
The EU’s DORA resilience regulation has financial industry CISOs waiting for answers

In just over seven months, the Digital Operational Resilience Act (DORA) will start to apply across the EU, and not every organization is prepared.

The regulation, which will apply from January 17, 2025, covers the financial sector, but its scope goes beyond traditional players such as banks, investment firms and insurance companies. It also covers crypto-asset service providers, data reporting service providers and, through its oversight framework, ICT third-party providers such as cloud services, entities that may not be accustomed to dealing with a regulation as comprehensive as DORA.

“It is a very comprehensive regulation, also complemented by a number of regulatory technical and enforcement standards,” says Pernilla Rönn, cybersecurity manager at Stockholm-based technology consultancy HiQ.

The EU’s NIS2 cybersecurity directive must be transposed into national law by October this year. It covers more sectors than the previous Network and Information Security Directive (NIS) and imposes more stringent risk management and reporting requirements. For the financial sector, however, DORA is the sector-specific (lex specialis) regulation: its stricter rules take precedence over NIS2 for the entities it covers.

Short reporting deadlines, high penalties

Organizations that do not comply with DORA may face GDPR-class sanctions. The administrative penalties for financial entities are set by each member state and may amount to, for example, 2% of the organization’s total annual global turnover or three times the profit earned as a result of the violation.

The incident reporting requirements are also more stringent than under GDPR. Under GDPR, a personal data breach must be reported within 72 hours; under DORA, an entity must submit an initial notification of an ICT-related incident classified as major within four hours of that classification and no later than 24 hours after becoming aware of the incident, followed by intermediate and final reports.

“This is something that mainly worries smaller players who are struggling to solve this problem. Do they need to be staffed 24/7? Larger players, accustomed to strict regulations, do better,” says Rönn.

And although the preparation period for DORA is coming to an end, the EU has not yet finalized all of the technical standards. They are being released in batches; the last batch was due in July.


Questions remain

Much about the impact, scope and details of DORA remains unclear. This week the Polish Financial Supervision Authority, which will act as the supervisory authority, held a forum to take questions about what will apply in the future, but there are questions the authority still cannot answer.

“There are so many things that are not ready, that the Polish Financial Supervision Authority is not able to answer,” says Rönn, including “issues such as how incident reporting should be recorded, whether there will be templates. Everyone has to do the same thing and you have to wait to see what the methods will look like.”

Greater security comes first

So what should CISOs whose organizations will be subject to DORA do as they wait for answers?

“Anyone can think about what their golden egg is, what their most important assets are and start from there. Determine which contracts support this and which suppliers you depend on,” says Rönn.

The regulation introduces some new concepts, such as the “critical or important function”, which is causing confusion in some organizations about what counts as a function and how to determine whether it is critical or important. Rather than getting stuck on complicated wording and trying to interpret it, organizations should focus on concrete actions that increase the security of their systems, Rönn emphasizes.

“You can’t ignore any requirements, you have to adapt the business. And remember that the regulation aims to strengthen the resilience of each individual entity,” Rönn says.


Be able to justify decisions

As with GDPR, DORA compliance is about being able to justify why you chose certain measures and to show how you reasoned.

Although there are uncertainties around the new and demanding regulation, Rönn believes it is a step forward for cybersecurity.

“But the stage is different,” Rönn says. “Banks have been regulated, but not other financial entities in the same way. Now they are trying to find common regulation and strengthen the entire sector. And although it is complex and difficult to interpret, the spirit (of the regulation) is good.”

Rönn says a particularly positive aspect of DORA is that it also covers third-party providers, because attacks often come in through suppliers.


“It is also positive that the new regulation has many requirements for testing and test-based learning that are not covered in other regulations,” Rönn says.