A summary of the DORA regulation

A quick explainer of DORA and what this regulation means for European financials.


8 QUESTIONS AND ANSWERS ABOUT THE DIGITAL OPERATIONAL RESILIENCE ACT

Can you give us a summary of the DORA regulation? This is a question Secura often gets asked. Anne de Nies and Ben Brücker, both experts at Secura, answer the most frequently asked questions about DORA.

DORA stands for Digital Operational Resilience Act. The European financial sector must comply with this European cybersecurity regulation by the start of 2025.

1. WHAT IS DORA?

‘DORA focuses on protecting networks and information systems. It is a European directive that the whole financial sector in the EU must follow,’ says Anne de Nies. She works as Group Manager Finance at Secura and helps organizations in the financial sector with their digital security. ‘The aim of this law is to make the sector more resilient against digital risks.’

2. WHEN WILL DORA APPLY TO MY ORGANIZATION?

De Nies: ‘The DORA regulation came into effect on January 16 of 2023. From the 17th of January 2025, all European financials must comply. The details of the regulation are becoming clearer. Batch 1 of the Regulatory Technical Standards, or RTS, and the Implementing Technical Standards (ITS) were published on 17th January 2024. Batch 2 of these standards is under consultation.’ This means you have 1 year to prepare for DORA compliance.

3. WHY WAS DORA CREATED?

‘Of course the financial world is already covered by all kinds of laws and regulations and the supervision that comes with these laws,’ says De Nies. ‘But they mainly focus on the financial aspect, like credit risks or anti-fraud.’

The last few years have seen an increase in cybersecurity requirements: ‘In 2016 we had the NIS directive, aimed at securing network and information systems. But DORA is the first European standard for the financial sector that explicitly says: you must map your digital ICT risks.’

All financial organizations will have to meet the same requirements, more or less, De Nies explains: ‘This regulation doesn’t only apply to the major banks, who are often well regulated anyway and who really prioritize cybersecurity.’

‘The biggest advantage of DORA is that the entire sector will become more resilient to threats,’ says De Nies. ‘And we expect international cooperation to become easier, because we’re all required to work in the same way.’

Quote by Anne de Nies, Group Manager Finance, Secura:

‘The biggest advantage of DORA is that the entire financial sector of the EU will become more resilient to threats.’

4. WHO DOES DORA APPLY TO?

DORA does not only apply to banks and financial institutions, but also to critical suppliers to the financial sector, explains De Nies: ‘For example: the company that manages the network of a bank.’

‘If the bank is safe, but the ICT supplier is not, you still have a major risk. That is why these suppliers are also covered by DORA.’ However, critical service providers will have slightly different rules than banks or asset managers.

Quote by Ben Brücker, Red Teaming Lead, Secura:

‘It is important to execute a test that has sufficient depth to create an accurate picture of a company’s cyber resilience, but in a way that makes the test affordable.’

5. WHAT DOES DORA MEAN FOR MY ORGANIZATION?

‘I don’t expect DORA will be very exciting for large banks and pension funds that already spend a lot of time on security,’ says De Nies. These large companies should do a gap analysis: in which areas are we already compliant and what do we still need to do?

‘It’s the smaller companies that face a challenge. They may need to start taking measures they haven’t needed before.’

The 5 main elements of DORA are:

  1. An organization must have an ICT Risk Management Framework
  2. An organization must have an Incident Response Process
  3. Security testing must be done more often and will be mandatory
  4. Third-party risks must be mapped out, for example the risks your suppliers run
  5. Threat intelligence sharing will be mandatory

INCIDENT PROCESS EXPANDED

DORA means an expanded incident response process, says De Nies: ‘Previously, this process was a standard part of the risk management framework that an organization already had. But DORA takes it a step further. You have to classify an incident and, in certain cases, report it correctly.’

MORE FREQUENT AND MANDATORY TESTING

The new legislation also means: more and mandatory testing, says Ben Brücker, Red Teaming expert at Secura. ‘Financial institutions must perform a Threat-Led Penetration Test, or TLPT, once every three years. These tests can also include IT service providers. Testing is not yet mandatory at the moment, so that is a change.’

The type of TLPT (Threat-Led Penetration Test) that DORA will make mandatory will probably be a variation on the existing Red Teaming standards. However, the Regulatory Technical Standards on this topic are not yet final.

6. WHAT IS THE RELATIONSHIP BETWEEN NIS2 AND DORA?

DORA is not the only major cybersecurity directive to come into force in 2025. NIS2, applicable from October 2024, also sets requirements for the digital security of companies and organizations in Europe.

How do these two directives relate to each other? De Nies: ‘Both involve IT security. The difference is that DORA focuses purely on the financial sector and NIS2 covers all critical sectors. DORA will be leading for the financial sector.’

Another difference is that NIS2 is a directive that each member state must integrate into their national law. DORA is an Act that applies to every member state.

7. WHERE SHOULD MY ORGANIZATION START WITH DORA?

STEP 1: MAP OUT YOUR RISK MANAGEMENT

‘Preparing for DORA starts on the process side,’ advises De Nies. ‘It is a good idea to first check whether you have an ICT Risk Management Framework. That’s the basis. There are standard frameworks you can use if you don’t already have one.’

STEP 2: DO A GAP ASSESSMENT

If you already have a framework in place, check whether there are gaps between your framework and the new regulation. Is security testing already part of your risk management or not? And what about your suppliers?

STEP 3: CHECK YOUR INCIDENT PROCESS

Think about your incident process. Do you have the capacity to report incidents in a proper way?

STEP 4: CREATE OR IMPROVE YOUR TEST PLAN

‘What am I going to test? When will I test it? How am I going to demonstrate what I have tested? Make sure you have a test program or test plan in place for the upcoming years, and find a partner with the capacity to help you execute it.’

Does your organization already have a mature security posture? In that case De Nies’ advice is to conduct a gap analysis to check which additional measures you need to implement for DORA.

8. WHAT’S THE BIGGEST CHALLENGE WHEN IT COMES TO DORA?

Although De Nies and Brücker are generally positive about DORA, they do expect a few problems.

1. HEAVY WORKLOAD

‘If you are a CISO working solo at an organization that hasn’t spent a lot of resources on cybersecurity, DORA will mean a lot of extra work,’ says De Nies.

‘There is so much work coming up for the sector due to DORA and NIS2, that there probably won’t be enough people to complete it all in the time we have. Security people are scarce, so that’s the first challenge.’

2. REPORTING INCIDENTS

‘DORA will require you to report security incidents. But the question is: how is that requirement managed?’ asks De Nies. ‘Where will that information end up? It can make organizations uneasy to have to report these kinds of incidents.’

3. THIRD-PARTY RISKS

A third challenge when it comes to DORA: gaining control of third-party risks, says De Nies: ‘What if your third party is a small IT supplier or a foreign party that you don’t have any control of? How are you going to manage that? That is unclear.’


You are invited

Join our upcoming webinar where we will discuss the latest Regulatory Technical Standards (RTS) within DORA. Discover in an interactive, engaging way how to interpret and apply these standards in your organization.

This webinar offers two essential perspectives: from a technical perspective and from a procedural perspective.


ABOUT SECURA

Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.

Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80,000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.