Jonathan Evans on DORA: Strengthening Cyber Resilience in the EU’s Financial Sector
The introduction of the Digital Operational Resilience Act (DORA) by the European Union is a significant step towards fortifying the digital resilience of its financial sector.
As the January 17, 2025 deadline looms closer, financial institutions face critical milestones to ensure compliance with DORA’s requirements.
Jonathan Evans, Founder of IT Security Locksmith and former Head of Global IT Security at Rothschild & Co, sat down with Dan Haagman, CEO of Chaleit, to discuss DORA’s background, important features, and practical implications.
Watch the video and read the key considerations and practical steps for effectively navigating this new regulatory landscape below.
Concerns driving DORA
The Digital Operational Resilience Act appeared in the context of the increased reliance on technology within the financial services sector, coupled with the growing interconnectedness of these technologies.
EU regulators were concerned about the potential for a cascade effect, where a resilience issue affecting one bank could propagate to impact more financial services, ultimately undermining the stability of the European financial markets.
Regulators were also wary of concentration risk, where numerous financial institutions use the same third-party service, potentially leading to simultaneous disruptions across multiple organisations.
DORA is designed to address these risks and ensure the digital operational resilience of the EU financial system against various technological threats and vulnerabilities.
Steps towards stability and digital security
The Digital Operational Resilience Act is part of the EU’s Digital Decade Strategy, which is in effect until 2030. This strategy aims to build a skilled digital workforce, ensure secure digital infrastructure, drive digital transformation in businesses and enhance the digitisation of public services.
In this framework, DORA comes as a regulation, not a directive, which means it is uniformly applied across all EU member states. As a result, compliance should be simpler for companies operating or providing services across multiple EU countries.
The regulation primarily targets the financial sector, encompassing credit institutions, payment institutions, investment firms, and insurance and reinsurance companies. Additionally, ICT third-party service providers are explicitly included within DORA’s scope.
DORA’s key implications and requirements
DORA fundamentally reshapes operational risk management within financial services firms, focusing on robust governance and accountability at the highest levels. It outlines several main compliance components, covering ICT risk management, reporting incidents, operational resilience testing, and information sharing.
Approximately a quarter of DORA focuses on ICT third-party risk management, emphasising the importance of operational resilience across third-party service providers.
The Act formulates specific responsibilities for the management body, shifting the ownership of ICT risks from functional roles to strategic decision-makers, Jonathan explains.
Key requirements of DORA include:
Implementation of ICT risk management frameworks overseen by the management body.
Authorisation of policies, roles, and responsibilities related to operational resilience and business continuity.
Approval of internal audit plans covering DORA compliance.
Allocation of budgets for operational resilience initiatives, including ICT third-party reporting.
These requirements highlight the need for enhanced process documentation, clearer information source identification, and improved controls to align with DORA’s operational resilience standards.
Implications for service providers
DORA extends regulatory oversight beyond financial institutions to include third-party service providers, ensuring they meet specific operational resilience standards if they support financial services within the EU.
Third-party service providers are expected to enhance operational resilience and align with DORA’s requirements to continue supporting financial services. This shift requires these providers to adapt and improve their resilience measures in line with regulatory expectations.
Providers outside the EU are also subject to DORA compliance if they wish to maintain business relationships with EU financial institutions. Although penalties may not directly apply, compliance is necessary to sustain commercial relationships.
Threat-based modelling and penetration testing
Regulators aim to standardise and enhance consistency in how firms approach threat-led penetration testing to improve cyber security resilience.
As a result, DORA mandates a structured approach to threat-led penetration testing, specifying the qualifications and competencies required for testers. Companies will need to adhere to a technical standard on threat-led penetration testing, outlining scoping and methodology guidelines.
This approach will foster a more strategic and risk-focused approach to cyber security, with the overarching goal of improving digital resilience and business continuity within the financial services landscape.
Overlap between DORA and existing practices
Many financial services firms are already engaged in operational resilience practices, which may cover a significant portion (estimated at around 60-70%) of what is required by DORA. The level of sophistication varies among firms, influencing the extent of existing compliance efforts, Jonathan explains.
It’s crucial for firms to conduct a gap analysis between their current practices and the specific requirements outlined in DORA. While existing frameworks and certifications such as the NIST Cybersecurity Framework or ISO 27001 can provide a good foundation, they will not fully cover DORA’s extensive scope.
DORA is an extensive piece of legislation that mandates thorough compliance measures beyond standard certifications. While some overlap exists between current industry practices and DORA’s requirements, financial institutions must make a significant effort to bridge the gap and achieve full compliance with the regulatory framework.
Compliance deadlines and urgency for action
With the January 17, 2025, deadline approaching, financial services firms must prioritise compliance efforts to meet DORA’s requirements.
Jonathan notes that certain aspects of DORA, such as incorporating clauses into third-party contracts, should have been addressed over the past year. Companies must review and amend existing contracts to align with DORA’s specifications, especially in recent renewals.
Operational resilience testing remains a critical activity that businesses should continue and learn from. This ongoing preparation is essential for meeting reporting obligations post-January 2025 and ensuring a smooth transition to the regulatory framework outlined by DORA.
Larger service providers are likely aware of DORA’s impending enforcement. Smaller third-party service providers, however, may be caught off guard when regulators ask them to provide compliance information.
Practical steps for compliance
To navigate DORA effectively and achieve compliance by the deadline, Jonathan advises financial institutions to take proactive measures, such as the following:
Review existing third-party contracts and ensure DORA requirements are incorporated, especially in recent renewals.
Address any gaps in clause inclusion retrospectively to avoid regulatory scrutiny.
Continue and enhance operational resilience testing to identify and mitigate risks effectively.
Learn from testing outcomes to strengthen overall resilience capabilities.
Leverage existing knowledge of DORA to initiate compliance activities promptly.
Prioritise the implementation of ICT risk management frameworks and necessary controls that are aligned with DORA’s requirements.
The impact of DORA extends beyond compliance to transform how financial institutions approach operational resilience and ICT risk management, with an emphasis on governance, oversight, and strategic alignment at the management level.
DORA’s benefits include enhanced organisational resilience against shocks, improved risk awareness, and a more comprehensive approach to addressing emerging operational challenges in the digital age, Jonathan emphasises.
DORA is a significant step forward in improving the digital resilience of the EU’s financial sector. By promoting a culture of proactive risk management, robust operational controls, and threat-based testing, DORA paves the way for a more secure and stable financial ecosystem within the European Union.
If you’d like to discuss the implications of DORA for your organisation, contact us.