What Is the Digital Operational Resilience Act (DORA)?
LAST UPDATED ON JUNE 11, 2024
The finance sector is a target that adversaries never leave alone, consistently ranking as one of the top sectors victimized by cybercriminals. In 2023, it faced sophisticated attack campaigns from notorious ransomware groups such as LockBit, ALPHV/BlackCat, and Cl0p [1]. LockBit alone was responsible for 24% of total ransomware attacks, committing 1,047 successful breaches, while ALPHV and Cl0p targeted 445 and 384 victims, respectively [1]. A notable incident was the MOVEit campaign, which exploited the CVE-2023-34362 vulnerability, significantly affecting financial institutions that relied on MOVEit Transfer for their file transfer needs and underscoring the threat of supply chain attacks.
In response to escalating cyber risks, the European Union introduced the Digital Operational Resilience Act (DORA). This legislation aims to establish a unified framework for Information and Communication Technology (ICT) risk management, incident reporting, resilience testing, threat intelligence sharing, and third-party risk management. It requires that financial entities and their critical third-party technology service providers adhere to stringent technical standards in their ICT systems by January 17, 2025. By implementing these rigorous standards, DORA ensures that financial entities can continue operations even during severe cyberattacks, thereby safeguarding the stability of the entire financial system.
In this blog, we explain what the DORA framework is, its purpose, scope, and the five main pillars that construct it.
What Is the DORA Framework?
The Digital Operational Resilience Act, or DORA, is a European Union (EU) regulation that establishes a binding, comprehensive framework for managing information and communication technology (ICT) risks within the EU financial sector [2]. This regulation ensures that financial firms maintain both financial soundness and operational resilience during severe disruptions caused by cybersecurity and ICT-related issues.
Figure 1. What DORA Framework Covers [3]
To achieve this, DORA harmonizes security and resilience practices across the EU by introducing a consistent supervisory approach.
It provides an end-to-end framework for managing third-party ICT and cybersecurity risks, which applies specific requirements to all financial market participants, including banks, investment firms, insurance companies, crypto asset providers, and cloud service providers. Furthermore, DORA has introduced a Union-wide Oversight Framework for critical ICT third-party providers, which are designated by the European Supervisory Authorities (ESAs).
By integrating these elements, DORA creates a unified and robust system that enhances the overall stability and security of the EU financial sector.
What Is the Purpose of the DORA Framework?
DORA is being implemented because there is currently no comprehensive framework for managing and mitigating ICT risks across the entire European financial sector. The act aims to harmonize risk management rules throughout the EU, ensuring that every financial institution is held to the same high standards.
By eliminating the complexities caused by gaps, overlaps, and conflicts between different member states' regulations, DORA seeks to streamline compliance for financial entities and enhance the resilience of the entire EU financial system.
Scope of DORA: The EU Financial Sector
The scope of DORA encompasses a wide array of entities within the EU financial sector. It applies to
- traditional financial institutions (e.g., banks, investment firms, and credit institutions) and
- non-traditional entities (e.g., crypto-asset service providers and crowdfunding platforms).
Additionally, DORA extends to third-party service providers that offer critical ICT systems and services, such as cloud service providers, data centers, and payment processors. Firms that provide essential information services, like credit rating agencies and data analytics providers, are also covered.
Essentially, DORA targets any entity involved in the financial ecosystem and its supporting IT infrastructure, ensuring comprehensive regulatory oversight.
The Five Pillars of DORA Framework
In this section, we will explain the five main requirements of the DORA framework.
Pillar 1: ICT Risk Management
The ICT Risk Management pillar of the DORA framework requires financial entities to develop, document, and implement comprehensive ICT risk management policies. These measures ensure network security, safeguard against intrusions/breaches, and maintain data integrity and availability.
To achieve these objectives, the framework outlines several key components, including
- proactive risk assessment,
- continuous monitoring for vulnerabilities and security gaps,
- effective incident response,
- encryption,
- cryptographic controls,
- ICT asset management, and
- access control.
Central to the successful implementation of these components is the responsibility assigned to the entity's management body, which includes board members and senior managers.
Thus, decision makers should define and execute risk management strategies while staying informed about the evolving ICT risk landscape. This involves mapping ICT systems, classifying critical assets, documenting dependencies, conducting continuous risk assessments, and mitigating identified risks. Business impact analyses further inform risk tolerance levels and the design of ICT infrastructure.
To further strengthen the security posture of financial organizations, the framework emphasizes identity and access management policies, patch management, extended detection and response systems, SIEM software, and SOAR tools. Moreover, business continuity and disaster recovery plans must address various cyber risk scenarios, including data backup, recovery measures, system restoration, and communication plans.
Finally, the forthcoming Regulatory Technical Standards (RTSs) will align with existing EBA guidelines on ICT and security risk management.
Pillar 2: ICT-related Incident Reporting
The final report on the draft Regulatory Technical Standards (RTS) under DORA outlines the reporting requirements and specifies the criteria for classifying major ICT-related incidents [4]. These standards mandate that financial entities report incidents affecting critical services, particularly if they involve malicious unauthorized access leading to data loss.
Furthermore, incidents must be reported if they meet certain materiality thresholds. These thresholds encompass various factors, including the
- number of clients affected,
- duration of service downtime,
- geographical spread,
- economic impact,
- data loss, and
- reputational impact.
Additionally, recurring incidents are deemed major if they occur at least twice within six months, share the same root cause, and collectively meet the classification criteria. This approach ensures that ongoing issues are promptly addressed.
To maintain fairness, the approach ensures proportionality by implementing simplified requirements for smaller entities. An essential part of the reporting process is the sharing of relevant incident details with competent authorities in other member states, which helps in preventing market contagion.
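The classification rule described above (an incident is major when it meets the materiality criteria, and recurring incidents with one root cause are judged collectively when they happen at least twice within six months) can be expressed as a small classifier. This is an added example, not code from the ESAs or the RTS; the threshold values, the "at least two criteria" rule, the 182-day window and the sample incidents are all constructed placeholders, since the page does not give the real numbers.

```python
from datetime import date, timedelta

# Constructed placeholder thresholds for illustration; the real values come from
# the ESAs' RTS, not from this snippet.
THRESHOLDS = {"clients_affected": 5_000, "downtime_hours": 2.0, "countries": 2,
              "economic_impact_eur": 100_000.0, "data_loss": True}
MIN_HITS = 2                  # criteria an incident must meet to count as major (assumed)
WINDOW = timedelta(days=182)  # "within six months", approximated as 182 days

def criteria_hit(inc):
    """Return the materiality criteria met by one (possibly aggregated) incident."""
    return [k for k, limit in THRESHOLDS.items() if inc.get(k, 0) >= limit]

def is_major(inc):
    """Malicious unauthorized access causing data loss on a critical service is major
    outright; otherwise the incident must meet at least MIN_HITS criteria."""
    if not inc.get("critical_service", True):
        return False
    if inc.get("malicious_access") and inc.get("data_loss"):
        return True
    return len(criteria_hit(inc)) >= MIN_HITS

def aggregate(group):
    """Fold same-root-cause incidents into one record: counts and costs add up,
    geographic spread, data loss and malicious access take the worst case."""
    agg = {"root_cause": group[0]["root_cause"], "occurred": max(i["occurred"] for i in group)}
    for k in ("clients_affected", "downtime_hours", "economic_impact_eur"):
        agg[k] = sum(i.get(k, 0) for i in group)
    for k in ("countries", "data_loss", "malicious_access"):
        agg[k] = max(i.get(k, 0) for i in group)
    return agg

def recurring_major(incidents):
    """Root causes with >= 2 incidents inside one six-month window whose aggregate is major."""
    by_cause = {}
    for inc in sorted(incidents, key=lambda i: i["occurred"]):
        by_cause.setdefault(inc["root_cause"], []).append(inc)
    flagged = set()
    for cause, group in by_cause.items():
        for idx, first in enumerate(group):   # slide a window starting at each incident
            window = [i for i in group[idx:] if i["occurred"] - first["occurred"] <= WINDOW]
            if len(window) >= 2 and is_major(aggregate(window)):
                flagged.add(cause)
                break
    return flagged

# Constructed sample: three individually minor certificate outages plus one DNS glitch.
SAMPLE = [
    {"occurred": date(2024, 1, 10), "root_cause": "expired-tls-cert", "clients_affected": 3_000, "downtime_hours": 1.0},
    {"occurred": date(2024, 3, 5), "root_cause": "expired-tls-cert", "clients_affected": 3_000, "downtime_hours": 1.5},
    {"occurred": date(2024, 11, 20), "root_cause": "expired-tls-cert", "clients_affected": 3_000, "downtime_hours": 1.0},
    {"occurred": date(2024, 2, 1), "root_cause": "dns-resolver", "clients_affected": 500, "downtime_hours": 0.5},
]
```

None of the sample incidents is major on its own, but the January and March certificate outages fall inside one window and together cross two thresholds, so `recurring_major(SAMPLE)` flags that root cause while the November outage, outside the window, and the single DNS incident do not count.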
Pillar 3: Digital Operational Resilience Testing
Entities must regularly test their ICT systems to evaluate the robustness of their defensive measures, including both prevention and detection layer solutions, and to identify vulnerabilities in their systems, networks, and applications.
The results of these resilience tests, along with plans to remediate any identified security weaknesses and system vulnerabilities, must be reported to and validated by the relevant competent authorities. This process ensures a continuous improvement cycle and accountability in maintaining high levels of security.
Accordingly, DORA requires financial organizations to conduct basic tests, such as vulnerability assessments and scenario-based testing, on an annual basis.
- Scenario-based testing may include Breach and Attack Simulations (BAS), which can simulate the full attack kill chain of APT groups, threat actors, or malware campaigns targeting financial organizations.
- These simulations not only reveal potential security weaknesses but also help identify non-working, non-optimized, and misconfigured security solutions.
For financial entities deemed critical to the financial system, there is an additional requirement to undergo threat-led penetration testing (TLPT) every three years. These TLPTs are comprehensive and involve the participation of critical ICT providers. They are expected to follow forthcoming technical standards that will likely align with the TIBER-EU framework for threat intelligence-based ethical red-teaming.
This multi-layered testing approach ensures that even the most critical financial entities maintain robust digital operational resilience.
Pillar 4: Third-party ICT Risk Management
The fourth pillar of the DORA framework mandates that financial organizations conduct thorough due diligence on their ICT third-party providers to ensure they comply with the same standards of security and resilience as the financial entities themselves.
To achieve this, financial entities must establish robust contracts with their ICT third-party service providers, ensuring that these partners adopt high standards of digital security and operational resilience. These contracts must include obligatory provisions that align with EU standards for risk management and operational resilience.
Additionally, these contracts must be periodically reviewed to maintain the highest standards of monitoring and risk assessment. Financial entities are also required to document any risks identified with their third-party ICT providers, ensuring continuous oversight and management of potential vulnerabilities.
DORA emphasizes the importance of implementing a multi-vendor ICT third-party risk strategy, reflecting the financial sector's increasing reliance on external ICT services, particularly cloud computing. This strategy is critical for mitigating risks associated with dependence on single vendors and enhancing overall operational resilience.
By enforcing these requirements, DORA ensures that financial entities maintain strong oversight of their ICT third-party providers, safeguarding the integrity and continuity of their operations.
Pillar 5: Information Sharing
The Information Sharing pillar of the DORA framework mandates that financial entities establish processes for learning from both internal and external ICT-related incidents.
DORA encourages entities to participate in voluntary threat intelligence sharing arrangements to enhance their cybersecurity posture. However, any shared information must be protected under the relevant guidelines, ensuring that personally identifiable information is handled in compliance with the General Data Protection Regulation (GDPR).
This collaborative approach aims to improve the overall resilience of the financial sector by fostering a culture of shared awareness and response to emerging threats.
DORA Implementation Timeline
DORA was proposed by the European Commission in September 2020 as part of a broader initiative to enhance the EU's digital finance framework, including the regulation of crypto-assets.
Currently, the implementation phase is underway, with the European Supervisory Authorities (ESAs) tasked with finalizing the regulatory technical standards (RTS) and implementing technical standards (ITS). The ESAs are
- the European Banking Authority (EBA),
- the European Securities and Markets Authority (ESMA), and
- the European Insurance and Occupational Pensions Authority (EIOPA).
These are expected to be completed by 2024. Then, DORA is set to be enforced starting 17 January 2025, requiring compliance from financial entities and third-party ICT service providers.
Figure 2. DORA Implementation Timeline by ESMA [5]
Additionally, the European Commission is developing an oversight framework for critical ICT providers, aiming for completion within the same timeframe.
References
[1] S. Gihon, “Ransomware Trends 2023 Report,” Cyberint, Apr. 07, 2024. Available: https://cyberint.com/blog/research/ransomware-trends-and-statistics-2023-report/. [Accessed: May 28, 2024]
[2] “Digital Operational Resilience Act (DORA) - Regulation (EU) 2022/2554.” Available: https://www.digital-operational-resilience-act.com. [Accessed: May 29, 2024]
[3] “Digital Operational Resilience Act (DORA).” Available: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
[4] “Final Report on Draft Regulatory Technical Standards.” Available: https://www.eiopa.europa.eu/document/download/3cc5f357-5431-40ff-b9d9-7528a436f771_en?filename=JC%202023%2083%20-%20Final%20Report%20on%20draft%20RTS%20on%20classification%20of%20major%20incidents%20and%20significant%20cyber%20threats.pdf. [Accessed: May 28, 2024]
[5] “Digital Operational Resilience Act (DORA).” Available: https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/digital-operational-resilience-act-dora#:~:text=The%20Digital%20Operational%20Resilience%20Act,as%20of%2017%20January%202025. [Accessed: May 28, 2024]