You may have heard about the European Union's Digital Operational Resilience Act, or DORA, that takes effect next year. While 2025 may seem far away, the time to start planning for this new regulation is now. Here's what you need to know as your organization prepares to comply with DORA.
The Purpose of DORA
DORA aims to protect the financial sector against critical cyberattacks or technological failures. The goal of the regulation is to make sure the financial sector in Europe is able to stay resilient through a severe disruption to operations. DORA requires financial institutions and, in certain instances, third-party vendors to comply with duties and obligations, with financial institutions carrying most of the responsibilities.
DORA will take effect on January 17, 2025.
Who DORA Affects
The goal of DORA is to bolster the risk management and monitoring activities in the information and communications technology (ICT) systems of certain financial institutions, as well as the third-party providers of that technology. Financial institutions affected by DORA include:
- Credit or electronic money institutions
- Payment institutions
- Account information service providers
- Trade repositories
- Investment firms
- Crypto-asset service providers
- Central securities depositories
- Central counterparties
- Trading venues
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings and their intermediaries and ancillary insurance intermediaries
- Institutions for occupational retirement provision
- Information service providers
- Credit rating agencies
- Administrators of critical benchmarks
- Securitization repositories
- Crowdfunding service providers
DORA loosely defines “third-party ICT vendors” as those who provide digital and data services through ICT systems, which includes hardware and software to financial institutions. Vendors who will likely be affected include cloud computing services, software providers, and data analytics and data center services.
Obligations Under DORA
If you are affected by DORA, you should prepare to withstand, respond to, and recover from all types of ICT-related disruptions and threats. If you are a third-party vendor serving financial institutions, your contracts with them must include clauses on specific topics, including but not limited to:
- Assessing risks and conflicts of interests
- Data mapping
- Security and portability similar to GDPR
- Requiring vendors to participate in regulatory audits of the financial institutions
- Providing specific termination rights
Additionally, vendors must assist financial institutions after an incident, either at no extra cost or at a cost determined after the incident, and fully cooperate with authorities.
Vendors also have audit requirements that include 1) participating in security training and digital operational resilience training, 2) participating in the financial institution's penetration test, 3) reviewing how their own risk affects the risk profile of the financial entity, and 4) verifying their due diligence process on potential threats.
Requirements for Critical Vendors
DORA also allows regulators to impose heightened requirements on vendors deemed critical to financial institutions, meaning that their failure would materially impair the institution's financial performance or ability to operate. These vendors will have additional requirements to verify data integrity, clarify corporate governance, test ICT systems, and identify ICT risks.
Stay Informed
More details of DORA will be finalized this summer, so it's important to stay up to date on new developments to properly prepare for the January 17, 2025, effective date. Organizations may also want to test their current systems now to understand how they stack up against potential requirements. Secureworks offers a variety of services, such as penetration testing and adversary exercises, that can find detection and prevention gaps and measure response. Contact one of our security experts to get started.
*Please note that the content provided in this blog is for informational purposes only and is not intended to be legal advice. It is important for readers to consult with their own legal counsel to obtain advice specific to their situation and to ensure compliance with all applicable laws and rules.