DORA: How EU Finance Orgs Can Prepare

Published on December 26, 2022 by

Andrew Sweeney

In November, the European Council formally adopted the Digital Operational Resilience Act (DORA), to ensure the European financial sector maintains resilient operations through disruptions, such as cyberattacks.

The DORA lays out uniform requirements for companies’ network and information system security including financial organizations and their critical ICT providers. But what does it mean for your organization, and how can you prepare?

The DORA: Why is it needed?

As companies digitalized their operations to remain competitive during 2020 lockdowns, EU figures showed that the number of significant attacks against critical targets doubled. Because of the valuable data they manage FinTech companies have long been a target for cybercrime and by accelerating digitalization, they are becoming increasingly reliant on third-party ICT providers for services such as cloud storage. As a result, a growing number of cybercriminals are targeting those suppliers to gain access to finance companies’ data.

It wasn’t hard for the European Council to see how, with companies sharing providers, a localized breach could quickly spread and impact economies. And with regulations for tackling digital operational resilience different from one member state to another it was also easy to see where inconsistencies could open the door to risk. To address these disparities, the European Council proposed the DORA in September 2020.

What is the aim of the DORA?

The DORA implements a unified approach for financial companies in the EU around risk management, incident reporting, resilience testing, ICT third-party risk, and information sharing. It aims to harmonize the way that risk management is handled and formalize communications channels to give authorities more information to act rapidly and tackle cybercrime at the source.

What it means to your company

The DORA will impact a wide range of financial entities within the EU as well as their critical third-party ICT providers. Companies will be required to:

  • Develop and maintain a comprehensive risk management framework leveraging robust processes and tools that allow them to identify, respond to and mitigate risks across their ICT estate. These should incorporate comprehensive continuity and disaster recovery plans.
  • Incorporate a digital operational resilience testing program within the above framework, including a range of tests, processes and tools that enable anomalies to be classified, prioritized, and remedied. Companies will also be required to conduct regular testing, using either an external company or an independent internal party.
  • Categorize incident risk levels and report significant incidents to a central EU hub.
  • Share cybersecurity intelligence with other finance companies.
  • Manage third-party ICT risks: DORA will incorporate requirements for contracts between financial companies and their critical ICT providers, including the location where data is processed, service level agreement descriptions, reporting requirements, rights of access, and circumstances that would lead to terminating the contract. Critical third-party ICT providers will need to set up a subsidiary in the EU (if they don’t already have one) so that they can be regulated.
Learn how ReadyWorks helps ensure conformance with DORA guidelines/key performance indicators. Download The Solution Brief

Learn how ReadyWorks helps ensure conformance with DORA guidelines/key performance indicators.


What are the next steps?

Now the DORA has been formally adopted, it needs to be made into law in each EU member state. During this time, relevant European Supervisory Authorities (ESAs) will develop the technical standards that all financial services institutions must follow.

How can you prepare?

Think about the following:

  • Risk Management: Audit your current process to understand gaps and inconsistencies. Ask yourself:
    • Can you easily access a comprehensive inventory of all your assets and interdependencies?
    • Can you regularly conduct scans of the environment to identify and mitigate vulnerabilities such as unpatched software or old operating systems?
    • Do you need to implement a more stringent disaster recovery plan?
  • Resilience Testing: Identify the tests that you need to comply with and identify if you can manage resilience testing in-house or require a third-party organization to manage this.
  • Incident Reporting: Can you categorize risk levels and rapidly create reports on critical incidents?
  • Information Sharing: Can you adapt templates and automate communications with other companies?
  • Third-party ICT providers: What is your service providers’ risk management policy? Are they adapting their policy to meet new requirements? Understanding their vulnerabilities will allow you to develop a risk mitigation plan.

It’s vital to act now to prepare for when the legislation comes into effect. Your IT estate, like many other organizations, has likely increased complexity as you’ve implemented new capabilities. You’re probably interacting with multiple IT management tools that don’t interact with each other and using manual processes to bridge the gaps between them.

If that’s the case, you may be struggling to prepare for the DORA. But, there is a way to do so, without increasing your stress levels and that’s by implementing a digital platform conductor (DPC), a tool recognized by Gartner in 4 hype cycles in 2022.

Simplify risk management and reporting using intelligent automation

A DPC provides new agility by connecting to all your IT management tools and orchestrating them to deliver end-to-end workflow automation. This will allow you to prepare for the DORA by:

  • Implementing a risk management strategy that incorporates a holistic automated IT asset management (ITAM) program. A DPC enables this using intelligent automation to collect and analyze data at scale, giving you an accurate, real-time view of your estate and all interdependencies that you can view from any angle to identify vulnerabilities such as unpatched software or outdated operating systems.
  • Setting up automated scans, triggered by dates and events pre-defined in a DPC, to comply with resilience testing requirements and quickly access comprehensive reports for compliance audits.
  • Allowing you to categorize risk levels within the DPC and quickly access reports on incidents and the workflows employed to act against them to share with authorities.
  • Giving you access to customizable templates and allowing you to automate communications to share information with other finance companies.
  • Digitally record and document interactions with third-party ICT providers to maintain compliance with regulations.

Book a demo to understand how ReadyWorks can help your organization prepare for the DORA.