Dale Waterman
Solution Designer, Diligent

Promoting secure information sharing and managing ICT risks: Key requirements for the DORA compliance deadline

January 17, 2025

The EU’s Digital Operational Resilience Act (DORA) seeks to achieve a high common level of digital operational resilience for financial entities and their ICT third-party providers. It is effective as of January 17th 2025. The financial sector's growing reliance on tech companies and their technology makes it increasingly vulnerable to cyber-attacks and incidents that could have a systemic impact. When not managed properly, information and communication technology (ICT) risks can cause significant disruptions to financial services, impacting consumers, investors, the wider financial services ecosystem, and even the broader economy.

To help address these challenges, the EU introduced DORA. DORA aims to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms, as well as their ICT third-party service providers. 


What is the Digital Operational Resilience Act (DORA)?

DORA is a comprehensive regulatory framework proposed by the European Commission. It seeks to establish a standardised approach to operational resilience across the EU. The Act creates requirements that will harmonise how financial entities report cybersecurity incidents, test and demonstrate their digital operational resilience, and manage the risk arising from their increasing use of ICT third parties.

What are the 5 pillars of DORA regulation?

DORA introduces strict requirements for organisations to manage and mitigate risks related to their digital operations. These requirements are organised into several key components:

1. ICT risk management

Applicable financial entities must create and use a strong and effective ICT risk management framework, to be reviewed at least annually or following a major ICT-related incident. The ICT risk management framework must comprise “strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets.” This means that financial entities are required to establish an internal governance and control framework for ICT risk management and to implement ongoing monitoring of their ICT risks.

The management body has the ultimate responsibility for managing the financial entity’s ICT risk. It is tasked with defining, approving, overseeing and implementing all arrangements related to the ICT risk management framework. This requires members of the management body to develop the knowledge and skills needed to understand and assess ICT risk and its impact on the operations of the financial entity.

2. Managing ICT third-party risks

DORA introduces the requirement for financial entities to manage ICT third-party risk as an integral part of ICT risk within their ICT risk management framework, particularly for those supporting critical or important functions. They must also maintain a register of information with all contractual arrangements about the use of ICT services provided by ICT third-party service providers.

The management body must regularly review the risks identified in respect of contractual arrangements on the use of ICT services supporting critical or important functions.

3. Reporting of ICT-related incidents

Financial entities are obligated to detect, classify and promptly report any major ICT-related incidents. The European Supervisory Authorities (ESAs), which include the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), have established Regulatory Technical Standards (RTS) to specify the criteria for classifying ICT-related incidents.

The RTS help financial entities to manage and report ICT-related incidents effectively by setting out the criteria for classifying significant cyber threats and outlining the details of those incidents that need to be reported.

4. Testing of digital operational resilience

DORA mandates regular testing of digital operational resilience. The ESAs have also established draft RTS which provide detailed guidelines on threat-led penetration testing (TLPT) to enhance digital operational resilience.

The RTS align with the TIBER-EU framework, which is a European framework for threat intelligence-based ethical red teaming. This supports a consistent approach to TLPT across the EU’s financial sector. The RTS include identification criteria, testing process requirements, scope, methodology and remediation guidelines.

The draft RTS includes a proportionality principle in the criteria to identify financial entities who are required to perform TLPT. Only those that carry a certain degree of systemic importance and are mature enough from an ICT perspective are required to perform a TLPT.

5. Information sharing

DORA encourages information sharing among financial entities to foster a collaborative approach to managing digital operational risks. Organisations can collectively improve their resilience and response capabilities by sharing insights and best practices. The regulation encourages financial entities to share cyber threat information and intelligence. This is a key part of improving resilience, minimising the impact of cyber disruption, and informing incident response.


7 DORA GRC Considerations for the ICT supply chain

Navigating the requirements and expectations of DORA effectively requires a strategic mindset. The Act imposes significant GRC obligations on financial entities and designated critical third-party ICT providers. These obligations are likely to have a cascading impact on the entire ICT supply chain. With DORA applicable from January 2025, it is now prudent for any technology business supplying the financial sector to review its GRC program and identify areas where action is needed, if it has not done so already:

1. Complexity

DORA covers many areas, including risk management, third-party risk, incident reporting, testing, and sharing information. Each component requires careful consideration and implementation to ensure compliance. Most of the larger financial entities in the EU would have started early and allocated sufficient time and resources to thoroughly understand the intricacies of DORA and develop a comprehensive compliance strategy. However, those who have not done so yet, including ICT third-party providers, should complete this exercise.

2. Adapting governance structures

Adapting governance structures involves reviewing and potentially revising existing policies, procedures, and decision-making frameworks to meet DORA's requirements. This may include establishing clear lines of responsibility and accountability for operational resilience, defining roles and responsibilities, and implementing robust reporting systems to ensure ongoing compliance. Integrating DORA compliance into existing governance frameworks, such as risk management and business continuity, is crucial for a holistic approach to operational resilience.

3. Identifying connections with current and upcoming regulations

DORA intersects with other existing and upcoming regulations (Cyber Resilience Act, NIST, NIS2, GDPR, MiFID II, PSD3, PSR, Digital Services Act, Digital Markets Act), creating a complex regulatory landscape. Understanding these interconnections is essential to avoid redundancy and ensure a cohesive compliance strategy.


4. Promoting information sharing on cyber threats

One of the primary challenges in information sharing is striking the right balance between sharing enough information to be useful to others while protecting sensitive data. Financial entities must ensure that any shared information is appropriately anonymised and aggregated to prevent the identification of specific individuals or organisations. This will protect privacy and confidentiality.

5. Reviewing relationships with ICT service providers

DORA mandates that financial entities manage risks associated with their ICT service providers. This includes conducting due diligence, updating contractual agreements, and establishing ongoing monitoring mechanisms, which can be resource-intensive when done manually. Providers must ensure they have robust and compliant contractual agreements in place with any subcontractors, especially those based in third countries, to manage the risks effectively. Contracts with ICT service providers must include specific provisions related to risk management, incident reporting, and resilience testing.

6. Testing and cultivating resilience

Ongoing compliance with DORA requires regular testing to maintain resilience capabilities. Additionally, developing a culture of operational resilience is essential to ensure it is ingrained in the organisation's values, mindset, and daily operations.

7. Establish customer communication channels

Create a positive and proactive communications approach to DORA with in-scope clients. Ensure that both emergency and business-as-usual channels are in place and that individuals in key roles of responsibility know who to contact in the event of incidents.

The role of technology in DORA compliance

DORA comes into force from 17 January 2025. Its impact will extend far beyond the immediate in-scope organisations in the financial sector and critical ICT third-party providers. Any ICT provider with customers in the financial sector should act now to ensure their GRC environment can support the greater scrutiny that is on the horizon.

By proactively adapting to DORA's regulations, organisations can foster transparency, sustainability, and responsible innovation. Long-term, compliance not only mitigates risks but also presents opportunities for growth and competitive advantage.

The right technology can help streamline processes and provide a head-start on DORA compliance initiatives. Learn how the Diligent One Platform can help you manage regulatory compliance by scheduling a demo today.


© 2025 Diligent Corporation. All rights reserved.