MHA Consulting Blog | Roadmap to Resiliency

Exploring DORA: The EU’s Excellent New Digital Resilience Standard

Written by Michael Herrera | Oct 17, 2024 3:17:46 PM

The European Union’s tough new regulation covering the financial industry—the Digital Operational Resilience Act (DORA)—takes effect in January 2025. Although DORA’s focus is on strengthening the IT security of finance-related firms doing business in the EU, the act offers a framework that can help businesses everywhere, in every industry, enhance their resilience and bolster their digital security.

[Related on MHA Consulting: FFIEC: An Introduction to BCM’s Gold Standard]


Introducing DORA

You have to hand it to the EU when it comes to privacy and continuity regulations. They don’t mess around.

In 2018, the union’s General Data Privacy Regulation (GDPR) came into effect, advancing strict requirements for businesses about protecting their customers’ privacy that have been diligently enforced in the years since.

Now comes DORA, the Digital Operational Resilience Act, which was passed in 2023 and comes into force on Jan. 17.

DORA is an excellent regulation that will bring significant gains in resilience for the firms required to follow it as well as for the society that depends on them. It also offers potential guidance and inspiration to companies anywhere, in any industry, on how to improve their cybersecurity and strengthen their operational resilience.

Let’s take a look at DORA’s purpose, contents, and likely benefits, then we’ll consider how it can help businesses elevate their security and operational practices, regardless of where they are located or what industry they are in.


Bolstering the Resilience of European Financial Institutions

DORA’s aim, according to the EU, is to strengthen “the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.”

DORA was implemented in response to the growing reliance of the financial industry on technology and tech providers, which has made the sector increasingly vulnerable to cyberattacks. As the EU notes, if information and communications technology (ICT) risks are not properly managed, disruptions in cross-border financial services can occur, potentially affecting other industries and the broader economy. This underscores the need for robust digital operational resilience in the financial sector.

In Europe as in the U.S., financial organizations are well ahead of most other kinds of companies when it comes to resilience planning. However, it is still common for financial firms to have gaps in their preparedness. DORA will go a long way toward compelling such firms to close those gaps, at least for those with a European presence.


DORA’s Five Core Components

The five core components of DORA represent a comprehensive approach to securing the financial industry’s digital resilience. Each is essential to protecting against modern cyber threats and ensuring business continuity in an increasingly interconnected and risk-prone environment. The components are:

Risk Management

DORA emphasizes creating a robust framework to manage all types of ICT risks—both current and emerging. This approach moves away from the old mindset of sporadically assessing risk and instead treats risk management as an ongoing, dynamic process. It's about addressing risks that are "living and breathing" at all times.

Incident Reporting

By establishing a standardized framework for monitoring and reporting incidents, DORA will promote a more consistent and effective response across the financial sector. This standardization, which is similar to the improvements in information sharing among security services implemented after 9/11, will ensure that all financial institutions are aligned in how they report and address incidents.

Testing

While testing, especially penetration testing, can be uncomfortable due to the vulnerabilities it may expose, it’s critical for identifying weaknesses. DORA mandates regular testing and will monitor compliance closely. Organizations that fail to comply with these requirements will face serious sanctions.

Third-Party Resilience

Managing the risks posed by third-party vendors is one of the toughest areas for organizations. With multiple providers offering varying levels of compliance and capability, companies must evaluate which vendors pose the greatest risks. DORA will also affect vendors selling to DORA-regulated firms, and the focus may expand to fourth-party risk in the future. This kind of vetting is difficult but essential, as a vendor’s failure can significantly impact the company.

Business Continuity

Even with robust testing, incident reporting, and third-party risk management, unexpected events can still occur. That’s why having strong business continuity (BC) policies and plans is vital. In the face of unforeseen disruptions, companies need to be able to respond, recover, and resume operations effectively.

Together, these components form a robust framework that will not only strengthen financial institutions but also set a new standard for operational resilience across industries. Adapting to these requirements will be crucial for long-term success and security in the digital age.


How DORA Can Benefit Your Organization

While DORA is primarily designed for financial institutions in the EU, its principles offer valuable lessons for businesses worldwide, regardless of industry or location. By adopting a framework that emphasizes continuous risk management, rigorous testing, and third-party resilience, companies can elevate their cybersecurity posture. Holding themselves to such high standards may be challenging, but it sets organizations up for long-term success by ensuring they are better prepared to handle ever-evolving digital threats.

Adhering to strict regulations like DORA can feel burdensome, but the benefits outweigh the discomfort. Companies that commit to high standards not only protect themselves from costly cyber incidents but also build trust with customers, partners, and stakeholders. The resilience and operational continuity they achieve become significant competitive advantages.


Preparing for a More Resilient Future

DORA represents a significant step forward in cybersecurity and operational resilience, not only for financial firms in the EU but for organizations everywhere. Its focus on continuous risk management, standardized incident reporting, and third-party oversight provides a roadmap for companies seeking to enhance their digital security and long-term stability.

As businesses increasingly rely on technology, adopting high standards like DORA can be challenging, but the rewards are clear. Companies that prioritize resilience will protect themselves from emerging threats, strengthen their operational integrity, and position themselves as leaders in their industries.
