From Consent to Compliance: Exploring DORA’s Pillars and Implications


Businesses around the world face a growing threat from cyber-attacks. A wide range of industries, from banking to energy to transportation, are affected daily by cyber incidents. ICT risks keep growing and continue to endanger the security of the EU financial system.

A new regulation called DORA (Digital Operational Resilience Act) intends to improve the information and communication technology (ICT) security of financial enterprises in the European Union (EU). To comply with it, EU financial organizations must strengthen their ICT risk management, including the management of risks arising from third-party ICT providers.

This article aims to provide an overview of the Digital Operational Resilience Act, its five key requirements, what it means for the financial sector and how to achieve DORA compliance.  

Understanding DORA  

What is DORA, and why may it concern you?  

DORA (Digital Operational Resilience Act) is the new EU regulation that became law on 16 January 2023. It aims to protect the financial stability of the EU and its consumers by ensuring that financial entities have the digital security they need. Its goal is to curb the growth of cyber-attacks within the financial sector and to ensure that financial enterprises can secure their data, protect themselves from potential threats, and respond to ICT-related incidents effectively. DORA establishes a regulatory framework of guidelines for digital operational resilience and for strengthening IT security in financial institutions.

DORA requires companies to conduct in-depth risk assessments and identify potential threats that could compromise their digital systems. It also directs companies to report incidents so that they can be tracked, contained, and prevented from recurring. The law intends to improve the information and communication technology (ICT) security of financial firms in the European Union (EU).

On November 28, 2022, DORA was formally adopted by the Council, and on December 27, 2022, the final text of the Digital Operational Resilience Act was published in the Official Journal of the EU. DORA entered into force on January 16, 2023, and the act will apply from January 17, 2025.

The five key pillars of the DORA regulation are the following:  

1. Risk management

DORA sets out specific guidelines for effective risk management. It aims to minimize cyber threats within the financial industry before they strike by requiring practical risk assessments. Companies must create and apply a strong, reliable ICT risk management framework and follow it so that they are prepared for potential attacks.

2. ICT incident reporting  

Affected companies must adopt the EU reporting rules and report any ICT-related incident or significant threat that has occurred. Reporting helps audit and control incidents, improve the company's incident response plan, and recover faster from incidents in the future.

3. Resilience testing  

Every three years, financial institutions should undergo a threat-led penetration test, and once a year they should complete a planned, risk-based test. To ensure the results are accurate, these tests are run under the oversight of DORA regulators.

4. Information and threat intelligence sharing  

Sharing is caring. An essential component of the DORA Act is helping other financial organizations within the community by sharing relevant threat information and intelligence that could help protect the wider environment from potential cyber threats.

5. ICT third-party risk  

Third-party risk management is a crucial component of any ICT risk management framework for businesses in the financial sector. Annual assessments of ICT third-party providers are necessary to ensure that organizations comply with the law.

Who does DORA impact?  

DORA is a prime concern for all financial institutions within the EU, including banks, credit institutions, insurance companies, payment processors, investment firms, and many more. ICT third-party service providers must comply with the regulation as well. The regulation even applies to financial institutions outside the EU that provide services in the EU.

Organizations should determine whether they must abide by the regulation and take the necessary steps. If you are still deciding whether you are included in the institution list, contact us for more information.  

What does history tell us?  

Who remembers the implementation of GDPR on May 25, 2018? The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that governs the protection of personal data and the privacy rights of individuals within the EU.

At that time, businesses faced various challenges due to the significant changes in data protection requirements. Many organizations worked to comply with the regulation by implementing the necessary measures, such as appointing data protection officers, conducting privacy impact assessments, and revising their data processing practices.

Unfortunately, some companies experienced penalties for non-compliance. After implementing GDPR, companies like Google, British Airways, and Marriott International received hefty fines.  

The largest and most recent one so far is the fine imposed on Meta in May 2023, €1.2 billion ($1.3 billion), by an Irish regulator over U.S. data transfers.

It is important to note that fines are set during enforcement. GDPR allows authorities to impose penalties of up to 4% of a company's annual global turnover or €20 million, whichever is higher.

Consider this 

The relevant financial regulators will supervise financial institutions and the organizations that provide services to them. These entities must meet specific terms to comply with DORA's requirements, such as reporting data breaches within a defined timeframe after detection.

DORA requires enterprises to establish, adapt, and evidence risk-based policies that maintain resilience, tracked through the KPIs of their security metrics program.

If you rely on a single digital service provider, DORA advises using multiple providers to maintain organization-wide security. It is better to use several security vendors than to depend on just one that might go out of business because of a cyberattack.

Connect to AMATAS Virtual Data Protection Officer to achieve full DORA compliance 

New data compliance laws can significantly impact vendor management and third-party relationships. They require proactive and timely information dissemination to key stakeholders. It is essential to involve your organization's legal and compliance teams, executive leadership, IT and security teams, vendors and third parties, employees and staff, data protection authorities, and customers/data subjects. By keeping these stakeholders informed, you can ensure a comprehensive understanding of data compliance requirements, implement the necessary measures to protect personal data, mitigate risks, and foster a culture of data privacy within your organization.

We suggest consulting a Data Protection Officer (DPO) first to ensure compliance with data protection laws, mitigate risks, and foster a privacy-focused environment. A DPO can identify and manage your company's risks and enhance employee training and awareness. By engaging a DPO, you can navigate the complexities of data protection, safeguard sensitive information, and build customer trust.

Let us know how we can assist you with DORA or help protect your organization, whether you need an innovative security monitoring tool or need to find your organization's security vulnerabilities. Don't hesitate to contact us at office@amatas.com.

Learn more about data protection and the role of a Virtual DPO. Follow us on LinkedIn for more expert insights, company updates, and more.
