Today the Digital Operational Resilience Act (DORA) becomes binding across the EU, aiming to strengthen financial entities’ stability and security. Arguably, it’s never been more needed than now. According to SailPoint, the financial industry was the most targeted sector for data breaches in 2024. Close to 65 per cent of financial organisations said they experienced a ransomware incident, up from 34 per cent in 2021.

DORA is designed to promote operational resilience within the EU’s financial ecosystem. It provides a comprehensive framework to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions and threats. In this blog, we will break down the key components of the act, its scope, and how organisations covered under the regulation can get ready to meet its demands.

Why is DORA needed and how did it come about?

With the increasing reliance on digital systems and the growing sophistication of cyberattacks, DORA harmonises requirements across member states, reduces fragmentation and ensures a consistent approach to ICT risk management. The Act also mandates robust oversight of third-party ICT service providers, standardises incident reporting, and enhances operational resilience testing. It’s worth emphasising that under DORA, incident reporting extends to operational outages and cybersecurity-related incidents.

What organisations are in scope?

DORA mainly covers organisations in the financial services sector. Article 2 of the Act gives the full list of the types of organisation it covers, including: credit institutions, payment institutions and account information service providers; investment firms; crypto-asset service providers; central securities depositories; trading venues; alternative investment fund managers; insurance and reinsurance providers; credit rating agencies; and ICT third-party service providers.

What do organisations need to do to become compliant with DORA?

Once they have established whether they are in scope, they need to complete a gap analysis against the Act’s core requirements, which can be broken down into the following five pillars:

  • Pillar 1 – Governance
  • Pillar 2 – ICT Risk Management
  • Pillar 3 – Incident Management
  • Pillar 4 – Digital Operational Resilience Testing
  • Pillar 5 – ICT Third-Party Supplier Management

The resulting analysis will inform a DORA compliance roadmap.

Are there any parts of the regulation that organisations aren’t yet aware of or familiar with?

Incident response is an important day-one requirement. Organisations should make sure they understand the incident handling and reporting requirements and put in place the technical controls, policies and procedures needed to meet them.

What changes for reporting incidents will come into effect under DORA?

DORA-covered entities will be required to enhance their incident detection and handling policies and procedures. They need to assess any incident that affects Critical and Important Functions/Services (CIFS) to establish whether it is a notifiable (major) incident. DORA defines specific impact criteria and thresholds which, if met, require the covered entity to notify its competent authority following a prescribed process and timeline.

In practice, organisations will need to maintain and test the effectiveness of the following policies, plans and procedures:

  • Crisis management policy
  • Crisis communications plan
  • Incident management policy
  • DORA incident classification procedure
  • DORA incident reporting procedure

What is the supervisory authority for reporting to?

In Ireland, it’s the Central Bank of Ireland (CBI). In other EU member states, it is the designated national financial supervisory authority, i.e. the CBI’s equivalent.

What are the reporting requirements?

Covered entities must submit an initial notification as early as possible and within four hours of classifying an incident as major, but in any case no later than 24 hours after becoming aware of the incident, whichever comes first. Two clocks therefore run at once, and the 24-hour clock starts at awareness, not at classification.

Where an incident that was not classified as major within those 24 hours is later reclassified as major, the firm must submit the initial notification within four hours of that reclassification. Where accurate data is not yet available for the notification, the firm must submit estimated values based on the information it does have, to the extent possible.

Organisations also need procedures that enable submission of an intermediate report no later than 72 hours after the initial notification was made. Further intermediate reports may be required as new incident-related information becomes available, or when the competent authority requests additional information.

A final report must be submitted no later than one month after the latest updated intermediate report. The firm must update the information previously provided in the intermediate report and, where necessary, reclassify the incident as non-major. When assessing incidents, covered entities also need to consider recurring lower-severity incidents over the past six months which individually do not meet the major-incident thresholds but collectively do.
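The timeline above is easy to get wrong under pressure because two clocks run at once and a late reclassification changes which one applies. The following calculator is an added example, not part of the original article or any regulator’s tooling: it encodes the 4-hour / 24-hour / 72-hour / one-month durations exactly as the post states them, approximates “one month” as 30 days (an assumption; check the RTS text and your authority’s guidance), and requires timezone-aware timestamps so that deadlines are unambiguous. The sample timestamps are constructed for illustration.

```python
"""DORA major-incident reporting deadline calculator (added example).

Durations are the fixed values quoted in the post. "One month" is
approximated as 30 days here, which is an assumption. All timestamps
must be timezone-aware.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

INITIAL_AFTER_CLASSIFICATION = timedelta(hours=4)   # 4h from classification as major
INITIAL_CAP_AFTER_AWARENESS = timedelta(hours=24)    # but never later than 24h from awareness
INTERMEDIATE_AFTER_INITIAL = timedelta(hours=72)     # 72h from the initial notification
FINAL_AFTER_INTERMEDIATE = timedelta(days=30)        # assumption: "one month" as 30 days


@dataclass(frozen=True)
class Deadlines:
    initial: datetime
    intermediate: datetime
    final: datetime


def _require_tz(ts: datetime) -> None:
    if ts.tzinfo is None:
        raise ValueError("use timezone-aware timestamps so deadlines are unambiguous")


def initial_notification_deadline(aware_at: datetime, classified_major_at: datetime) -> datetime:
    """Two clocks run at once: 4h from classification as major, but no later than
    24h from awareness, whichever comes first. If the incident was only
    reclassified as major after the 24h window had already closed, the 4h clock
    from that reclassification applies on its own."""
    _require_tz(aware_at)
    _require_tz(classified_major_at)
    if classified_major_at < aware_at:
        raise ValueError("an incident cannot be classified before the firm is aware of it")
    four_hours = classified_major_at + INITIAL_AFTER_CLASSIFICATION
    cap = aware_at + INITIAL_CAP_AFTER_AWARENESS
    if classified_major_at > cap:
        # Late reclassification: the 24h cap has already passed, so only the
        # 4h-from-reclassification clock applies.
        return four_hours
    return min(four_hours, cap)


def reporting_deadlines(
    aware_at: datetime,
    classified_major_at: datetime,
    initial_submitted_at: Optional[datetime] = None,
    latest_intermediate_at: Optional[datetime] = None,
) -> Deadlines:
    """Plan all three submissions. Each later deadline hangs off the actual
    submission time of the previous report when known, otherwise off that
    report's planned deadline (a conservative planning value)."""
    initial = initial_notification_deadline(aware_at, classified_major_at)
    intermediate = (initial_submitted_at or initial) + INTERMEDIATE_AFTER_INITIAL
    final = (latest_intermediate_at or intermediate) + FINAL_AFTER_INTERMEDIATE
    return Deadlines(initial, intermediate, final)


def hours_remaining(deadline: datetime, now: datetime) -> float:
    """Hours left until a deadline; negative means it has already been missed."""
    return (deadline - now).total_seconds() / 3600


if __name__ == "__main__":
    # Constructed sample: aware at 09:00 UTC, classified as major two hours later.
    utc = timezone.utc
    aware = datetime(2025, 1, 17, 9, 0, tzinfo=utc)
    plan = reporting_deadlines(aware, datetime(2025, 1, 17, 11, 0, tzinfo=utc))
    for name, when in (("initial", plan.initial), ("intermediate", plan.intermediate), ("final", plan.final)):
        print(f"{name:>12}: {when.isoformat()}")
```

Feed it the awareness and classification timestamps from your incident ticket and it tells you which clock binds; the late-reclassification branch is the case teams most often miss.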

In your experience, how ready are organisations for DORA?

It’s fair to say financial entities are starting from a better initial position than those covered solely by NIS2, for example. In other words, DORA preparation has been helped by related compliance requirements that preceded it over the last few years.

Covered entities in Ireland were required to comply with the Central Bank of Ireland’s CP 140 Guidelines on Operational Resilience a number of years ago. Between this and the Central Bank of Ireland’s guidance on ICT risk management and outsourcing, covered entities have had to put many good operational resilience and ICT risk management practices in place already.

Is it expensive to comply with DORA? 

It depends on the starting position, but complying with DORA represents a cost in both money and time. Covered entities will need to mature their risk management practices and better formalise, and possibly automate, their policies and procedures. They may need to deploy additional tooling, such as security and availability monitoring for their technology estate. Organisations will also be required to formalise their operational resilience testing and ICT supplier management policies and procedures.

DORA-related ICT risk reporting will also need to be squeezed onto the already bulging board agenda. Organisations may also need to invest to eliminate legacy or unreliable systems or systems which pose unacceptable risk to the resilient delivery of critical and important services.

Apart from organisations that are directly in scope, does DORA bring in others through supply chain connections?

DORA directly covers IT managed service providers (MSPs) that provide services in support of Critical and Important Functions/Services. Covered entities will also be required to better manage their supply chain. This will translate into a higher degree of scrutiny of critical and important ICT suppliers, such as software providers or SaaS providers. Simply put, DORA ICT risk management requirements will cascade down into covered entities’ supply chains, so that ICT risk is managed in proportion to the risk each supplier poses.

Are there any security frameworks that will help organisations to comply?

Yes. Aligning or certifying your ICT risk management with a recognised framework supports compliance. We recommend adopting a standard-based approach where available because these hold up to regulatory scrutiny. ISO 27001, for example, requires the “needs and expectations of interested parties” to be considered. For a covered entity, that interested party would be the regulator as well as its customers or clients for example.

One would then implement DORA using the ISO controls framework, tailoring it as required to meet specific DORA requirements, e.g. ICT risk management policy requirements and major incident handling and reporting. (By the way, ISO 27001 compliance is also a great way for ICT suppliers to meet most regulated customers’ DORA requirements.)

Does the Act apply equally to organisations regardless of their size?

One question we get asked a lot is about the Act’s “proportionality principle”. Most organisations are somewhat nervous of applying it. In a nutshell, the principle allows lower-risk organisations, and those in the supply chain, to implement DORA requirements in proportion to the risk their organisation’s services represent to the markets and to service users.

So, for example, a Tier 1 bank, based on its high-risk assessment, requires a robust implementation of DORA’s requirements, whereas a small credit union does not have to reach the same bar. The risk assessment is key to justifying the approach an organisation takes, so document it.

Will DORA lead to improvements in understanding the threat landscape?

Yes, by increasing communication and information sharing about vulnerabilities once they are known. Further, the incident reporting requirements and the associated lessons-learned obligations will give better visibility of incident root causes, leading to improved resilience and fewer recurring incidents.

What advice would you have for organisations that need to comply, and produce evidence of compliance?

Complete an initial gap analysis to understand your organisation’s compliance gaps and develop a remediation plan to close them.

  • Take the time to read and understand the Act’s technical and implementation standards
  • Maintain an action plan to support ongoing compliance. This is a statement of management intent to meet the requirements if your organisation is not compliant as of yet
  • Align your ICT risk management practices to a recognised framework, e.g. ISO 27001, and preferably get certified to it
  • Enable your board to meet their accountability requirements through structured training plans
  • Establish concise board reporting-related documentation and metrics
  • Regularly review your risk assessment
  • Test your processes and procedures
  • Mature the management of your supply chain
  • Appropriately test the technologies underpinning the delivery of your critical and important services against robust yet plausible threat scenarios.

DORA should lead to a more resilient financial sector, but its stringent requirements demand careful planning and execution. To manage this process or get help with it, consider working with a reputable expert that specialises in this field.


About the Author: admin
