Everything You Need to Know About DORA: A Comprehensive Guide

Are you prepared for the upcoming Digital Operational Resilience Act (DORA)?

DORA applies from 17 January 2025, and failing to comply can be costly. For financial entities, administrative penalties are set and imposed by the national competent authorities under Article 50 of the regulation; alongside fines, those authorities may issue cease-and-desist orders, require the entity to stop the offending conduct, and publish notices naming the entity and the breach. Critical ICT third-party service providers fall under a separate EU oversight regime in which the Lead Overseer can impose periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover, for up to six months, until it complies.

With only 10 months to go it is crucial to begin preparations now.

Katie Barnett, Director of Cyber Security at Toro, shares vital insights into DORA, including its purpose, key components, and what you need to do to get your organisation ready.

What is the purpose of DORA?

The financial sector’s reliance on ICT and digital information has grown significantly over the last several years.

Covid-19 acted as a further catalyst as organisations became more reliant on the availability of digital systems to conduct day-to-day operations in a remote setting.

More than ever, the finance sector is a prime target for cyber-attacks.

DORA aims to tackle this exposure by setting clear, binding requirements for how information and communication technology (ICT) risk must be managed and mitigated.

Who does DORA impact?

DORA applies to a broad range of financial entities operating in the European Union, including banks, investment firms, (re)insurance undertakings and electronic money institutions. It also reaches the ICT third-party service providers, including cloud service providers, that support those entities; providers designated as ‘critical’ come under a dedicated EU-level oversight framework.

Understanding DORA

DORA is an EU (European Union) regulation designed to strengthen the financial sector’s IT security posture.

As articulated in Recital 105, its objective is to achieve a high level of digital operational resilience for regulated financial entities.

The regulation has two main goals: comprehensively addressing ICT risk management within the financial services sector and harmonising existing ICT risk management regulations across the EU.

What does it cover?

The focus of DORA is to set a clear standard for how financial institutions manage their ICT risks. Its requirements are grouped into five foundational pillars.

  1. ICT Risk Management: DORA requires each financial entity to establish a comprehensive ICT risk management framework, owned and overseen by its management body, covering governance, identification and protection of ICT assets, detection, response and recovery, learning from incidents, and ICT change management.
  2. ICT-related Incident Management, Classification and Reporting: DORA introduces a harmonised framework for detecting, classifying and recording ICT-related incidents. Major incidents must be reported to the relevant competent authority in stages (an initial notification followed by intermediate and final reports on set timelines), giving regulators better visibility of cyber threats across the sector.
  3. Digital Operational Resilience Testing: DORA mandates a testing programme proportionate to the entity’s size and risk profile. Testing of ICT tools and systems that support critical or important functions must be carried out at least annually to uncover vulnerabilities, and weaknesses found must be tracked to remediation. Entities identified by their competent authority must additionally undergo advanced Threat-Led Penetration Testing (TLPT) at least every three years, covering the live production systems that support critical functions. ICT third-party providers that support those functions are required to participate in the tests.
  4. ICT Third Party Risk Management: financial entities remain accountable for ICT risk they outsource. DORA requires a strategy for third-party risk, mandatory contractual provisions with ICT providers, a register of information covering all ICT third-party arrangements, assessment of concentration risk, and exit strategies for services supporting critical or important functions.
  5. Information Sharing Arrangements: DORA allows financial entities to exchange cyber threat information and intelligence amongst themselves within trusted communities, subject to rules protecting confidential and personal data. Competent authorities in turn feed anonymised threat and incident information back to financial entities; it is for each entity to review and act on what is shared.

What should I do now?

Based on my experience, preparing for the initial implementation of new regulations can be much more time-consuming and resource-intensive than anticipated.

The first thing I would recommend is that you speak to your IT team and ask them to conduct a gap analysis and create a roadmap to compliance. If required, external providers such as Toro can help by giving you access to DORA gap assessment tools and services.

It is important that you thoroughly analyse your current processes for risk management, incident management and reporting, resilience testing, third-party management, and threat intelligence sharing, so that you understand where your gaps are.

Once you know your gaps, you can identify and implement remediations to meet the DORA requirements.

By taking a proactive approach now you will be able to develop a realistic and achievable implementation plan that will keep you on the front foot and ensure your compliance with the regulation.

If you have questions regarding DORA and want to understand how Toro can support, please get in touch.

Katie Barnett, Director of Cyber Security, Toro Solutions

info@torosolutions.co.uk