The Digital Operational Resilience Act (DORA) is set to revolutionise financial sector cybersecurity practices across the European Union (EU), imposing far-reaching obligations on institutions to bolster digital resilience. As the January 17, 2025 deadline looms, financial institutions face the daunting task of overhauling their systems, processes, and partnerships to meet DORA's exacting standards, which will have significant implications for their operations, budgets, and strategic planning.
DORA's overarching aim is to strengthen the EU financial sector's digital resilience, and this breaks down into three main objectives. “First, DORA seeks to enhance operational resilience by improving financial institutions' ability to prevent, manage, and recover from operational disruptions”, explains SANS Instructor Maxim Deweerdt. This includes bolstering their capacity to withstand and respond to cyber threats and other information and communication technology (ICT)-related incidents. “Second, the regulation aims to protect consumers by safeguarding the interests of financial service users”. DORA helps maintain public trust in the financial system by ensuring the continuity and reliability of financial services. It protects consumers from potential losses or service interruptions caused by cyber incidents.
Finally, DORA contributes to ensuring financial stability across the EU. By creating a uniform framework for digital operational resilience, it aims to reduce systemic risks and prevent localised ICT incidents from cascading into broader financial crises. “These three objectives - enhancing operational resilience, protecting consumers, and ensuring financial stability - form the core of DORA's mission to create a more secure and resilient financial ecosystem in the European Union”.
The Scope of DORA
The regulation encompasses a wide range of financial entities, including banks, insurance companies, investment firms, and crypto-asset service providers. It sets out uniform requirements for ICT risk management, incident reporting, digital operational resilience testing, and the management of ICT third-party risk. Deweerdt predicts that the latter will have a significant impact on financial institutions. “DORA also applies to any service providers towards financial institutions. They also need to have the same stringent requirements for escalating incidents”.
This extension of responsibility creates a significant challenge, particularly for smaller service providers. Financial institutions must now carefully assess and monitor the risks associated with their third-party relationships, potentially leading to reevaluating existing partnerships. This expanded scope of compliance increases the complexity of risk management for financial institutions and raises the bar for service providers seeking to work within the EU financial sector.
Several key factors should be considered to determine if an organisation falls within the scope of DORA. First, the type of financial institution is crucial; if it's one of the types listed in DORA's scope (such as a credit institution, investment firm, or payment institution), it's likely subject to the regulation. Second, DORA applies to financial institutions operating within the EU, so a significant presence in the EU is a determining factor. The size and nature of operations also play a role, as larger and more complex institutions may face more stringent requirements. “If there's any uncertainty, I would recommend consulting with legal or regulatory experts who can provide specific guidance on DORA's applicability”, says Deweerdt. Additionally, the European Commission and national supervisory authorities may publish guidance or FAQs to assist financial institutions in determining their applicability to DORA.
The Key Components of DORA
At its core, DORA mandates that financial institutions implement a thorough ICT risk management framework, encompassing everything from strategy alignment to incident detection and mitigation. The regulation also imposes strict incident reporting timelines and requires regular resilience testing, including threat-led penetration testing. It extends its reach to third-party service providers, ensuring a holistic approach to digital operational resilience across the financial sector. DORA is built upon the following five key pillars.
1. ICT Risk Management — The comprehensive ICT risk management framework requirement lies at the heart of DORA. Deweerdt emphasises its importance: “The biggest impact will be on the security teams, specifically the Chief Information Security Officer (CISO). They will need to understand the DORA implications and be able to put that into an organisational risk program”.
This framework must include a digital operational resilience strategy aligned with business objectives, risk tolerance levels and impact analysis for ICT disruptions, clear information security objectives with key performance indicators and risk metrics, and mechanisms for detecting and mitigating ICT-related incidents.
2. Incident Reporting — DORA introduces stringent incident reporting obligations. When dealing with major ICT-related incidents, financial entities must submit three distinct incident reports to the relevant competent authority. The process begins with an initial notification, providing immediate awareness of the incident. An intermediate report follows once the incident status changes significantly, with further updates provided as new information becomes available or upon request from the authority. Finally, a comprehensive final report is submitted once the root cause analysis is completed and actual impact figures are available, regardless of whether mitigation measures have been fully implemented.
Deweerdt notes, “According to DORA, you need to be able to respond quickly and swiftly to incidents. I am guessing there will probably be a lot more tabletop exercises happening at those financial institutes where many people need to participate so that they can practice”.
3. Digital Operational Resilience Testing — The regulation mandates regular testing of digital operational resilience. This includes vulnerability assessments and scans, network security assessments, gap analyses, software security reviews, penetration tests, and threat-led penetration testing (TLPT).
“There's a huge opportunity here in DORA for all red teams and the penetration testers because we now have those TLPTs. These are basically the TIBER-EU framework tests. It's a big opportunity for security organisations if they become certified. They'll have a lot of work because all the financial institutions and, by extension, all of their service providers, need to be able to show that they do these types of assessments”, says Deweerdt.
4. Third-Party Risk Management — DORA extends its reach beyond the organisation itself, imposing strict requirements on third-party providers. “DORA also applies to any service providers to financial institutions. This means they also need to have the same stringent requirements for escalating any incident”.
This aspect of DORA is particularly challenging for smaller service providers. Deweerdt adds, “It will be very challenging for the small ones to comply under the DORA regulation. I think that's going to be the biggest challenge”.
5. Information Sharing — DORA encourages financial institutions and relevant authorities to share information on cyber threats and vulnerabilities. This collaborative approach aims to enhance the financial sector's collective security posture.
“DORA establishes a legal framework to encourage financial entities to exchange information and intelligence on cyber threats. The goals and conditions for such information and intelligence sharing are to enhance the digital operation resilience of financial entities, to be organised within trusted communities of financial entities, and to protect the information shared with respect for confidentiality, protection of personal data, and competition policy. The provisions related to information sharing are not binding and differ from those related to incident reporting, which are mandatory”.
DORA’s Impact On Security Operations Centres and Skillsets
DORA's impact on Security Operations Centres (SOCs) is significant, primarily in expanding their scope and responsibilities. “The biggest implications are on the scope of what needs to be monitored. There is an increase of ensuring we have the right visibility to report all the right incidents”. For financial institutions that already have a SOC, this means enhancing their capabilities to meet DORA's stringent requirements for incident detection, classification, and reporting.
Moreover, DORA mandates that financial institutions without a SOC must establish one. This requirement also extends to service providers, potentially placing a considerable burden on smaller companies. “The biggest implication there is for financial organisations that do not have a SOC environment: they need one”, says Deweerdt. “However, DORA is a lot more challenging for the overall security organisation than it will be for the SOC. The main challenge for DORA is really going to be for the risk teams to figure out how to get that framework in there”.
DORA is also set to significantly impact the skill sets required of security teams in the financial sector, particularly in reshaping the CISO role. “The regulation demands a shift from a purely technical approach to a more business-focused risk management mindset”, Deweerdt explains. “CISOs must evolve into strategic leaders who understand technology and effectively communicate with business leadership and the board”. This transformation requires developing expertise in operational resilience, including incident response, business continuity planning, and crisis management.
Security professionals will need to deepen their knowledge of cybersecurity threats, vulnerabilities, and mitigation techniques, especially concerning an organisation's critical assets. The regulation's emphasis on third-party risk management necessitates due diligence and contract negotiation skills. “Moreover, DORA's complex requirements create a pressing need for continuous learning and development. Security teams must stay updated with evolving threats, regulatory changes, and emerging technologies. This ongoing education is crucial for maintaining compliance and effectively identifying risks, developing mitigation strategies, and demonstrating compliance to regulators”.
Deweerdt explains that the regulation also places new demands on procurement teams. “Anyone working in procurement must be aware of the third-party risk management restrictions that are part of DORA. It is becoming much more challenging for procurement departments to understand what they're feeling and what is required from a security perspective”.
Preparing for DORA Compliance
As the deadline for DORA compliance approaches, financial institutions and their service providers must take proactive steps to prepare. Deweerdt suggests: “Start from the ICT risk management perspective, which is like the foundation of DORA. Go through identification and enumeration of critical services you provide because many other activities are based on these”. Strengthening third-party risk management practices is another crucial aspect of preparation. This involves assessing the risks associated with current providers, developing strategies for ongoing monitoring, and establishing clear exit plans for critical services. “Create a DORA implementation plan, outlining the steps that need to be taken to achieve compliance with DORA. This plan should include timelines, responsibilities, and resource requirements”, Deweerdt says. Training and education will also be crucial as organisations work towards DORA compliance. “Consider seeking advice from external experts to help with the implementation as well as training”.
By proactively understanding and implementing DORA's requirements, organisations can achieve compliance and strengthen their overall cybersecurity posture. As the financial sector continues to evolve in an increasingly digital world, DORA will play a crucial role in ensuring its stability, security, and resilience.
Ready to tackle the challenges of DORA and TIBER-EU? Visit the SANS DORA Resource Hub for expert guidance and practical tools to strengthen your cyber defences today.