The Digital Operational Resilience Act (DORA) is a new regulation that impacts financial entities including banks, insurance companies, investment firms, and information and communication technology (ICT) vendors doing business in the European Union. After years of drafting and debate, the DORA deadline is officially set for January 17, 2025. Failure to achieve DORA compliance by the deadline could result in substantial fines accruing for each day of noncompliance.
Financial institutions can ensure DORA compliance ahead of the regulation deadline by implementing a comprehensive operational resilience framework. To get started, explore this overview covering DORA requirements, its impact, and more. Ready to proceed further? Reach out to the Hammer team to ensure DORA compliance and enhance customer experiences.
What does DORA do?
The DORA is designed to ensure operational resilience across the financial sector in the event of a severe operational disruption. According to the regulation text, “After DORA, [financial institutions] must follow rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk-management, incident reporting, operational resilience testing and ICT third-party risk monitoring. This Regulation acknowledges that ICT incidents and a lack of operational resilience have the possibility to jeopardize the soundness of the entire financial system, even if there is ‘adequate’ capital for the traditional risk categories.”
To do that, the DORA regulation establishes requirements for all financial institutions who do business in the EU. It’s important to note that this extends the impact of DORA compliance to a wide variety of financial institutions who do business of any kind in the EU – estimated to be more than 22,000 organizations.
How to achieve DORA compliance
The Digital Operational Resilience Act has five chapters that detail new regulations essential to financial institutions achieving DORA compliance. These five pillars of operational resilience can be found in full on the DORA compliance page. Below are summaries of their requirements.
DORA Chapter II: ICT risk management
For DORA compliance financial entities need to develop an internal governance and control framework to ensure ICT risk management. This internal body will be responsible for
- managing ICT risk within the acceptable risk thresholds they establish
- implementing policies that ensure high standards of availability, authenticity, integrity and confidentiality of data
- conducting business impact analyses that determine the organization’s ability to rapidly recover from severe business disruptions
DORA Chapter III: ICT-related incident management, classification, and reporting
Building on the definitions of ICT risk management established in chapter two, the DORA requires financial entities to develop and ICT-related incident management process to identify, track, log, categorize, and classify issues. This article also requires institutions to establish ICT-related response procedures to reduce the impact of incidents and ensure that services are back up and running quickly.
DORA Chapter IV: Digital operational resilience testing
To assess a financial institution’s ability to identify digital operational resilience vulnerabilities and respond to ICT-related incidents, the DORA requires financial entities to perform comprehensive digital operational resilience testing. These tests must be undertaken by independent parties and the issues revealed through testing must be classified and fixed until all identified vulnerabilities are resolved. Moreover, to ensure ongoing digital resilience, financial entities must test all their ICT systems and applications that support critical or important functions at least once a year.
DORA Chapter V: Managing ICT third-party risk
DORA compliance requires financial entities to treat third-party ICT systems and applications (and the risk that stems from them) as part of their own ICT risk management framework. This means that financial entities need to have contractual arrangements for the use of ICT services used to run their business operations. At all times, these ICT services must remain fully in compliance with the same DORA requirements as the financial entity they serve.
Penalties for not being DORA compliant
Under DORA, noncomplying financial institutions may be fined up to one percent of their average daily worldwide turnover in the preceding fiscal year. This fine can be levied every day until the financial entity is found to have achieved compliance.
Other consequences for noncompliance include brand damage, loss of customers eager for the security offered by DORA regulations, increased regulatory scrutiny, and potential criminal liability.
Get DORA compliant with Hammer
Hammer streamlines the complexity of DORA compliance, helping you to ensure adherence to DORA security requirements and mitigate risks with automated testing and monitoring solutions that empower financial entities and ICT service providers to:
- Identify, assess, and manage ICT risks with a comprehensive view of threats and vulnerabilities in their ICT environments.
- Report major ICT-related incidents to the relevant DORA authorities with real-time monitoring and alerting capabilities.
- Maintain robust operational resiliency and redundancy with comprehensive end-to-end performance and quality assurance testing.
- Manage vulnerabilities associated with outsourced ICT-related services by providing visibility into the third party’s ICT environment and security posture.
Contact our team today to explore how Hammer can assist your organization in meeting DORA compliance needs, ensuring secure, optimized performance within your critical ICT environments.
Additional Information
• Achieve operational resilience and DORA compliance with Hammer
• Assure customer experience with flexible, cloud-based test automation
• Hammer solutions for banking and financial services
