The European Parliament enacted the Digital Operational Resilience Act (DORA) in 2022 to push financial services providers to implement robust operational procedures, policies, cybersecurity capabilities and controls to ensure that the financial world will continue to operate even in the face of cyberattacks or other significant disruptions. It brings new, wide-reaching obligations in contract management, incident response and reporting, due diligence and business continuity planning.
Starting on January 17, 2025, financial services providers with operations or customers in the European Union will need to comply with DORA requirements if they meet specific thresholds: €120 billion (about $130 billion) in payment transactions for payment institutions or electronic money institutions (or €40 billion in total value of the amount of outstanding electronic money); €500 million ($540 million) in gross premiums for insurance and reinsurance institutions; or either having the largest national market share or 5% at the European level for trading platforms.
Each EU member state will determine its own sanctions for DORA noncompliance, but financial penalties could be as hefty as 1% of a company’s average daily global revenue, and criminal penalties could be included as well.
While the list of entities that DORA impacts ranges from banks and credit card companies to crowdfunding platforms, it notably does not stop at financial organizations. DORA also aims to strengthen the supporting players, such as the third-party information and communication technology (ICT) vendors that supply services to financial service organizations.
Requirements for Achieving DORA Compliance
According to DORA, financial organizations must have a “sound, comprehensive and well-documented ICT risk management framework” to locate and mitigate digital risks quickly. There are also six key areas businesses must ensure are up to standard in the coming months regarding reducing third-party risk:
Due Diligence: Procedures must be in place to carefully assess all vendors’ operational resilience, security practices and regulatory compliance, both past and present. This due diligence must happen before entering contracts with new vendors and continue via monitoring and routine reviews to ensure that vendors stay above designated standards for operational resilience.
Contract Management: DORA stipulates that contracts with ICT vendors have defined roles and responsibilities, expectations for incident reporting, defined audit rights and mandated training on operational resilience. Contracts should also stipulate permissible subcontracting to ensure the vendor can operate with resilience.
Vendor Registers: As part of the act’s reporting requirements, financial firms must maintain an up-to-date registry of all vendors under contract, with details on the size of those contractual obligations and other pertinent details. Firms should be able to hand over these registers to regulators if necessary.
Incident Reporting: Organizations must promptly report any significant disruptive incidents involving third-party vendors to relevant authorities. Those vendors will also be required to assist with any regulatory investigations resulting from such an incident. This is one of the reasons that audit rights are an important part of contract management when complying with DORA, as are provisions mandating that vendors report any incidents that may have compromised customer data.
Testing: Companies must frequently test third-party risk management procedures under DORA. Simulations that present disaster scenarios or more routine disruptions are important for ascertaining the effectiveness of internal controls and processes to keep the financial services organization resilient. Formal audits of risk programs might also be required.
Business Continuity Planning: In the event of a vendor failure, DORA requires that businesses have a plan for continuity of operations. This could include alternative vendors that have already been assessed or are already under contract for a situation where they can step in for a disrupted or compromised vendor.
Steps for Meeting DORA Requirements
As January approaches and the window shrinks for financial services organizations to implement provisions to comply with DORA, companies need to address the following key steps:
Determine who is in charge of DORA compliance. DORA’s focus on cybersecurity and other types of risk management might require firms to bring together a small, varied team to tackle DORA compliance. Executives spanning multiple disciplines, including IT security, procurement, third-party risk, data privacy and information security, will likely need to provide their insights to the team, and one individual should oversee them to ensure the organization meets all compliance obligations.
Un-silo information. Cybersecurity data, contract data, vendor information and much more are all parts of required due diligence, and any effective operational resiliency plan requires data to be available in aggregate. Data mapping capabilities will be necessary to locate critical information, as well as the ability to consolidate such data for analysis and documentation for reporting purposes.
Adopt stress testing. DORA stipulates that organizations put a specific framework in place for stress testing core IT systems, known as threat-led penetration testing. Such tests must demonstrate technical and organizational domain expertise to withstand broad-scale cyberattacks. DORA requires that testing occur at least once every three years and be performed by an external provider. Internal testers must be approved by regulatory authorities.
Develop audit-ready systems. Financial companies will need to provide regulators with evidence of their DORA compliance, which will require vendors to have similar capabilities. Vendors will need to provide audit trails and quick access to relevant data whenever the company requests it for reporting or incident review purposes. Ideally, such data should be in a single repository for easy access.
Anticipate the need for audits. Gathering specific information from vendors for routine reporting or incident-related use is essential, so financial institutions should review their current contracts carefully. Right-to-audit clauses should be part of every new contract, and those without such a clause should be amended quickly. It can also be helpful to include language requiring vendors to alert the organization within a specified time frame of any incident that could compromise customer data.