Understanding DORA: The EU's Digital Operational Resilience Act

8 May 2024

by Deborah Theseira

Introducing DORA

The European Union (EU) is taking an important step towards safeguarding the financial landscape with the Digital Operational Resilience Act (DORA), an initiative that falls under the new Digital Finance Strategy and focuses specifically on how financial firms should manage digital risk. The legislation was introduced on 16 January 2023, giving financial entities two years to become compliant before it comes into effect on 17 January 2025.

This is a change that Enterprise Architects and CIOs in the financial sector will want to pay attention to. DORA represents a major shift in regulatory requirements, mandating robust cybersecurity measures and contingency plans for both financial institutions and their third-party service providers.

The Digital Operational Resilience Act is more than just regulatory compliance. Enhanced digital operational resilience fosters a more secure financial ecosystem, protecting sensitive customer data, boosting consumer confidence, and minimizing systemic risk. By proactively preparing for DORA EU regulation, businesses can not only ensure compliance but also gain a competitive advantage in the evolving financial landscape.

Learn how the Ardoq platform is empowering financial institutions with their digital transformations and resilience, including preparing for DORA compliance: Why Ardoq's Approach to DORA

What Is DORA (the Digital Operational Resilience Act), and Why Is It Important?

DORA establishes a robust regulatory framework that aims to prevent, detect, and respond to cyber threats and operational disruptions. Here's a high-level overview of what DORA is and what it entails:

  • Focus on Risk Management: DORA requires establishing a comprehensive ICT risk management framework involving vulnerability assessments, mitigation strategies, and ongoing monitoring.
  • Third-Party Scrutiny: Financial institutions must conduct thorough due diligence and potentially onboard only DORA-compliant third-party providers to strengthen the overall security posture.
  • Incident Response and Testing: DORA mandates periodic digital operational resilience testing capabilities and requires the implementation of management systems to monitor and report significant ICT-based incidents to the relevant authorities.

Who Does the DORA Regulation Apply to?

The Digital Operational Resilience Act applies to a wide range of financial institutions, including banks, payment service providers, and critical infrastructure providers within the financial sector. Additionally, any third-party service providers delivering Information and Communication Technology (ICT) services to these financial institutions fall under DORA's purview. KPMG has a detailed list of entities impacted by DORA.

Safeguarding Our Financial Future: Why is DORA Needed?

Modern finance thrives on robust digital infrastructure. Banks, payment services, and investment firms rely heavily on technology to deliver core services. From secure online banking platforms to real-time transactions, these systems underpin the smooth functioning of the financial ecosystem.

This dependence on technology brings inherent risks. Cyberattacks are a constant threat, with the potential to cripple financial operations, compromise sensitive data, and erode consumer confidence. Additionally, IT disruptions caused by technical failures or natural disasters can have equally devastating consequences.

According to a Lloyd's of London scenario analysis,

“If a cyber attack on a major financial services payment system were to take place, the global loss could reach $3.5 trillion over a five-year period.”

DORA has been introduced in an attempt to mitigate this tremendous potential cost to organizations and to the larger economy, while also safeguarding the security and privacy of individual citizens and the services upon which they rely.

The Benefits of Compliance With DORA

In 2020, the FBI determined that business email compromise remains the most significant cyber threat. The UK’s National Cyber Security Centre (NCSC) also warned about phishing campaigns and issued guidance that includes deploying the global industry standard protocol, DMARC, as the first line of defense.

Businesses, however, generally have been slow to address significant cyber threats. While the Digital Operational Resilience Act presents challenges for IT leaders in the financial sector, it also brings the opportunity to address potential security weaknesses. Though implementing DORA provisions requires effort, the benefits are substantial:

  • Enhanced security: DORA compels financial institutions to adopt robust cybersecurity measures, which translates to a more secure financial ecosystem as a whole. A more secure financial environment protects valuable data, and fosters trust with customers.
  • Reduced systemic risk: DORA promotes proactive risk management and incident response planning. Increased resilience enables financial institutions to better withstand disruptions and recover faster from unforeseen crises, minimizing their economic impact.
  • Competitive advantage: DORA fosters a more secure and resilient financial landscape. By demonstrably prioritizing digital operational resilience, financial institutions can boost consumer trust in the financial services they rely upon and gain a competitive edge.

What Are the 5 Pillars of DORA Regulation?

The EU's Digital Operational Resilience Act (DORA) establishes a comprehensive framework to strengthen the digital resilience of the financial sector. DORA's regulatory framework rests upon five key pillars:

  1. ICT Risk Management:

This pillar focuses on establishing a robust and consistent approach to managing risks associated with ICT. DORA mandates financial institutions to develop a comprehensive ICT risk management framework. This framework should include:

  • Risk Identification: Identifying potential threats and vulnerabilities across the entire ICT infrastructure and operations.
  • Risk Assessment: Evaluating the likelihood and potential impact of identified threats.
  • Risk Mitigation: Implementing appropriate controls and safeguards to minimize identified risks.

  2. ICT-related Incident Management, Classification & Reporting:

This pillar introduces a structured approach to identifying, managing, and reporting ICT-related incidents. Key aspects include:

  • Incident Management Framework: Establishing clear procedures for detecting, investigating, and responding to ICT-related incidents.
  • Incident Classification: Categorizing incidents based on severity and potential impact to facilitate timely and appropriate response measures.
  • Incident Reporting: Implementing clear protocols for reporting major ICT-related incidents to the relevant supervisory authorities.

  3. Digital Operational Resilience Testing:

This pillar emphasizes the importance of proactively testing and verifying an institution's ability to withstand and recover from disruptions. DORA mandates:

  • Vulnerability Assessments: Regularly assessing vulnerabilities in ICT systems and infrastructure.
  • Penetration Testing: Conducting simulated cyberattacks to identify weaknesses and assess the effectiveness of cybersecurity controls (including "threat-led" penetration testing that considers real-world attacker tactics).
  • Incident Response Drills: Testing incident response plans and procedures to ensure effective response and recovery in case of actual disruptions.

  4. ICT Third-Party Risk Management:

Recognizing the interconnectedness of the financial ecosystem, DORA also focuses on managing risks associated with third-party ICT service providers. Key elements include:

  • Third-Party Due Diligence: Conducting thorough assessments of the cybersecurity practices and risk management posture of third-party service providers.
  • Contractual Safeguards: Incorporating contractual clauses that obligate third-party providers to maintain adequate cybersecurity standards and comply with relevant DORA requirements.
  • Oversight Mechanisms: Implementing processes to monitor the performance and adherence to cybersecurity best practices by third-party providers.

  5. Information Sharing Arrangements:

This pillar aims to foster collaboration and information exchange within the financial sector to combat cyber threats more effectively. DORA encourages:

  • Sharing of Threat Intelligence: Sharing information about identified threats and vulnerabilities among financial institutions and relevant authorities.
  • Collaboration on Best Practices: Collaborating on developing and implementing best practices for digital operational resilience across the financial sector.

By implementing these five pillars, DORA fosters a holistic approach to managing digital operational risks and building a more secure and resilient financial ecosystem in the European Union.

The unique aspect of the DORA regulation is its introduction of a Union-wide Oversight Framework on critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs).

The Timeline for DORA EU Implementation

Here are the key dates of the Digital Operational Resilience Act’s implementation in the EU:

  • November 2022: DORA was formally adopted by the European Union, marking the official starting point for the implementation process.
  • 16 January 2023: Entry into force of DORA.
  • 29 September 2023: Following the call for advice on criticality criteria and fees, the European Supervisory Authorities (ESAs) published their response.
  • 17 January 2024: ESAs published the first set of rules under DORA for ICT and third-party risk management and incident classification.
  • 12 March 2024: The ESAs published joint feedback on the second batch of DORA policy products, addressing areas like oversight of critical third-party providers, penetration testing, and major incident reporting.
  • 17 July 2024: Expected delivery of the second batch of policy products.
  • 17 January 2025: DORA comes into full effect. Financial institutions and relevant third-party service providers must be compliant with the Act's requirements by this date.

Milestones for Financial Sector Preparation for DORA Compliance

  • Ongoing: Financial institutions should familiarize themselves with DORA's objectives and key provisions. This includes reviewing the official EU documents and available resources from relevant supervisory authorities.
  • From now until September 2024: Financial institutions should conduct gap assessments to identify areas where existing policies and practices need to be adjusted to meet DORA's requirements. They need to develop a DORA compliance roadmap based on the published RTS and ITS. This roadmap should prioritize actions and establish deadlines for achieving compliance.
  • Between September 2024 and January 2025: Financial institutions should implement the changes set out in their DORA compliance roadmap. This may involve activities like:
    • Updating risk management frameworks to align with DORA's requirements.
    • Conducting due diligence and potentially renegotiating contracts with third-party service providers to ensure their compliance with DORA.
    • Developing and testing incident response plans and reporting procedures.
    • Training staff on DORA requirements and new operational procedures.
    • Conducting internal audits to ensure compliance with DORA's provisions.
  • By 17 January 2025: Financial institutions should be fully compliant with DORA's requirements. This includes having established risk management frameworks, robust incident response plans, and procedures for reporting major ICT-related incidents.

Financial institutions should stay updated with official announcements from the EU and relevant supervisory authorities for any changes to the timeline or specific requirements.

DORA’s Impact on Financial Entities

DORA EU regulation represents a significant shift for financial institutions. Here's how it will impact operational practices:

  • Focus on Risk Management: DORA mandates a proactive approach to cybersecurity. Financial institutions will need to establish dedicated teams or invest in expertise to effectively implement and maintain a comprehensive ICT risk management framework.
  • Third-Party Scrutiny: DORA emphasizes the role of third-party providers in ensuring digital resilience. Financial institutions will need to conduct thorough due diligence, implement contractual safeguards, and potentially onboard only DORA-compliant service providers.
  • Enhanced Reporting: DORA establishes clear reporting protocols for major ICT-related incidents. This will require financial institutions to develop robust incident detection and reporting capabilities.
  • Regular Testing: DORA mandates regular vulnerability assessments, penetration testing, and incident response drills. This necessitates investment in specialized security tools and expertise.
  • Increased Transparency: DORA fosters a culture of transparency within financial institutions. Supervisory authorities will have increased oversight, requiring clear communication regarding risk management practices and incident response plans.

However, these changes come with substantial benefits, not just for individual institutions but for the entire financial ecosystem:

  • Improved Consumer Protection: Enhanced digital resilience translates to a more secure financial environment, safeguarding sensitive customer data and boosting consumer confidence.
  • Reduced Systemic Risk: DORA strengthens the financial sector's overall resilience, minimizing the impact of cyberattacks and operational disruptions on the broader economy.
  • Competitive Advantage: By demonstrably prioritizing digital operational resilience, financial institutions can gain a competitive edge by fostering trust and attracting new customers.

Implementing DORA in Organizations

If your organization will be impacted by DORA EU regulation, here's what needs to be done to prepare for the legislation to come into effect:

  • Assess Current State: Evaluate the existing cybersecurity infrastructure and risk management practices. Identify gaps and areas requiring improvement.
  • Develop a DORA Compliance Strategy: Establish a roadmap for implementing the necessary changes, including the development of a risk management framework, vendor management processes, and incident response procedures.
  • Invest in Tools and Resources: Secure the necessary budget and personnel to execute the DORA compliance plan. Explore potential partnerships with security specialists to bridge skill gaps, and consider data-driven Enterprise Architecture platforms like Ardoq, which can speed up assessment, compliance, and reporting on DORA's requirements.

How Enterprise Architecture Can Lead the Charge in Large Organizations

The EU's Digital Operational Resilience Act (DORA) significantly affects the financial sector, demanding a paradigm shift in how large organizations approach cybersecurity and operational resilience. While the Act lays a comprehensive foundation, successfully implementing DORA requires a strategic and coordinated effort. This is where Enterprise Architecture (EA) steps in, playing a crucial role in navigating DORA's complexities and ensuring long-term compliance.

The Role of Enterprise Architecture in DORA Compliance

Enterprise Architecture provides a holistic view of an organization's IT landscape, encompassing applications, data, infrastructure, and business processes. This unique perspective makes EA ideally suited to spearhead DORA implementation within large organizations. Here's how:

  • Gap Analysis: EA can conduct a comprehensive gap analysis to identify discrepancies between existing practices and DORA's requirements. This analysis will highlight areas for improvement in risk management, incident response, and third-party management.
  • Mapping ICT Infrastructure: A well-defined EA blueprint can greatly aid road mapping for DORA compliance, allowing organizations to map their ICT infrastructure and identify potential vulnerabilities across the entire technology stack. This comprehensive view facilitates targeted risk mitigation strategies.
  • Standardization and Consistency: DORA emphasizes the need for consistent risk management practices across the organization. EA can play a vital role in standardizing processes, ensuring consistent control application, and streamlining compliance efforts.
  • Change Management: DORA implementation will undoubtedly necessitate changes in IT processes and potentially organizational structures. EA can act as a bridge between technical and business stakeholders, facilitating effective change management and user adoption of new practices.

How Enterprise Architecture Supports Digital Resilience

Beyond DORA compliance, EA fosters a culture of digital resilience within large organizations. EA provides the organizational and process awareness to follow regulations, a strong technical foundation to scale, and the insights to support innovation and new opportunities.

Here are some key ways EA contributes to digital resilience:

  • Alignment with Business Strategy: EA ensures that IT infrastructure and processes are aligned with the organization's overall business strategy. This alignment strengthens operational resilience by ensuring technology supports core business functions and facilitates swift adaptation to unforeseen disruptions.
  • Visibility and Transparency: A robust EA model provides clear visibility into the organization's technological landscape, including dependencies and potential weaknesses. This transparency allows for proactive risk identification and mitigation strategies, bolstering overall resilience.
  • Process Optimization: EA fosters continuous improvement of IT processes by identifying redundancies and inefficiencies. Streamlined processes translate to a more agile and adaptable organization, better equipped to respond to disruptions and maintain operational continuity during crises.

Combining EA with collaborative business process management establishes a common language throughout a company, so more informed decisions become the norm. Agility is easier when you can see how changes in any one area affect others.

A Collaborative Approach Is Key

Implementing DORA and building digital resilience require collaboration across various departments. EA can act as a central hub, facilitating communication and information sharing between IT, security, risk management, and business units. This collaborative approach ensures a holistic and coordinated effort toward achieving DORA compliance and fostering a culture of digital resilience within the organization.

By leading DORA implementation and improving digital resilience, Enterprise Architecture can empower large organizations in the financial sector to navigate the evolving regulatory landscape and thrive in an increasingly complex digital landscape.

Why Ardoq's Approach to DORA

Ardoq can support organizations across all five key areas covered by DORA. Ardoq helps organizations meet DORA's requirements by identifying, documenting, and managing the impact of this regulatory change. Ardoq also complements and enhances incident management practices by modeling the existing IT Service Management (ITSM) practice and relevant frameworks, such as NIST or ISO 27001. Compared to other risk assessment or compliance tools, Ardoq's unique capabilities offer organizations:

  • Comprehensive Risk Management: Aiding organizations in developing and managing ICT risk management frameworks that align with DORA requirements, including mapping business capabilities to regulatory requirements, assessing these business capabilities, and documenting and visualizing risk assessments to ensure compliance.
  • Enhanced Compliance Tracking: Documenting ICT incident management processes, recording resilience testing results, capturing third-party vendor assessments through surveys, and assisting with annual audit requirements.
  • Efficient Resource Allocation: Identifying critical business capabilities and applications, strengthening risk management practices, and helping organizations optimize spending on ICT risk management and compliance initiatives for a balanced cost-benefit approach.
  • Improved Information Sharing: Modeling processes to show how threats and vulnerabilities are communicated and facilitating collaboration with external bodies, third-party providers, and industry partners.
  • Automated Processes and Accountability: Conducting risk assessments, monitoring compliance, keeping information current for decision-making, while also enforcing ownership and accountability by assigning responsibility for updating information on capabilities, processes, risks, controls, and applications.

“DORA is a game-changer for the European financial sector, setting a new bar for operational resilience. As we near the compliance deadline, we're here to support organizations in navigating these regulatory requirements with confidence and efficiency.”
- Bo Kristoffersen, EU VP of Sales at Ardoq

Learn more about how Ardoq enables organizations to achieve and demonstrate DORA compliance more effectively: The Digital Operational Resilience Act (DORA) and Ardoq


How Enterprises are Using Ardoq to Support DORA

One of the companies already leveraging Ardoq to prepare for DORA is a Norwegian pension company. They have used Ardoq Discover to prepare criticality assessments for the business and their applications.

"We've gained significant momentum using Discover, partly due to requirements outlined in the EU's DORA regulation, which mandates criticality assessments for both the business area and underlying applications. The solution has performed very well, even for non-technical users."
- Chief Enterprise Architect

Ardoq currently counts numerous financial service companies as customers, including MUFG, OMERS, IG Group, and WSECU. They have leveraged the unique flexibility of the Ardoq platform towards key business goals such as:

“One of Ardoq’s strengths is easing the pain of compliance. The collaborative features and flexibility of the platform make it adaptable to the specific needs of different regulatory frameworks, including DORA.”
- Sean Gibson, Senior Enterprise Architect at Ardoq


How to Implement DORA in Ardoq

Ardoq has developed a framework that helps organizations address the regulatory requirements for the EU Digital Operational Resilience Act (DORA). Ardoq's step-by-step approach can be customized to the needs of different organizations, enabling businesses to smoothly integrate DORA's requirements into existing processes. Here is a high-level overview of how to implement DORA in Ardoq.

  1. Model DORA's Regulatory Requirements: Define DORA requirements as "Requirement" components within Ardoq’s Policies, Principles, Standards, and Frameworks workspace. Use Ardoq's Excel template to import DORA requirements to build a structured model and create a clear hierarchy of regulatory obligations.
  2. Integrate DORA with Existing Frameworks: Ardoq allows organizations to link existing standards or frameworks to the individual DORA requirements. Reports can be created to demonstrate compliance and progress in addressing these requirements by the standards, frameworks, and policies you have already implemented.
  3. Conduct Business Capability Assessments: Establish a "DORA Capability Assessment" workspace in Ardoq to evaluate and identify critical business capabilities, assessing each against DORA requirements. Use surveys and scripts to analyze results, highlighting which capabilities require prioritization and resources.
  4. Identify DORA-Critical Applications: Assess applications that support DORA-critical capabilities by creating application-specific assessments. Capture essential details, such as DORA criticality and data types processed, to report on and monitor application compliance and establish a focused risk assessment approach.
  5. Document and Assess Critical Vendors: Identify vendors that support DORA-critical applications, creating assessments for each vendor. Gather relevant details about each organization and use reports and heat maps to monitor vendor compliance and manage DORA-related vendor risks efficiently.

Learn more about how organizations can leverage Ardoq to address the EU Digital Operational Resilience Act (DORA) regulatory requirements: Implementing the Digital Operational Resilience Act in Ardoq

Ensure Your Organization Is Operationally Resilient and Compliant

DORA marks a crucial step towards a more secure and resilient financial landscape in the European Union. Its provisions will reshape the operational practices of financial institutions, requiring a proactive approach to cybersecurity and risk management. With the January 2025 deadline approaching, now is the time for CIOs within the financial sector to initiate or accelerate their DORA compliance journey. By taking immediate action, financial institutions can ensure they are well-positioned to navigate the evolving digital threat landscape and contribute to a more secure and stable financial ecosystem.

To learn more about how Ardoq can support compliance and risk management, see our solution for Application Risk Management or get in touch for a demo.

Deborah Theseira is a Senior Content Specialist at Ardoq. She wields words in the hope of demystifying the complex and ever-evolving world of Enterprise Architecture. She is excited about helping the curious understand the immense potential it has for driving effective change.