I've been hearing about DORA with increasing intensity for 2-3 years.
But I was taken by surprise when I learned it became fully applicable last week, on the 17th of January 2025.
This article aims to provide background information and key highlights on what DORA is. In another article, I'll go through each requirement and how ServiceNow can help get in compliance.
What is DORA, and where does it come from?
DORA stands for the "Digital Operational Resilience Act."
It is a European Union regulation, meaning it has the force of law. It is not a best-practice framework like ITIL.
Work on DORA started as a European Commission proposal in September 2020. It was agreed upon by the European Parliament and the Council in 2022 and entered into force on January 16, 2023, leaving a two-year period for organisations to adjust. The regulation became fully applicable on January 17, 2025.
As with many regulations of this kind, it can be vague and does not detail exactly how its principles must be applied. That is why the European Supervisory Authorities (ESAs: the EBA, EIOPA and ESMA) have the responsibility to develop the regulatory and implementing technical standards, guidelines and practical recommendations that organisations need to get in compliance.
There are many more European institutions involved in the design and enforcement of DORA, but explaining them all here would likely take a full article.
Why is DORA a thing? Why was it needed in the first place?
Several forces and challenges drove European institutions to introduce DORA:
Growing Cybersecurity Threats
- Cyberattacks such as ransomware, phishing, and DDoS attacks have increasingly targeted the financial sector. High-profile breaches have exposed critical vulnerabilities, such as:
  - 2016 Tesco Bank cyberattack: attackers fraudulently transferred £2.26 million from 9,000 customer accounts, forcing Tesco Bank to halt online transactions for all customers during the incident.
  - 2019 European Central Bank breach: attackers planted malware on a server hosting an ECB website, stealing the contact details of newsletter subscribers.
Increasing Reliance on Digital Services
- The financial sector has become overwhelmingly dependent on digital services for critical operations like payments, customer service, and trading.
- Fragmented and interdependent technologies make services harder to maintain and raise the risk of a domino effect from a single point of failure:
  - 2012 RBS Group IT failure: a botched update to the CA-7 batch scheduling software disrupted critical processes such as payments and salary deposits at RBS, NatWest, and Ulster Bank. Customers were unable to access their accounts for days.
COVID-19 Pandemic’s Impact
- The pandemic accelerated digital transformation and highlighted new points of failure, such as increased risks of data leakage.
Dependence on Third-Party Providers
- Financial institutions increasingly outsource IT services to third-party vendors, especially cloud providers. This market is dominated by a small number of major players (e.g., AWS, Microsoft Azure, Google Cloud) and a significant disruption to one provider could cascade across the whole industry.
- “It’s not me; it’s my supplier” is not an acceptable excuse for financial institutions under DORA.
Need for Harmonized Standards
- Regulatory frameworks for operational resilience in the financial sector were fragmented across financial sub-sectors and across EU member states. DORA consolidates and harmonises them into a single set of rules.
- Other jurisdictions already have comparable regimes:
  - US: Gramm-Leach-Bliley Act, FFIEC guidelines, SEC regulations, and the NIST Cybersecurity Framework as a reference standard.
  - UK: Operational Resilience framework (2021).
  The European Union needed its own framework, standardised for all member states.
Who does DORA protect?
- Consumers: Protects against service outages and data breaches. If digital payment services fail, many consumers could face difficulties accessing basic needs like food and utilities.
- Financial Entities: Shields financial institutions from disruptions, cyberattacks, and reputational damage.
- The Economy: Reduces systemic risks and safeguards trust in the financial system.
- IT Providers: Clarifies regulatory expectations and reduces risks arising from vague or inconsistent requirements.
Who is DORA applicable to?
DORA aims to ensure the operational resilience of the entire financial ecosystem. This includes:
The Obvious Players
- Banks and Credit Institutions: BNP Paribas, Deutsche Bank, ING, etc.
- Payment Service Providers: PayPal, Wise, Revolut, etc.
- Investment Firms: BlackRock, Vanguard, etc.
- Insurance and Reinsurance: AXA, Allianz, Generali, etc.
- Stock Exchanges and Trading Platforms: Euronext, eToro, etc.
- Payment Systems: SWIFT, Visa, Mastercard, etc.
- Financial Data Providers: Bloomberg, Morningstar, etc.
- Credit Rating Agencies: Moody's, Fitch, etc.
The Less Obvious Players
- Crypto-Asset Providers: Binance, Coinbase, Kraken, etc.
- Crowdfunding Platforms: investment- and lending-based platforms authorised under the EU Crowdfunding Regulation. Reward-based sites such as Kickstarter and Indiegogo are not financial entities and fall outside DORA.
- Third-Party ICT Providers: AWS, Microsoft Azure, Google Cloud, etc. Those designated as critical come under direct oversight by the ESAs; all others are reached indirectly, through the contractual requirements DORA imposes on their financial-sector customers.
My company is not based in Europe. Does DORA affect us?
Even non-European companies may need to comply with DORA if:
- They operate authorised financial entities in the EU.
- They provide ICT services to EU financial entities, in which case DORA's requirements flow down to them through the contracts those entities are obliged to put in place.
Even if DORA applies ONLY to your European operations, it can be hard to disentangle which parts of your global enterprise services and infrastructure support services in Europe from those that serve the rest of the world. It can be less of a headache to apply DORA principles across the board than to work out exactly where they must apply.
Additionally, foreign technology providers with European customers should expect increased scrutiny from their clients because of DORA: contract clauses on security, audit rights, incident notification and exit strategies, and vendor risk assessments during onboarding and at renewal.
What are the key requirements of DORA?
At a high level, DORA requires:
- Establishing a robust framework to identify and manage ICT risks (an enterprise-wide risk assessment and management process with supporting tooling, risk committees, and an inventory of ICT assets and the business functions they support).
- Reporting major ICT incidents affecting financial services to authorities on a tight timeline: an initial notification within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours, and a final report within one month (this calls for automated incident detection, incident classification against the DORA criteria, an escalation workflow, and templates for the reports to authorities).
- Regularly testing ICT systems and business continuity plans (ICT systems and continuity plans tested at least yearly; threat-led penetration testing at least every three years for the entities required to perform it; disaster-recovery exercises; crisis-response training for staff).
- Sharing intelligence on cyber threats (for example through platforms like FS-ISAC).
- Monitoring and managing risks related to ICT third-party providers, with extra attention to critical ones (during onboarding, state contractual obligations regarding cybersecurity, incident notification, audit rights and exit; assess vendor risks; continuously monitor compliance; and maintain a register of information on all ICT contractual arrangements, which authorities can request).
- Establishing clear governance and accountability structures (the management body is ultimately responsible for ICT risk; in practice this means designating a control function such as a CISO and updating internal policies to align with DORA).
- Reporting to authorities and maintaining actionable plans for addressing non-compliance (annual DORA compliance audits, reporting remediation efforts to authorities).
- Training and awareness programmes (cybersecurity training for all employees, including the management body, and phishing attack simulations).
There is a proportionality principle, so the requirements of DORA scale up with the size and complexity of your organisation.
What happens if my company doesn’t comply?
Non-compliance can result in:
- Operational Risks: Systemic disruptions and reputational damage.
- Regulatory Penalties: Fines imposed by National Competent Authorities (NCAs). Sanctions such as operational restrictions or heightened supervision. License revocation in cases of repeated non-compliance.
- Legal Liability: Potential lawsuits from clients.
- Public Disclosure: Regulators may publish violations, harming the company’s reputation.
DORA does not specify fixed penalty amounts for financial entities; it leaves them to member states and gives NCAs discretion. The one figure written into the regulation concerns critical ICT third-party providers: the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for up to six months. Figures such as "2% of total worldwide turnover" circulate in commentary but are not in the text of the regulation.
Which authority will I deal with?
DORA designates National Competent Authorities (NCAs) to enforce compliance in each country. In France, for example:
- ACPR (Autorité de Contrôle Prudentiel et de Résolution) supervises banks, insurers, and payment institutions.
- AMF (Autorité des Marchés Financiers) oversees investment firms and securities markets.
Am I late?
DORA officially entered into force on January 16, 2023, with a two-year transition period to prepare. It became fully applicable on January 17, 2025, and institutions must now comply. From this point, organisations may be subject to penalties for non-compliance.
Does DORA relate to GDPR?
While DORA and GDPR address different domains (operational resilience / data privacy), they share similarities:
- Both impose tight incident-reporting deadlines: 72 hours for a personal data breach under GDPR, and an initial notification within 24 hours (with an intermediate report at 72 hours) for a major ICT incident under DORA. A single incident can trigger both.
- Both mandate risk management and mitigation practices.
- Both extend requirements to third-party vendors.
- Both enforce organisational measures to ensure IT systems’ security.
Where can I get more info?
Next Steps
In my next article, I'll outline how ServiceNow can be a pillar of your DORA compliance, based on my research and customer feedback.