An introduction to DORA (Digital Operation Resilience Act)
Do you know about DORA?
How familiar are you with DORA? And no, we don’t mean the young explorer we were all subjected to by our children! DORA or Digital Operation Resilience Act is an EU regulation. Whilst DORA is not a law in the UK, there is a strong possibility that it will still apply. There have also been hints from UK authorities that it may become UK law in the future.
In short the Act is EU Legislation focused on cybersecurity resilience for financial organisations, which is set to into force on the 17th of January 2025. This new legislation is the EU taking a more robust stance on the finance sector’s resilience to ICT issues. It contains prescriptive requirements for businesses and third parties (for financial organisations; it covers 21 types of financial organisations (called out in Article 2). It is worth noting it also covers ICT third-party service providers so is quite wide. There is a list of exceptions which I won’t list here; however, they can be found in Article 2(3) if you need more details.
DORA aims
DORA aims to achieve a high level of digital operational resilience for regulated financial entities. By resilience, it means the ability of financial entities to build, assure and review their operational integrity and reliability. This next bit is key - by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses and which support the continued provision of financial services and their quality – another bit worth noting - INCLUDING THROUGHOUT DISRUPTIONS – DORA, 3(1).
So compared to past requirements, and looking at the wording, DORA is now more about being able to be persistent through any form of disruption – if something goes wrong, financial organisations should be able to continue and maintain services, not forgetting it now also covers outsourced ICT risk management.
At a very top-level, financial entities need to meet the following requirements:
- information and communication technology (ICT) risk management
- reporting of major ICT-related incidents to the competent authorities and notifying, on a voluntary basis, of significant cyber threats
- reporting of major operational or security payment-related incidents to the competent authorities
- digital operational resilience testing
- information and intelligence sharing in relation to cyber threats and vulnerabilities
- measures for the sound management of ICT third-party risk
- requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities
You can take away from the above that there is a strong focus on risk management and having a framework in place – businesses must detail the things they have to protect, the organisation’s ICT – this is not just software or equipment, it is also data. All the DORA-related documentation will need to be maintained and kept available to relevant authorities.
Let’s not forget that DORA puts the ‘final responsibility’ to ensure that measures, policies, tools, and protocols are enacted to mitigate cyber threats on a business’ management body (i.e. its boards and directors). If they fail to do this, they could face reputational damage, shareholder litigation, regulatory fines, and even criminal sanctions.
If you think that this piece of legislation may affect your business, now is the time to start thinking about out, you may have been thinking about developing a framework for sometime, if that is the case be proactive and create one, but more importantly, update and test it!
If you need assistance with interpreting the requirements and applicability of DORA to your business, feel free to get in touch with us at CyberScale, we can help translate the requirements for your business into clear and precise guidance.
NOTE: This short note is not intended to provide legal guidance and is for ICT and Risk teams to help aid understanding – as stated this is not a current UK Law, but there have been hints it may become one in the future.