Key Provisions for DORA Preparation

August 2024

by Julia Winer

The EU’s Digital Operational Resilience Act (DORA) will be enforceable starting January 27th 2025, and many teams are scrambling to get their organisations into compliance before they face a potential penalty. DORA preparation is a cross-departmental, time-consuming job that detracts from everyday third-party risk management (TPRM) work, but by studying and addressing the key DORA provisions, your team can reach the enforcement deadline confident in its compliance status.

First, though, it’s helpful to review the goals of the DORA standard. DORA requires European financial organisations and their Information and Communication Technology (ICT) providers to meet new cyber risk criteria, marking a significant step forward in the EU’s efforts to regulate cybersecurity practices. Not only does this legislation place a new burden on financial services organisations to achieve a strong cyber risk posture, it also places a newfound emphasis on operational resilience: the ability to prevent, detect, and recover from potential disruptions.

On top of taking preventative measures, entities regulated under DORA must put procedures in place to continuously assess and treat ICT risk, report and respond to incidents as they occur, and make adjustments in the aftermath of an incident to reduce the likelihood and impact of similar events in the future. If DORA applies to an organisation, knowing how to stop an incident is not enough; the organisation must also know how it would control the impact after one occurs.

Entities Regulated Under DORA 

As stated above, DORA regulates European financial services firms and their ICT providers. For that reason, you need to be confident in not just your own ICT policies but those of your suppliers; after all, a violation at the supplier level can still lead to costly breaches, reputational damage, and stiff regulatory penalties. By the same token, because DORA prohibits firms from working with non-compliant suppliers, ICT service providers that work with financial services organisations in the EU should be ready to update their policies to meet the new requirements.

Entities regulated by DORA include:

Financial Services Entities 

  • Accounting Services 
  • Banks  
  • Brokerages 
  • FinTech 
  • Government / Financial 
  • Insurance Companies 
  • Investment Management 
  • Legal Services  
  • Mortgage Lenders 
  • Payment Services 
  • Real Estate Services 
  • Tax Services 
  • Wealth Management  

ICT Third-Party Service Providers

  • Cloud Platforms 
  • Computers & Laptops 
  • Data Analytics Services 
  • Information Systems 
  • Internet  
  • Mobile Devices 
  • Multimedia 
  • Networking Systems 
  • Software 
  • Telecom Systems

Risk Assessments 

To ensure DORA compliance, you must first assess your ICT assets and suppliers to determine the degree of risk you face, where it’s concentrated, and how the mitigation methods you currently have in place compare to the provisions demanded by the DORA controls framework. 

Sometimes, this process may include Threat-Led Penetration Testing (TLPT) for ICT services that, were they impacted by a cybersecurity incident, would disrupt critical functions at your organisation. TLPT uses threat intelligence to determine the techniques an attacker would likely use against a given vulnerability, then attempts to compromise the organisation’s systems under controlled conditions to determine how effective those attacks would be. By mandating testing at this degree of scrutiny, DORA ensures that your critical ICT is resilient against the techniques likely to be used against it.

In addition to mitigating internal ICT risk, your team should assess its vendors to see how their controls match the DORA framework. Once you’ve determined which vendors need to make improvements to achieve compliance in the supplier ecosystem, you can revise contracts to ensure the necessary provisions are included as requirements. After all, contractual obligation is the best way to ensure action at the supplier level. 

Mandatory Incident Reporting 

One goal of DORA is to make organisations respond more diligently in the face of an incident; the regulation requires entities to have procedures in place to detect and report ICT-related incidents, organise incident data according to DORA policies, and distribute reports to both the appropriate regulatory authorities and to customers who may be affected. Every financial entity in the EU knows that incident reporting has traditionally been a complex, difficult process. By streamlining reporting requirements, DORA seeks to reduce the burden of reporting and increase the efficacy of reports for the stakeholders who most need to stay informed.

Once an incident is identified, there should be a clear, documented procedure for gathering the relevant data, completing report templates, and distributing initial, intermediate, and final reports. While you develop these procedures, it helps to remember that incident reporting takes time. By documenting reporting roles, responsibilities, and procedures thoroughly from the start, you can avoid hasty and inadequate incident response and get needed information to the key stakeholders.  

Oversight and Penalties 

DORA violations can result in fines of up to 2% of your annual worldwide turnover. The fine will be determined based on the violation’s scale and the effort you put into cooperating with the authorities. For this reason, it’s crucial to ensure compliance at both the internal and ICT supplier levels and to maintain good standing with the regulatory bodies if they detect a violation.   

Additionally, as discussed above, you must terminate and replace relationships with non-compliant suppliers. In other words, non-compliance threatens both regulatory fines and lost business, so compliance is a business imperative. By the time enforcement begins in January 2025, you should have a plan to demonstrate your commitment to strong ICT practices and your ongoing effort to build a DORA-friendly ICT management program. Because enforcement will be conducted on a case-by-case basis, the most crucial step you can take is to create practices that show an investment in the regulation and then plan for further improvements.

Conclusion 

DORA enforcement is coming, and if your organisation is within its scope, you have a responsibility to achieve compliance. Luckily, the information is out there to help your team stay on top of this challenge. Read our white paper, “DORA: Key Provisions and Best Practices,” for a more comprehensive overview of the upcoming enforcement deadline and the actions you can take to prepare for the new legislation. 

ProcessUnity 

While it can be seriously taxing to attempt compliance using only spreadsheets and emails, ProcessUnity DORA helps your team quickly identify control gaps and work to remediate them.
