Last Updated on January 17, 2024
With cyber threats and related digital risks always escalating, robust regulations are increasingly necessary to protect the stability of our global digital ecosystem and economy. The Digital Operational Resilience Act (DORA) is a new regulation to bolster information security and overall resilience across the European Union (EU) financial sector.
This blog post provides an overview of DORA and its impacts on organizations within the EU, the US, and worldwide.
What is DORA?
DORA became law in January 2023 and takes effect in January 2025. DORA’s primary goal is to ensure that financial institutions, market infrastructure providers, and other organizations are prepared to withstand and respond to operational disruptions caused by cyberattacks, IT failures, or other unforeseen events.
Key points to know about DORA include:
- It aims to establish a consistent framework for building operational resilience across the EU financial sector and its global supply chain. EU financial institutions and associated entities—including third parties subject to compliance requirements—are being held to a uniform standard of best practice.
- It identifies Critical Information Systems (CIS) as a key focus. CIS are those whose unavailability or failure could significantly impact EU financial stability. DORA requires covered businesses to identify their CIS and meet specific protection standards.
- It mandates timely incident reporting to both national authorities and potentially the European Banking Authority (EBA).
- It emphasizes third-party risk and supply chain risk. Cloud service providers and other vendors play an increasingly important role in financial firms’ digital operations. DORA places requirements on risk assessment, due diligence, and contracts to ensure the resilience of third-party services.
Why is DORA important?
While DORA is EU legislation, its impact will be global. Because financial markets are globally interconnected, financial institutions, fintechs, and other tech companies will need to comply with DORA to do business in the EU.
Important DORA goals and outcomes include:
- Better information security. DORA defines robust cybersecurity controls and risk management practices that will both stabilize financial institutions and protect consumer data and other assets.
- Improved privacy/data protection. DORA converges with the EU’s General Data Protection Regulation (GDPR) to promote a holistic approach to information security and consumer privacy protections and rights.
- Cross-border consistency. DORA holds covered financial entities across the EU to the same standards. This supports and simplifies compliance for cross-border financial businesses.
- Stronger regulatory oversight. DORA expands the roles of both the EBA and national regulators in overseeing financial operational resilience.
How will DORA impact my business?
Especially because it reaches beyond cybersecurity to address operational resilience best practices, DORA compliance may require significant technology investments and process changes. This could increase operational costs for many businesses in the financial services supply chain.
Increasing compliance demands will also require organizations to find “win-win” approaches that support compliance without hindering digital innovation. Agility remains critical as the pace of change accelerates across the financial services digital landscape.
With the need to prove DORA compliance just one year away, financial firms and their in-scope vendors must move decisively to ensure competitive success. This includes proactively incorporating a focus on operational resilience into their risk management practices.
As the global digital landscape continues to progress and mature, DORA sets a new worldwide model for how regulators can effectively address existing and emerging cybersecurity and business continuity challenges.
To connect with an expert on how your business can best prepare for and benefit from DORA, contact CBIZ Pivot Point Security.