
What Is the Digital Operational Resilience Act (DORA)?

Published on November 29, 2024 • Updated on December 2, 2024 • About 7 min. read


For many financial institutions and information and communication technology (ICT) providers, the Digital Operational Resilience Act (DORA) has already become a familiar topic. But now that it's shifted from a future concern to a current reality, you likely have questions about how it could affect your organization.

How should you prepare? Are you responsible for compliance? Does the legislation really affect you?

In this article, we'll cover what you need to know about DORA, including the five main requirements and how to comply with them. We'll also share how Livestorm has enhanced security and data protection, which benefits users in the financial sector and beyond.


What is DORA?

DORA is an EU regulation that sets binding ICT risk management requirements for the financial sector. It entered into force on January 16, 2023, and its requirements apply from January 17, 2025. Its aim is to protect financial entities and their customers from ICT disruptions and cyberattacks.

The three European Supervisory Authorities (ESAs), the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), draft the technical standards that fill in DORA's detail and jointly oversee the ICT providers designated as critical to the financial system.

Who DORA affects

DORA was proposed by the European Commission and, as an EU regulation, applies directly in every member state without national transposition. It covers a wide range of financial entities (banks, insurers, investment firms, payment institutions, crypto-asset service providers, and others) and the third-party ICT providers that serve them.

ICT services are defined broadly. Beyond hardware such as computers and mobile devices, the term covers software vendors, data providers, data centers, and cloud service providers, including live event platforms like Livestorm.

Why DORA matters

In the past decade, financial entities have increasingly adopted cloud-based technology and digital services like video banking. While this shift toward digital operations makes financial services more accessible, it has also introduced serious risk.

DORA creates a single framework for making the sector more resilient and less susceptible to ICT incidents. It aims to reduce disruptions to financial services, sets common risk management standards, and harmonizes the overlapping and sometimes conflicting ICT rules that previously existed across EU financial legislation.

5 DORA act requirements

While DORA is relatively complex, the act has five main requirements. The last one is optional but recommended.

1. ICT risk management and governance

First and foremost, DORA requires every covered entity to own its ICT risk. The management body is accountable for this, and each organization must maintain a documented ICT risk management framework and run resilient ICT systems.

This involves:

  • Identifying critical ICT assets and potential security issues
  • Mapping dependencies between assets and systems
  • Assessing potential risks for severity and likelihood
  • Determining priority for outstanding issues

Creating a risk management framework is just the first step. DORA also requires organizations to assess risk continuously. If your organization identifies an issue, you must keep a record of the steps you took to address it.


To encourage resiliency, DORA requires financial entities to create business continuity plans. In the event of a major cyberattack or an ICT provider failure, your team can use this plan to access data backups, restore ICT systems, and update both customers and authorities.

Major disruptions and ICT-related incidents can become expensive quickly. DORA requires organizations to analyze the business impact of various cyber risk scenarios to make risk assessment and related ICT decisions more straightforward.

2. ICT incident response and reporting

Don't wait until your organization experiences a data breach or an outage to think about managing ICT incidents. DORA requires covered entities to set up a process for detecting, logging, and handling ICT-related incidents. That process must include documenting each incident, classifying its severity against DORA's criteria (for example, the number of clients affected, duration, geographic spread, and data loss), and reporting it.

Any incident classified as major must be reported to your competent authority in three stages: an initial notification, an intermediate report on progress, and a final report with a root cause analysis. Where a major incident affects the financial interests of clients, you must also inform them without undue delay, and you may need to notify affected business partners.

3. Digital operational resilience testing

Think you've done enough to protect your organization from cyberattacks? Instead of assuming, put it to the test.

DORA requires covered entities to evaluate their protections proactively and look for weaknesses. At least once a year, organizations must test all ICT systems that support critical or important functions, using methods such as vulnerability assessments, scenario-based tests, and source code reviews.

Financial entities that competent authorities identify as significant to the financial system must additionally undergo threat-led penetration testing (TLPT) at least once every three years. TLPT is run against live production systems, and the ICT third-party providers that support the functions in scope must take part in the test.

After a TLPT, your organization must submit a summary of the findings and its remediation plans to the authority, which issues an attestation that the test was carried out. Vulnerabilities found in any test must be tracked to closure, with a prioritized remediation plan.

4. ICT third-party risk management

Are your ICT service providers ready for DORA? Because the regulation holds financial entities responsible for the risk their providers introduce, covered entities must take a proactive approach to managing third-party ICT risk.

At a minimum, confirm that any data or cloud service provider you contract with gives you the access, audit, and monitoring rights DORA requires, and that the contract sets out service levels, incident support, and exit arrangements. ICT providers should also be transparent about where data is processed and stored.


In addition, your organization must maintain a register of information covering all contractual arrangements with ICT providers, flagging which ones support critical or important functions. DORA also requires you to assess ICT concentration risk: relying on a single provider, or a few, for many of these functions creates a single point of failure.

Organizations that outsource these functions will likely need to revisit existing ICT contracts. Contracts that lack the provisions DORA mandates must be renegotiated, and financial entities must be able to terminate arrangements where a provider falls short of the regulation's requirements.

5. Information and intelligence sharing

The four requirements above focus on implementing internal guidelines and providing essential data to authorities. While it isn't required, DORA encourages financial entities to share information about cyber threats.

By sharing information and intelligence with other organizations in the financial sector, you can take steps to make the environment more secure for everyone. As a result, you can improve the sector's resilience.

If your organization opts to collaborate with other financial organizations, you must protect any sensitive data. This includes following the EU's General Data Protection Regulation (GDPR).


How to comply with the Digital Operational Resilience Act

Use this guide as a starting point for following DORA requirements. To make sure that your organization complies with DORA, consult with your legal team.

Assemble a compliance task force

DORA requires financial institutions and ICT providers to set up internal systems for managing risk assessments, testing, and reporting. Because these systems often involve extensive research, ongoing vendor communication, and specific reporting processes, they need active management.

Instead of letting each department handle its own risk management, take a unified approach. Create a task force that's responsible for overseeing evaluations, testing, and reporting throughout the organization. Depending on the size of the organization, this may require a significant resource investment.

Conduct routine testing

Because DORA is designed to improve resilience, the act requires organizations to take a proactive approach to identifying security weaknesses. For most organizations, annual testing of the ICT systems that support critical or important functions is the baseline.

Financial entities identified as significant must additionally undergo threat-led penetration testing every three years. Its scope is the live production systems that support critical or important functions, including those operated by third-party ICT providers, so those providers must be prepared to participate.

Plan for real-time monitoring and incident reporting

Develop a system that lets your team detect and track incidents as they unfold and report major ones within the deadlines DORA sets for initial, intermediate, and final reports. Prompt detection also limits the damage, since it shortens the window in which additional data can be compromised.

While DORA requires you to report critical incidents, you can also take additional steps. Consider participating in information and intelligence sharing to increase operational resilience for more financial institutions.

Vet third-party vendors

For financial institutions, ensuring that internal systems comply with DORA is an important first step. However, you also need confirmation that your ICT providers comply with DORA requirements.

As a result, you must thoroughly vet the third-party vendors you use for payment processing, customer training, video banking, and other digital finance initiatives. Any ICT service provider you choose must be able to meet DORA's contractual requirements on security, availability, data location, and audit access.


As one of the most secure video conferencing software providers, Livestorm is equipped for enterprise customers in the financial sector.

Our software platform has achieved both ISO certification and GDPR compliance. Livestorm's security portal includes ISO 27001 documentation and information on our risk profile, product and data security, infrastructure, and reporting.

Keep records of compliance efforts

Simply checking all the compliance boxes isn't enough. Your organization should also keep records of all compliance efforts, including audits, testing, plans for improvement, and incidents.

Documenting risk management processes is a crucial part of DORA. The act requires covered entities to provide documentation of everything from asset dependencies to threat classification to mitigation steps.

FAQs about DORA compliance

When does DORA take effect?

DORA came into effect on January 16, 2023. However, the requirements related to the act are enforceable starting on January 17, 2025.

What are the penalties for noncompliance with DORA?

Penalties for financial entities are set and enforced by each member state's competent authorities and can include fines and other administrative measures. For ICT providers designated as critical, the ESAs act as Lead Overseer and can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year.

These payments can add up quickly. They are charged daily for up to six months, or until the provider complies with the Lead Overseer's requests.

Does DORA affect organizations outside of the EU?

The short answer is yes. While DORA is a European Union regulation, it reaches organizations worldwide.

An ICT provider that serves EU financial entities will be held to DORA's contractual requirements regardless of where it is based, and a provider designated as critical falls under direct ESA oversight. If your organization is an analytics, software, or cloud service provider for the financial sector, it is in your best interest to meet DORA requirements now.
