutions operating within the EU.
4. What are the main objectives of the DORA regulation?
The DORA regulation has four main objectives:
1. Enhancing the EU’s Financial Sector Operational Resilience: The regulation strives to guarantee that financial institutions possess robust processes and systems to withstand and respond to operational disruptions such as cyberattacks, IT failures, and other threats.
2. Augmenting Customer Data Protection: The regulation mandates financial institutions to implement effective cybersecurity measures to safeguard customer data and avert data breaches.
3. Establishing a Level Playing Field across the EU: The regulation introduces a uniform set of standards and requirements for operational resilience, ensuring that all financial institutions operating within the EU adhere to the same standards.
4. Reinforcing the Role of Supervisory Authorities: The regulation endows supervisory authorities with enhanced powers to monitor and evaluate the operational resilience of financial institutions, and take necessary actions to address any weaknesses or failures.
5. What are the key requirements of the DORA regulation?
The European Commission’s issued regulation outlines several crucial requirements that financial institutions operating within the EU must adhere to. These requirements encompass:
- Mapping and testing: Financial institutions must map and test their critical business services, processes, and IT systems to identify and manage operational risks.
- Outsourcing: Financial institutions must implement adequate measures to manage risks associated with outsourcing critical functions or services.
- Incident reporting: Financial institutions must report incidents that significantly impact the continuity of their services or pose a threat to the financial system.
- Cybersecurity: Financial institutions must adopt appropriate and effective cybersecurity measures to prevent cyber threats and data breaches.
- Risk management: Financial institutions must establish a robust risk management framework, fully integrated into their overall business strategy.
- Governance and oversight: Financial institutions must maintain clear lines of responsibility and accountability for operational resilience, with the board of directors responsible for overseeing the institution’s operational resilience.
- Business continuity planning: Financial institutions must develop comprehensive and effective business continuity plans to ensure the continuity of their critical business services in the event of a disruption.
- Testing and training: Financial institutions must regularly test and update their operational resilience plans and provide training to staff, ensuring preparedness to respond to operational disruptions.
6. How will the DORA regulation impact financial institutions?
DORA is expected to significantly affect financial institutions operating within the European Union (EU). Here are some ways the regulation is likely to influence these institutions:
- Increased compliance costs: Financial institutions will need to invest in additional resources, processes, and systems to comply with the new requirements outlined in the regulation, potentially leading to increased compliance costs.
- Increased regulatory oversight: The regulation grants supervisory authorities heightened powers to monitor and assess the operational resilience of financial institutions, resulting in increased regulatory oversight and potentially more frequent and rigorous regulatory examinations.
- Changes in business practices: Financial institutions may need to modify their business practices to comply with the new requirements outlined in the regulation. For instance, they may need to review and update their outsourcing arrangements, enhance their cybersecurity measures, and improve their business continuity plans.
- Greater emphasis on risk management: The regulation emphasizes risk management and mandates financial institutions to establish a robust risk management framework, requiring the development and implementation of more rigorous risk management processes and procedures.
- Improved operational resilience: Ultimately, the regulation aims to improve the operational resilience of financial institutions. By complying with the requirements, financial institutions will be better prepared to withstand and respond to operational disruptions, such as cyberattacks, IT failures, and other threats.
While the DORA regulation may pose challenges for financial institutions, it is also expected to result in improved operational resilience, ultimately benefiting both the institutions and their customers.
7. What are the penalties for non-compliance with the DORA regulation?
Financial institutions may face various consequences for failing to comply with the regulation, such as:
- Administrative fines: Financial institutions can be fined up to 10 million euros or 5% of their total annual turnover, whichever is higher, for serious infringements of the regulation.
- Remedial measures: Supervisory authorities may require financial institutions to take remedial measures to address any weaknesses or failures in their operational resilience.
- Public reprimands: Supervisory authorities may publicly reprimand financial institutions that fail to comply with the requirements of the regulation.
- Withdrawal of authorization: Supervisory authorities may withdraw the authorization of financial institutions that repeatedly fail to comply with the requirements of the regulation.
- Compensation for damages: Financial institutions may be required to compensate customers or third parties for any damages resulting from a failure to comply with the requirements of the regulation.
It is important to note that the exact penalties for non-compliance may vary depending on the specific circumstances and the severity of the infringement.
8. What role will supervisory authorities play in enforcing the DORA regulation?
Supervisory authorities hold a vital role in the enforcement of the DORA regulation. The regulation provides that these authorities, including national competent authorities and the European Banking Authority (EBA), will oversee and ensure compliance with the regulation’s requirements.
Key responsibilities of supervisory authorities encompass:
- Evaluating operational resilience: Authorities will assess the operational resilience of financial institutions in their jurisdiction, which involves examining operational resilience plans, mapping and testing critical business services, IT systems, processes, and reviewing outsourcing arrangements.
- Performing on-site inspections: Authorities may carry out on-site inspections at financial institutions to confirm compliance with the regulation’s requirements. Inspections can target specific risk areas or encompass the entire organization.
- Enforcing penalties: Authorities have the power to impose penalties on financial institutions that fail to meet the regulation’s requirements. Penalties can range from administrative fines, remedial actions, public reprimands, to withdrawal of authorization.
- Providing guidance: Authorities may offer guidance and best practices to support financial institutions in complying with the regulation’s requirements. This guidance may cover risk management, cybersecurity, business continuity planning, and other aspects of operational resilience.
- Fostering coordination: The DORA regulation highlights the importance of coordination and cooperation among supervisory authorities at national and European levels. Authorities will be accountable for promoting this coordination, ensuring that financial institutions adhere to consistent and harmonized supervisory practices throughout the EU.
9. How does the DORA regulation relate to other EU regulations, such as GDPR?
The Digital Operational Resilience Act (DORA) regulation and the General Data Protection Regulation (GDPR) are distinct regulations addressing various aspects of data protection and cybersecurity within the European Union. Nevertheless, there are crucial ways in which these two regulations intersect.
First, both DORA and GDPR emphasize the protection of personal data and the assurance of its confidentiality, integrity, and availability. While DORA primarily targets the operational resilience of financial institutions, it also mandates these institutions to safeguard customer data and adhere to data protection regulations.
Second, DORA and GDPR require financial institutions to perform risk assessments and implement suitable risk management measures to defend against cyber threats and data breaches. DORA sets specific requirements for financial institutions to identify and mitigate operational risks, while GDPR obliges organizations to evaluate risks to personal data and apply appropriate technical and organizational measures to protect it.
Lastly, DORA and GDPR impose substantial penalties for non-compliance. Financial institutions failing to meet DORA requirements may face fines up to 10 million euros or 5% of their total annual turnover. Meanwhile, GDPR can impose fines up to 20 million euros or 4% of the total annual global turnover, whichever is higher.
Financial institutions subject to both regulations must carefully examine their obligations under each regulation and ensure the implementation of appropriate measures to comply with both regulations.
10. DORA Summary for CIOs and CISOs
The DORA regulation is a crucial piece of legislation governing how organizations manage operational risks, including cyber threats and data breaches.
Here’s a summary of the essential points to understand about DORA:
- Scope: DORA applies to all financial institutions in the European Union, such as banks, insurance companies, and investment firms.
- Objectives: The regulation aims to guarantee the operational resilience of financial institutions by requiring them to identify and manage operational risks and adopt measures to prevent and mitigate cyber threats and data breaches.
- Requirements: DORA mandates financial institutions to conduct regular risk assessments, develop business continuity plans, and test their IT systems and processes to ensure resilience against cyber threats and other operational risks. Additionally, institutions must protect customer data and adhere to data protection regulations.
- Supervision: National competent authorities and the European Banking Authority (EBA) will oversee and enforce compliance with the regulation, which may include on-site inspections, issuing guidance, and imposing penalties for non-compliance.
- Penalties: Non-compliant financial institutions may face fines up to 10 million euros or 5% of their total annual turnover.
As a CISO or CIO, it is crucial to ensure your organization implements appropriate measures to comply with DORA. This may involve reviewing and updating your risk management framework, regularly testing and assessing your IT systems and processes, and ensuring compliance with data protection regulations. Staying up to date with guidance and best practices issued by supervisory authorities is also essential to ensure your organization meets its obligations under the regulation.
11. DORA Compliance Checklist
Here is a checklist of essential areas to consider for ensuring compliance with DORA:
- Risk management: Perform regular risk assessments to identify and manage operational risks. Establish a risk management framework comprising policies, procedures, and controls to mitigate identified risks.
- Business continuity planning: Create and maintain a comprehensive business continuity plan detailing your organization’s response to operational disruptions, including cyber threats and data breaches.
- IT and security testing: Test your IT systems and security controls regularly to ensure resilience against cyber threats and other operational risks. This may involve penetration testing, vulnerability assessments, and IT system audits.
- Incident management: Develop and maintain an incident management plan outlining your organization’s response to operational incidents, including cyber threats and data breaches. Regularly test and update incident response procedures.
- Data protection: Safeguard customer data and adhere to data protection regulations, such as the General Data Protection Regulation (GDPR). Implement appropriate technical and organizational measures to protect personal data and conduct regular audits to ensure compliance.
- Outsourcing: Subject third-party service providers and vendors to proper oversight and due diligence processes. Consider incorporating contractual provisions requiring third parties to comply with DORA regulation requirements.
- Reporting: Establish and maintain suitable reporting mechanisms to inform your organization’s management and supervisory authorities of significant operational incidents and risks.
- Compliance monitoring: Monitor compliance with DORA requirements regularly, including self-assessments, internal audits, and risk assessments.
By addressing these key areas, your organization can take steps to ensure compliance with DORA and promote operational resilience.
12. DORA Key Points Related to Data
The DORA regulation emphasizes data management and protection, recognizing the critical role data plays in the operational resilience of the financial sector.
The regulation includes several key points related to data, as follows:
- Data management: Financial institutions must establish robust data management frameworks to ensure the accuracy, completeness, and integrity of their data. This includes creating data governance structures, data quality assurance processes, and data lineage documentation.
- Data sharing: Financial institutions need appropriate mechanisms for sharing data with competent authorities, including the European Banking Authority (EBA), national supervisory authorities, and other necessary third parties.
- Outsourcing of data-related activities: Financial institutions must ensure that their outsourcing arrangements for data-related activities do not compromise the operational resilience of the institution. This includes guaranteeing that outsourcing arrangements do not result in a loss of control over data and that adequate oversight mechanisms are in place.
- Cybersecurity: Financial institutions are required to implement effective cybersecurity measures to protect their data from cyber threats. This includes adopting measures such as access controls, encryption, and incident response plans.
- Reporting requirements: Financial institutions must report significant incidents affecting their data and IT systems to competent authorities, including the EBA, within strict timeframes.
13. SealPath, Information Rights Management (IRM) tool helping to comply with DORA
An Information Rights Management (IRM) tool can help your company comply with several sections of the Digital Operational Resilience Act (DORA) regulation, including:
- Risk management: An IRM tool can help your organization identify and manage operational risks associated with the protection of sensitive information. The tool can provide you with visibility into who has access to sensitive data, how it is being used, and whether there are any vulnerabilities in the data protection measures you have in place.
- Data protection: The tool can help you classify and label sensitive data, enforce access controls, and track data usage to ensure compliance with regulatory requirements.
- Incident management: An IRM tool can help your organization respond to operational incidents, including data breaches. The tool can provide you with real-time alerts when unauthorized access attempts occur, allowing you to take immediate action to mitigate the risk of a data breach.
- Outsourcing: An IRM tool can help your organization ensure that third-party service providers and vendors are subject to appropriate oversight and due diligence processes. The tool can help you enforce data protection requirements and ensure that third parties are complying with the requirements of the DORA regulation.
- Reporting: An IRM tool can provide you with detailed reports on data usage, access controls, and compliance with regulatory requirements. This can help you meet reporting obligations under the DORA regulation and provide supervisory authorities with the information they need to monitor compliance.
Here is a list of some of the relevant articles related to data and how SealPath’s features can help organizations comply with specific articles of DORA:
Article 5: Governance and organisation
“(b) put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity and confidentiality, of data;”
How can SealPath help?
SealPath’s collaboration features, such as access to protected documents from the browser and cross-platform compatibility, ensure that authorized users can access the data they need, whenever they need it. The automation features like automatic protection in cloud repositories (Box, Dropbox, and G-Suite) and email (Outlook and Exchange) ensure that data remains available across various platforms.
Integrated authentication features like Active Directory (AD), LDAP, Single Sign-On (SSO), and Identity federation help in verifying the identity of users accessing the data, ensuring that only authorized users can access the sensitive information.
Auditing features like access audits and alerts for blocked users help in tracking and identifying any unauthorized attempts to access the data, further ensuring the authenticity of data access.
Data encryption ensures that the data remains confidential and is only accessible to authorized users.
The granular access rights, remote document deletion, and control over subnets or IPs from which the information can be accessed, all contribute to maintaining the confidentiality of the data by restricting access to only those who need it.
Article 6: ICT risk management framework
Requires entities to establish and maintain an ICT risk management framework that identifies, assesses, and manages risks associated with their ICT systems.
“2. The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets, including computer software, hardware, servers, as well as to protect all relevant physical components and infrastructures, such as premises, data centres and sensitive designated areas, to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorised access or usage.”
How can SealPath help?
Strategies and Policies:
SealPath’s dynamic data protection features, such as granular access rights and encryption, provide organizations with the necessary strategies to protect their information assets from unauthorized access or usage.
The ability to set expiry dates, watermarks, and offline access allows organizations to implement data protection policies tailored to their specific needs.
Procedures and ICT Protocols:
SealPath’s maximum ease of use features, such as the intuitive and easy-to-manage interface, facilitate the implementation of data protection procedures and ICT protocols.
The integrated authentication features (AD, LDAP, SSO, Identity federation) ensure that only authorized users can access the protected data, in line with the organization’s ICT protocols.
Article 9: Protection and prevention
“d) implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes;”
How can SealPath help?
SealPath ensures that sensitive data is encrypted and safe from improper access. This encryption process is based on the approved data classification and ICT risk assessment processes, which helps organizations protect their critical information.
SealPath supports various authentication methods such as Active Directory (AD), LDAP, Single Sign-On (SSO), and Identity federation. These mechanisms provide strong authentication and ensure that only authorized users can access the protected data.
Contact our team of experts to learn about all the sections of the regulation in which SealPath helps you to comply with the requirements.