
DORA Compliance is Mandatory on January 17, 2025 - Are You Ready?

New cybersecurity requirements affect financial firms doing business in Europe plus IT and comm tech providers who serve them from U.S. and elsewhere

The Digital Operational Resilience Act (DORA), also known as EU 2022/2554, took initial effect January 16, 2023, and allowed two years for firms to comply. Full DORA compliance becomes mandatory on January 17, 2025—just four months from now. Are you ready?

This is not strictly a European regulation, as it affects related businesses beyond Europe. Specifically, DORA applies to:

  • Organizations based in the European Union who provide financial services in the EU,
  • Organizations in the U.S. and other countries who provide financial services within the EU, and
  • Organizations, regardless of where they are based, who provide third-party information technology and communication technology services to members of the EU financial industry.

These organizations will be required to demonstrate DORA compliance by January 17, 2025. 

The Strength and Intent of DORA

The Digital Operational Resilience Act (DORA) establishes a comprehensive framework for resilient cybersecurity for financial entities doing business in the EU. DORA encompasses financial, insurance, and investment firms as well as payment processors, exchanges, and similar organizations. In addition, the Act sets an important precedent by requiring direct financial supervision of third-party information and communication technology (ICT) providers in order to strengthen security throughout the financial supply chain.

While all affected entities must comply with DORA, third-party providers of critical ICT services to financial entities are subject to additional oversight. The European Supervisory Authorities are assigned primary oversight responsibilities—including the authority to request information from third-party ICT providers, conduct off-site investigations and onsite inspections, impose non-compliance penalties, and issue recommendations. DORA also authorizes the European Network and Information Security Agency (ENISA) and other related authorities to assist with oversight activities and requires them to follow up on recommendations issued to the financial entities they supervise. 

In creating a new, comprehensive regulatory framework for digital operational resilience, DORA integrates the patchwork of financial regulations related to information and communication technology that has made regulatory compliance a challenge in the past. And the Act’s powerful focus on third-party information and communications technology providers highlights the importance of securing the financial supply chain. In much the same way, the PCI Data Security Standard 4.0 (PCI DSS 4.0) requires safeguards throughout the payment card industry supply chain in order to protect customer financial information.

Milestones for DORA from 2022 to 2024

DORA compliance becomes mandatory on January 17, 2025, which is just around the corner. There is absolutely no reason to expect that date will shift, since the established legal deadlines have been met by the European Supervisory Authorities. This group, founded in 2011 to replace several outdated institutions, consists of the European Banking Authority, the European Insurance and Occupational Pensions Authority, and the European Securities and Markets Authority—all regulatory authorities within the jurisdiction of the EU.

Following are examples of some key steps taken from 2022 to 2024 in preparation for the mandatory compliance date.

2024 - July 26. European Supervisory Authorities publish joint Final Report on draft Regulatory Technical Standards (RTS) that specify how to determine and assess conditions for subcontracting information and communication technology (ICT) services in order to reduce supply chain risk.

DORA compliance becomes mandatory on January 17, 2025, after a two-year preparation period.

2024 - July 17. European Supervisory Authorities publish second group of policy products, consisting of four final draft Regulatory Technical Standards (RTS), one set of Implementing Technical Standards (ITS), and two guidelines (GL). In addition, the ESAs begin work on Pan-European cyber incident coordination framework to enable effective response to cyber incidents that pose risks to financial stability in Europe.

2024 - May 31. European Supervisory Authorities publish templates, technical documents, and tools for a test exercise on the reporting of databases of information for contractual arrangements with third-party ICT service providers by EU financial organizations. These publicly accessible databases must be maintained beginning January 2025.

2024 - April 18. European Supervisory Authorities launch a public consultation on draft Regulatory Technical Standards (RTS) related to oversight activities to be conducted by the joint examination teams.

2024 - January 17. European Supervisory Authorities publish first set of final draft technical standards that will strengthen financial entities’ information and communication technology (ICT), third-party risk management, and incident reporting frameworks. Note that this date is one year out from the DORA compliance date.

2023 - December 8. European Supervisory Authorities launch public forum, open until March 4, 2024, for input on second group of draft policy mandates required by DORA to ensure a consistent, coordinated legal framework for major ICT-related incident reporting, digital operational resilience testing, third-party ICT risk management, and oversight over critical third-party ICT providers.

2023 - September 29. European Supervisory Authorities publish joint response to European Commission’s Call for Advice on specifying further criteria for critical third-party ICT service providers and determining oversight fees to be levied on such providers. Response was based on service provisioning map and overview of third-party ICT providers in EU as well as technical advice sought by European Commission between May 26 and June 23, 2023.

2023 - February 6. European Supervisory Authorities hold online, public technical discussion to solicit views and concerns about DORA policy mandates required to be developed during 2023 and 2024. Included more than 2,000 representatives from credit and payment institutions, investment firms, (re)insurance firms, third-party ICT service providers, and other financial entities.

2022 - May 11. European Council and European Parliament announce provisional agreement for Digital Operational Resilience Act, which sets uniform requirements for security of network and information systems of organizations operating in financial sector as well as critical third parties providing ICT-related services (two of many examples include cloud platforms and data analytics services). The uniform requirements are designed to strengthen IT security among banks, insurance companies, and investment firms and make sure EU financial sector is able to maintain resilient operations during severe disruptions.

2022 - January 27. European Supervisory Authorities publish statement welcoming recommendation by European Systemic Risk Board requiring ESAs to gradually develop Pan-European systemic cyber incident coordination framework to support effective, coordinated responses to major cross-border cyber incidents that could impact EU financial system.

Current Status. According to the Deadlines & Deliverable chart posted by the European Banking Authority, seven Phase 2 deliverables were due 18 months after July 16, 2023, known as the Date of Entry into Force. The latest press releases indicate the European Supervisory Authorities have completed Phase 2 as of July 26, 2024. By the mandatory DORA compliance date, which is 24 months after the Date of Entry into Force, the ESAs must deliver a report on the feasibility of creating a single center or hub for major ICT-related events. 

DORA compliance becomes mandatory in January 2025, and the European Supervisory Authorities have completed Phase 2 deliverables as of July 2024.

Overview of DORA Security Requirements

The requirements of the Digital Operational Resilience Act focus on information and communication technology (ICT), which is akin to information technology (IT) in the United States.

Below are the five security categories with several primary requirements in each to illustrate the nature of DORA security requirements—many of which appear to be based on the popular NIST Cybersecurity Framework and U.S. financial regulations.

Category 1 - ICT Risk Management 

This category includes identifying, preventing, responding to, and recovering from cyber threats. Key requirements include:

  • Setting up and maintaining resilient ICT systems and tools designed to manage potential ICT risks and their impacts. 
  • Performing ongoing event monitoring for cybersecurity and ICT to enable risk prevention or response. 
  • Developing and implementing business continuity and disaster recovery (BC/DR) strategies for ICT-related incidents. 

Category 2 - ICT Third-Party Risk Management 

Third-party risk management to strengthen supply chain security is a critical element of DORA, just as HIPAA’s focus on business associate security and CMMC security requirements for members of the defense supply chain are in the U.S.

DORA specifies the content of contracts between financial entities and their third-party service providers, encompassing all phases of the third-party relationship, including:

  • Planning and developing contractual arrangements, including the required risk assessment, due diligence activities, and the process for approving new or material changes to third-party contracts.
  • Implementing, monitoring, and managing contractual arrangements for the use of ICT services that support functions considered either important or critical.
  • Developing an exit strategy and contract termination process for each relationship.

DORA compliance is mandatory for third-party providers of information and communication technology in the EU and beyond.

Category 3 - Digital Operational Resilience Testing 

EU financial organizations must continually monitor evolving ICT risks and create programs to identify and address new ICT risks potentially affecting them, including: 

  • Performing periodic tests of their ICT risk management frameworks. 
  • Mitigating or eliminating any identified deficiencies, weaknesses, or vulnerabilities. 
  • Developing testing appropriate to the size, business, and risk profile of the organization. 
  • Addressing higher levels of risk exposure using Threat-Led Penetration Testing (TLPT). 

Category 4 - ICT-Related Incident Reporting 

In the European Union, data breach notification is beginning to emerge as a vital component of information security and cybersecurity, as it has been in the U.S. for many years. DORA establishes new incident response requirements that include: 

  • Creating processes to monitor, log, and classify ICT-related incidents. 
  • Reporting incidents to appropriate regulatory bodies using a provided template and procedure. 
  • Developing notification protocols for incidents potentially affecting clients and users, such as the publication of initial, intermediate, and final incident reports. 

Category 5 - Information Sharing 

Recognizing that the sharing of information among organizations within an industry can enhance the prevention, detection, and response to cyberattacks, DORA requires that organizations work to determine what data is best shared, how to share it efficiently, and how to digest shared data for optimum results. This is expected to be an industry effort that will evolve over time, much like the mandated gradual development of a Pan-European systemic cyber incident coordination framework to support effective responses to cross-border cyber incidents that could affect the EU financial system.

Summary

The Digital Operational Resilience Act (DORA) recognizes the mission-critical nature of digital technology in the financial industry in the European Union and establishes an integrated, comprehensive regulatory framework to address that reliance. DORA is the first of its kind to bring the third-party providers of ICT services under direct financial supervision and regulation in order to reduce supply chain vulnerabilities and strengthen supply chain security.

If your organization offers financial services in the European Union or provides third-party ICT services to financial entities in the EU, you are almost certainly subject to DORA requirements. DORA compliance is mandatory as of January 17, 2025. If you have adopted the NIST Cybersecurity Framework or a similar security framework or standard, you are probably much closer to compliance than you think. Act now to conduct a risk assessment against DORA security requirements and find out where you stand.

Sanjay Deo

Sanjay Deo is the President and Founder of 24By7Security Inc. Sanjay holds a Master's degree in Computer Science from Texas A&M University, and is a Certified Information Systems Security Professional (CISSP), Healthcare Information Security and Privacy Practitioner (HCISPP), Certified Information Systems Auditor (CISA) and PCI Qualified Security Assessor (QSA). Sanjay is also co-chair on the CISO Council and Technology Sector Chief for the FBI InfraGard South Florida Chapter. In 2022 Sanjay was honored with a Lifetime Achievement Award from the President of the United States. Subscribe to the 24By7Security blog to learn more from Sanjay.
