How to Prepare for the Digital Operational Resilience Act

Ensure your organization’s readiness for the Digital Operational Resilience Act (DORA). Learn about compliance, data protection strategies, and best practices as well as what the EU’s new DORA Act means for IT Security.

What is DORA - Digital Operational Resilience Act

The European Union is widely recognized as a global leader in data protection and privacy. Many countries, including the US, look to EU models such as the General Data Protection Regulation (GDPR) when crafting their own laws for handling sensitive information, keeping data secure, and preventing data loss. Now there is another significant regulation that businesses around the world need to understand.

In January 2025, the EU will begin enforcing a new regulation called the Digital Operational Resilience Act (DORA). Its aim is to ensure EU financial systems remain stable and secure in the face of digital threats.

What is the Digital Operational Resilience Act (DORA)?

In 2023, the EU introduced the Digital Operational Resilience Act. DORA’s purpose is to mitigate threats by establishing standardized practices for managing digital operational resilience. It mandates that financial entities establish robust frameworks to withstand, respond to, and recover from information and communications technology (ICT)-related disruptions. DORA encompasses a wide array of requirements, including risk management, incident reporting, resilience testing, and intelligence sharing.

Key Objectives of the Digital Operational Resilience Act

The primary objectives of the Digital Operational Resilience Act are:

  • Strengthening Digital Resilience: DORA aims to bolster the ICT systems and networks of financial institutions, making them more resilient to operational disruptions and cyberattacks.
  • Standardizing Risk Management: The act promotes uniformity in the way financial entities manage ICT risks, ensuring consistent and effective risk management practices across the EU.
  • Enhancing Incident Reporting: DORA establishes clear guidelines for incident reporting, requiring financial institutions to promptly report significant ICT-related incidents to relevant authorities.
  • Ensuring Business Continuity: The legislation mandates comprehensive business continuity plans and disaster recovery strategies, ensuring that financial institutions can maintain critical functions during and after a disruption.
  • Regulating ICT Third-Party Providers: DORA imposes stringent requirements on third-party ICT service providers, ensuring that they adhere to high standards of security and resilience.

Scope and Applicability

DORA applies to a broad range of entities connected to the EU financial sector. By covering all of them and focusing on the critical aspects of ICT resilience, DORA aims to create a robust and secure financial ecosystem that can effectively manage and mitigate digital operational risks.

DORA holds all of the entities below to the same standards, so there are no discrepancies between them:

  • Traditional Financial Institutions
    Banks, insurance companies, investment firms
  • Payment Services Providers
    Entities offering payment services and solutions, including credit rating and data analytics providers, crypto-asset service providers, and crowdfunding platforms
  • Third-Party ICT Service Providers
    Vendors and partners providing ICT services to EU financial institutions, such as cloud services providers and data centers, must also comply – even if they’re not located in the EU

    By adhering to DORA’s requirements, US-based providers can maintain their relationships with EU clients, enhance their security posture, and gain a competitive edge in the global market

The Importance of DORA for Businesses

High-profile incidents, including large-scale data breaches and service outages, have underscored the vulnerability of financial systems. DORA emphasizes the need for financial institutions to fortify their digital infrastructure against cyberattacks, system failures, and technological disruptions. It mandates comprehensive risk management and establishing incident response protocols, and helps foster a culture of operational resilience based on preparedness and continuous improvement. 

Protecting Customer Data Under DORA

Customer data is a critical asset for financial institutions, and its protection is paramount to maintaining trust and regulatory compliance. DORA significantly contributes to safeguarding customer data and helps organizations ensure they can maintain trust and compliance through several key provisions:

  • Strengthening Data Security Measures: DORA mandates that financial institutions implement stringent security controls to protect customer data from breaches and unauthorized access. This includes encryption, access controls, and regular security audits.
  • Ensuring Data Integrity and Availability: DORA requires financial entities to ensure the integrity and availability of customer data, meaning that data must be accurate, reliable, and accessible even during disruptions. This helps maintain trust and continuity of services.
  • Enhancing Transparency and Reporting: Financial institutions must promptly report significant ICT incidents that affect customer data to regulatory authorities. This transparency ensures that customers are informed about data breaches and that institutions are held accountable for their data protection practices.

Essential Requirements of the Digital Operational Resilience Act

ICT-related Incident Reporting

Follow these practices to comply with DORA’s reporting requirements.

Immediate Notification

Establish protocols to ensure ICT-related incidents are reported to relevant authorities and stakeholders promptly, typically within 72 hours. Create a clear chain of communication. Consider using incident management systems and automated alerting tools.

Detailed Documentation

Maintain detailed logs and reports of all incidents. Include the time of occurrence, affected systems, and steps you took to mitigate the impact. This helps in post-incident analysis and improves future responses. Make sure you create predefined escalation procedures and reporting templates, and securely store incident logs.

Follow-Up Reports

Regularly update stakeholders on the status of the incident resolution process. Include steps you are taking, current status, and expected time for resolution. Use progress-tracking software and communication platforms for updates.

Developing Operational Continuity Strategies

Create business continuity plans that outline procedures for maintaining critical business functions during and after a disruption. Test the plans through regular drills and update them based on lessons learned.

Managing ICT Third-Party Risks

Financial institutions bear the burden – or responsibility – of managing third-party risks. Follow these guidelines to ensure your organization does so effectively.

Due Diligence

Evaluate the security practices of potential third-party providers before engaging their services. This includes reviewing their security policies, conducting on-site assessments, and checking compliance with relevant standards.

Contractual Agreements

Draft contracts that specify security requirements, compliance obligations, and incident response protocols. These contracts should also include clauses for audits and assessments. 

Regular Audits

Perform regular security audits and assessments of third-party providers. This includes reviewing their security controls, testing their resilience, and verifying their compliance with contractual obligations.

Steps to Achieve Compliance with the Digital Operational Resilience Act

Conducting a Comprehensive Risk Assessment

Risk assessment is the process of identifying potential threats and vulnerabilities that could impact ICT systems and operations. Organizations need to assess each identified risk based on criteria such as likelihood of occurrence and potential impact on operations. This often involves a risk matrix to categorize risks into high, medium, and low priority.

Use risk assessment frameworks (like FAIR or NIST) and conduct quantitative and qualitative analyses.

Source: Image created by OpenAI’s DALL-E, July 17, 2024

Developing an Effective Resilience Strategy

Risk identification isn’t a one-and-done task. You need to conduct regular risk assessments, vulnerability scans, and threat modeling exercises to pinpoint new and evolving areas of potential risk. For example, use automated tools to scan the network for vulnerabilities or review historical incident data to identify patterns. Take advantage of threat intelligence feeds. 

Be sure to share threat intelligence with other organizations to gain knowledge that you can build into your resilience strategy and enhance overall resilience. Establish formal and informal networks for sharing information about threats, vulnerabilities, and incidents. Join and actively participate in national or international information sharing and analysis centers (ISACs) or other similar organizations. 

Any strategy should also include employee training so everyone who interacts with your systems can recognize and report suspicious activities.

Implementing Robust Data Loss Prevention Measures

Risk Mitigation

Risk mitigation includes deploying security controls, creating incident response plans, and continuously monitoring systems to detect and respond to threats. For instance, organizations should install firewalls, intrusion detection systems, and data loss prevention (DLP) solutions. Implement multi-factor authentication and ensure regular software updates.

Conduct Penetration Testing

Simulate cyberattacks to identify vulnerabilities in the system before actual attackers can exploit them. You can engage ethical hackers or use automated tools to test the robustness of ICT systems. Many organizations use penetration testing tools, red teaming exercises, and third-party security assessments.

Perform Disaster Recovery Drills

Regularly simulate disaster scenarios, such as data breaches or system failures, to test the effectiveness of disaster recovery plans. This includes restoring backups, switching to redundant systems, and verifying data integrity.

Use disaster recovery planning tools, simulation software, and backup and restore systems like GRAX. Make sure that any backup system you use enables you to continually and automatically store sensitive financial and customer data in your own cloud.  

GRAX’s Bring Your Own Cloud (BYOC) data protection model is one way to accomplish this. It gives you control of your data because it never touches a system that you don’t own. With GRAX, all your historical Salesforce data automatically replicates directly into your own AWS, Azure, or GCP cloud. It’s never stored in GRAX’s infrastructure.

Protecting Data Under the Digital Operational Resilience Act

Ensuring data protection under DORA requires a multi-layer approach. 

Strategies for Safeguarding Customer Data

Any approach for securing customer data should include regularly updating software and systems to patch vulnerabilities. Encryption for both data at rest and in motion is also crucial. Additionally, employee training programs on data protection best practices play a vital role in maintaining security.   

Differences Between Data at Rest and Data in Motion

Data at rest refers to information stored on devices or networks, such as databases and hard drives. Beyond encryption, protecting data at rest also typically requires using secure storage solutions. In contrast, data in motion is information actively being transmitted across networks, like emails or data transfers. Protecting data in motion requires secure transmission protocols, such as TLS/SSL, to prevent interception and ensure confidentiality during transfer.

Methods for Preventing Unauthorized Access

Preventing unauthorized access is a critical aspect of data protection under DORA. Many organizations use multi-factor authentication (MFA). This requires users to provide multiple forms of verification before accessing sensitive data. Other must-have methods include regularly auditing and monitoring access logs to help detect and respond to suspicious activities promptly, and using role-based access control (RBAC) to ensure employees only have access to the information necessary for their job functions. Intrusion detection systems (IDS) can help identify and mitigate potential threats in real time.

DORA vs. GDPR: Key Differences and Similarities 

DORA and the General Data Protection Regulation (GDPR) are critical, complementary pieces of EU legislation that enhance the security and privacy of data and digital operations. While both emphasize the importance of risk management and timely incident reporting, there are several areas where they differ.  

The table below compares the focus, objectives, scope, and third-party risk management requirements of DORA and GDPR.

  • Focus
    DORA: Digital operational resilience of financial entities
    GDPR: Data protection and privacy
  • Objectives
    DORA: Ensure financial institutions can withstand, respond to, and recover from ICT-related (information and communications technology) disruptions, including cyberattacks and system failures
    GDPR: Protect personal data of EU citizens, ensure privacy rights, and regulate how organizations process, store, and transfer personal data
  • Scope
    DORA: Applies specifically to EU financial institutions and the third-party ICT service providers who support them, regardless of location
    GDPR: Applies to any organization, regardless of location, that processes the personal data of EU citizens
  • Third-Party Risk Management
    DORA: Requires financial institutions to manage and monitor the risks associated with third-party ICT service providers
    GDPR: Organizations must ensure that third-party processors comply with data protection requirements

Final Tips for Preparing for the Digital Operational Resilience Act (DORA)

DORA will have major consequences for the digital health of financial entities. By preparing for and complying with DORA’s requirements, EU financial institutions and third-party supporters around the world can better protect themselves – and their customers and partners – from ICT-related disruptions. 

Make sure your organization follows best practices for ensuring operational resilience. Focus on creating a comprehensive incident response plan, training staff on DORA compliance, and regularly reviewing and updating resilience measures. 

Implement effective monitoring and reporting mechanisms, and evaluate your existing tools for data loss protection to make sure they help you meet DORA requirements. Leveraging solutions like GRAX can further strengthen your resiliency and business continuity, ensuring your data remains secure and readily accessible. 
