Ensure your organization’s readiness for the Digital Operational Resilience Act (DORA). Learn about compliance, data protection strategies, and best practices, as well as what the EU’s new DORA regulation means for IT security.
The European Union is widely recognized as a global leader for data protection and privacy. Many countries, including the US, look to EU models such as General Data Protection Regulation (GDPR), when crafting their own laws for handling sensitive information, keeping data secure, and preventing data loss. Now, there is another significant regulation that businesses around the world need to understand.
In January 2025, the EU will begin enforcing a new regulation called the Digital Operational Resilience Act (DORA). Its aim is to ensure EU financial systems remain stable and secure in the face of digital threats.
What is the Digital Operational Resilience Act (DORA)?
In 2023, the EU introduced the Digital Operational Resilience Act. DORA’s purpose is to mitigate threats by establishing standardized practices for managing digital operational resilience. It mandates that financial entities establish robust frameworks to withstand, respond to, and recover from disruptions related to information and communication technology (ICT). DORA encompasses a wide array of requirements, including risk management, incident reporting, resilience testing, and intelligence sharing.
Key Objectives of the Digital Operational Resilience Act
The primary objectives of the Digital Operational Resilience Act are:
- Strengthening Digital Resilience: DORA aims to bolster the ICT systems and networks of financial institutions, making them more resilient to operational disruptions and cyberattacks.
- Standardizing Risk Management: The act promotes uniformity in the way financial entities manage ICT risks, ensuring consistent and effective risk management practices across the EU.
- Enhancing Incident Reporting: DORA establishes clear guidelines for incident reporting, requiring financial institutions to promptly report significant ICT-related incidents to relevant authorities.
- Ensuring Business Continuity: The legislation mandates comprehensive business continuity plans and disaster recovery strategies, ensuring that financial institutions can maintain critical functions during and after a disruption.
- Regulating ICT Third-Party Providers: DORA imposes stringent requirements on third-party ICT service providers, ensuring that they adhere to high standards of security and resilience.
Scope and Applicability
DORA applies to a broad range of entities connected to the EU financial sector. By covering these entities and focusing on critical aspects of ICT resilience, DORA aims to create a robust and secure financial ecosystem that can effectively manage and mitigate digital operational risks.
DORA holds all of the below to the same standards so there are no discrepancies:
- Traditional Financial Institutions: banks, insurance companies, and investment firms.
- Payment Services Providers: entities offering payment services and solutions, including credit rating and data analytics providers, crypto-asset service providers, and crowdfunding platforms.
- Third-Party ICT Service Providers: vendors and partners providing ICT services to EU financial institutions, such as cloud service providers and data centers. These must also comply, even if they are not located in the EU.
By adhering to DORA’s requirements, US-based providers can maintain their relationships with EU clients, enhance their security posture, and gain a competitive edge in the global market.
The Importance of DORA for Businesses
High-profile incidents, including large-scale data breaches and service outages, have underscored the vulnerability of financial systems. DORA emphasizes the need for financial institutions to fortify their digital infrastructure against cyberattacks, system failures, and technological disruptions. It mandates comprehensive risk management and the establishment of incident response protocols, and it helps foster a culture of operational resilience based on preparedness and continuous improvement.
Protecting Customer Data Under DORA
Customer data is a critical asset for financial institutions, and its protection is paramount to maintaining trust and regulatory compliance. DORA significantly contributes to safeguarding customer data and helps organizations ensure they can maintain trust and compliance through several key provisions:
- Strengthening Data Security Measures: DORA mandates that financial institutions implement stringent security controls to protect customer data from breaches and unauthorized access. This includes encryption, access controls, and regular security audits.
- Ensuring Data Integrity and Availability: DORA requires financial entities to ensure the integrity and availability of customer data, meaning that data must be accurate, reliable, and accessible even during disruptions. This helps maintain trust and continuity of services.
- Enhancing Transparency and Reporting: Financial institutions must promptly report significant ICT incidents that affect customer data to regulatory authorities. This transparency ensures that customers are informed about data breaches and that institutions are held accountable for their data protection practices.
Essential Requirements of the Digital Operational Resilience Act
ICT-related Incident Reporting
Follow these practices to comply with DORA’s reporting requirements.
Immediate Notification
Establish protocols to ensure ICT-related incidents are reported to relevant authorities and stakeholders promptly, typically within 72 hours. Create a clear chain of communication. Consider using incident management systems and automated alerting tools.
Detailed Documentation
Maintain detailed logs and reports of all incidents. Include the time of occurrence, affected systems, and steps you took to mitigate the impact. This helps in post-incident analysis and improves future responses. Make sure you create predefined escalation procedures and reporting templates, and securely store incident logs.
Follow-Up Reports
Regularly update stakeholders on the status of the incident resolution process. Include steps you are taking, current status, and expected time for resolution. Use progress-tracking software and communication platforms for updates.
Developing Operational Continuity Strategies
Create business continuity plans that outline procedures for maintaining critical business functions during and after a disruption. Test the plans through regular drills and update them based on lessons learned.
Managing ICT Third-Party Risks
Financial institutions bear the burden – or responsibility – of managing third-party risks. Follow these guidelines to ensure your organization does so effectively.
Due Diligence
Evaluate the security practices of potential third-party providers before engaging their services. This includes reviewing their security policies, conducting on-site assessments, and checking compliance with relevant standards.
Contractual Agreements
Draft contracts that specify security requirements, compliance obligations, and incident response protocols. These contracts should also include clauses for audits and assessments.
Regular Audits
Perform regular security audits and assessments of third-party providers. This includes reviewing their security controls, testing their resilience, and verifying their compliance with contractual obligations.
Steps to Achieve Compliance with the Digital Operational Resilience Act
Conducting a Comprehensive Risk Assessment
Risk assessment is the process of identifying potential threats and vulnerabilities that could impact ICT systems and operations. Organizations need to assess each identified risk based on criteria such as likelihood of occurrence and potential impact on operations. This often involves a risk matrix to categorize risks into high, medium, and low priority.
Use risk assessment frameworks (like FAIR or NIST) and conduct quantitative and qualitative analyses.
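As an added example (not from the article or from GRAX), the following Python sketch scores a constructed risk register two ways: qualitatively with a 5x5 likelihood/impact matrix bucketed into high, medium, and low, and quantitatively with a FAIR-style estimate of loss event frequency times loss magnitude. The bucket thresholds, the risks, and the figures are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One entry in a constructed risk register (sample data only)."""
    name: str
    likelihood: int          # qualitative, 1 (rare) to 5 (almost certain)
    impact: int              # qualitative, 1 (negligible) to 5 (severe)
    events_per_year: float   # FAIR loss event frequency (LEF), estimated
    loss_per_event: float    # FAIR loss magnitude (LM), estimated in EUR

def score(r: Risk) -> int:
    """Risk-matrix score: likelihood x impact, on a 1-25 scale."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError("likelihood and impact must be on a 1-5 scale")
    return r.likelihood * r.impact

def priority(r: Risk) -> str:
    """Bucket the matrix score into high/medium/low (thresholds assumed)."""
    s = score(r)
    if s >= 15:
        return "high"
    if s >= 8:
        return "medium"
    return "low"

def annualised_loss_exposure(r: Risk) -> float:
    """FAIR-style quantitative estimate: expected loss per year = LEF x LM."""
    return r.events_per_year * r.loss_per_event

def rank_register(register):
    """Highest matrix score first; ties broken by the larger loss exposure."""
    return sorted(register,
                  key=lambda r: (score(r), annualised_loss_exposure(r)),
                  reverse=True)

# Constructed sample register; the threats and figures are illustrative.
SAMPLE_REGISTER = [
    Risk("Ransomware on core banking host", 3, 5, 0.2, 2_500_000),
    Risk("Cloud provider regional outage", 2, 4, 0.5, 400_000),
    Risk("Phishing-led credential theft", 5, 3, 4.0, 30_000),
    Risk("Loss of an encrypted laptop", 4, 1, 6.0, 1_500),
]

if __name__ == "__main__":
    for r in rank_register(SAMPLE_REGISTER):
        print(f"{r.name:32} score={score(r):2} {priority(r):6} "
              f"ALE={annualised_loss_exposure(r):>12,.0f} EUR")
```

Running the script prints the register ranked for treatment, showing how the qualitative matrix and the quantitative estimate can disagree on ordering (phishing scores as high as ransomware on the matrix but carries a much smaller annualised exposure).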
Developing an Effective Resilience Strategy
Risk identification isn’t a one-and-done task. You need to conduct regular risk assessments, vulnerability scans, and threat modeling exercises to pinpoint new and evolving areas of potential risk. For example, use automated tools to scan the network for vulnerabilities or review historical incident data to identify patterns. Take advantage of threat intelligence feeds.
Be sure to share threat intelligence with other organizations to gain knowledge that you can build into your resilience strategy and enhance overall resilience. Establish formal and informal networks for sharing information about threats, vulnerabilities, and incidents. Join and actively participate in national or international information sharing and analysis centers (ISACs) or other similar organizations.
Any strategy should also include employee training so everyone who interacts with your systems can recognize and report suspicious activities.
Implementing Robust Data Loss Prevention Measures
Risk Mitigation
This includes deploying security controls, creating incident response plans, and continuously monitoring systems to detect and respond to threats. For instance, organizations should install firewalls, intrusion detection systems, and data loss protection and data loss prevention (DLP) solutions. Implement multi-factor authentication and ensure regular software updates.
Conduct Penetration Testing
Simulate cyberattacks to identify vulnerabilities in the system before actual attackers can exploit them. You can engage ethical hackers or use automated tools to test the robustness of ICT systems. Many organizations use penetration testing tools, red teaming exercises, and third-party security assessments.
Perform Disaster Recovery Drills
Regularly simulate disaster scenarios, such as data breaches or system failures, to test the effectiveness of disaster recovery plans. This includes restoring backups, switching to redundant systems, and verifying data integrity.
Use disaster recovery planning tools, simulation software, and backup and restore systems like GRAX. Make sure that any backup system you use enables you to continually and automatically store sensitive financial and customer data in your own cloud.
GRAX’s Bring Your Own Cloud (BYOC) data protection model is one way to accomplish this. It gives you control of your data because it never touches a system that you don’t own. With GRAX, all your historical Salesforce data automatically replicates directly into your own AWS, Azure, or GCP cloud. It’s never stored in GRAX’s infrastructure.
Protecting Data Under the Digital Operational Resilience Act
Ensuring data protection under DORA requires a multi-layer approach.
Strategies for Safeguarding Customer Data
Any approach for securing customer data should include regularly updating software and systems to patch vulnerabilities. Encryption for both data at rest and in motion is also crucial. Additionally, employee training programs on data protection best practices play a vital role in maintaining security.
Differences Between Data at Rest and Data in Motion
Data at rest refers to information stored on devices or networks, such as databases and hard drives. Beyond encryption, protecting data at rest also typically requires using secure storage solutions. In contrast, data in motion is information actively being transmitted across networks, like emails or data transfers. Protecting data in motion requires secure transmission protocols, such as TLS/SSL, to prevent interception and ensure confidentiality during transfer.
Methods for Preventing Unauthorized Access
Preventing unauthorized access is a critical aspect of data protection under DORA. Many organizations use multi-factor authentication (MFA). This requires users to provide multiple forms of verification before accessing sensitive data. Other must-have methods include regularly auditing and monitoring access logs to help detect and respond to suspicious activities promptly, and using role-based access control (RBAC) to ensure employees only have access to the information necessary for their job functions. Intrusion detection systems (IDS) can help identify and mitigate potential threats in real time.
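As an added example, not from the article, this Python snippet audits a constructed access log against an assumed RBAC policy, the way the monitoring described above might be automated: it flags reads outside a user’s role, logins completed without MFA, and repeated failed logins. The log format, usernames, roles, resources, and the failed-login threshold are all assumptions.

```python
from collections import Counter

# Assumed RBAC policy: role -> resources the role may legitimately read.
RBAC_POLICY = {
    "teller": {"customer_profile", "account_balance"},
    "analyst": {"account_balance", "transaction_history"},
    "dba": {"customer_profile", "account_balance", "transaction_history", "db_admin_console"},
}
USER_ROLES = {"alice": "teller", "bob": "analyst", "carol": "dba"}

# Constructed sample access log; format (assumed): ts user action resource result mfa
SAMPLE_LOG = """\
2025-01-17T09:00:01Z alice LOGIN - OK mfa=yes
2025-01-17T09:00:15Z alice READ customer_profile OK mfa=yes
2025-01-17T09:02:40Z alice READ transaction_history OK mfa=yes
2025-01-17T09:05:00Z bob LOGIN - OK mfa=no
2025-01-17T09:05:10Z bob READ transaction_history OK mfa=no
2025-01-17T09:10:00Z carol LOGIN - FAIL mfa=no
2025-01-17T09:10:05Z carol LOGIN - FAIL mfa=no
2025-01-17T09:10:09Z carol LOGIN - FAIL mfa=no
2025-01-17T09:10:30Z carol LOGIN - OK mfa=yes
"""

def parse(line):
    """Split one log line into its fields; the mfa flag becomes a bool."""
    ts, user, action, resource, result, mfa = line.split()
    return {"ts": ts, "user": user, "action": action, "resource": resource,
            "result": result, "mfa": mfa == "mfa=yes"}

def audit(log_text, failed_login_threshold=3):
    """Return (timestamp, user, reason) findings for the three checks."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        e = parse(line)
        if e["action"] == "LOGIN":
            if e["result"] == "FAIL":
                failures[e["user"]] += 1
                if failures[e["user"]] == failed_login_threshold:
                    findings.append((e["ts"], e["user"], "repeated failed logins"))
            elif not e["mfa"]:
                findings.append((e["ts"], e["user"], "login without MFA"))
            continue
        # Any read of a resource the user's role does not grant is a finding.
        role = USER_ROLES.get(e["user"])
        allowed = RBAC_POLICY.get(role, set())
        if e["resource"] not in allowed:
            findings.append((e["ts"], e["user"], f"read of {e['resource']} outside role {role}"))
    return findings
```

Calling `audit(SAMPLE_LOG)` on the constructed log yields three findings: a teller reading transaction history, an analyst logging in without MFA, and a third consecutive failed login for the DBA account.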
DORA vs. GDPR: Key Differences and Similarities
DORA and the General Data Protection Regulation (GDPR) are critical, complementary pieces of EU legislation that enhance the security and privacy of data and digital operations. While both emphasize the importance of risk management and timely incident reporting, there are several areas where they differ.
The table below compares the focus, objectives, scope, and third-party risk management requirements of DORA and GDPR.
| | DORA | GDPR |
| --- | --- | --- |
| Focus | Digital operational resilience of financial entities | Data protection and privacy |
| Objectives | Ensure financial institutions can withstand, respond to, and recover from ICT-related (information and communications technology) disruptions, including cyberattacks and system failures | Protect personal data of EU citizens, ensure privacy rights, and regulate how organizations process, store, and transfer personal data |
| Scope | Applies specifically to EU financial institutions and third-party ICT service providers who support them, regardless of location | Applies to any organization, regardless of location, that processes the personal data of EU citizens |
| Third-Party Risk Management | Requires financial institutions to manage and monitor the risks associated with third-party ICT service providers | Organizations must ensure that third-party processors comply with data protection requirements |
Final Tips for Preparing for the Digital Operational Resilience Act (DORA)
DORA will have major consequences for the digital health of financial entities. By preparing for and complying with DORA’s requirements, EU financial institutions and the third-party providers around the world that support them can better protect themselves – and their customers and partners – from ICT-related disruptions.
Make sure your organization follows best practices for ensuring operational resilience. Focus on creating a comprehensive incident response plan, training staff on DORA compliance, and regularly reviewing and updating resilience measures.
Implement effective monitoring and reporting mechanisms, and evaluate your existing tools for data loss protection to make sure they help you meet DORA requirements. Leveraging solutions like GRAX can further strengthen your resiliency and business continuity, ensuring your data remains secure and readily accessible.