DORA Act – How to Prepare Your Company for the New Regulations?


The DORA Act (Regulation (EU) 2022/2554) is a European Union regulation aimed at strengthening the operational resilience of financial entities against ICT disruptions and cyberattacks. It introduces binding requirements for ICT risk management that will significantly change how affected companies operate, particularly in cybersecurity and regulatory compliance. How can a company prepare to meet the new EU requirements?

What is the DORA Act, and why is it important for businesses?

DORA, the Digital Operational Resilience Act, is a regulation on digital operational resilience that establishes a single framework for ICT risk management, ICT incident handling and reporting, resilience testing, and the oversight of third-party ICT service providers. Its aim is to safeguard the stability and integrity of the EU financial system across the entire value chain, including the providers that financial entities depend on.

DORA requires financial entities to strengthen digital security, improve ICT risk management and their relationships with ICT vendors, ensure continuity of operations, and keep pace with threats arising from a rapidly evolving digital landscape.

Who does DORA apply to?

The DORA Act applies to a wide range of financial entities, including credit institutions, investment firms, insurers and reinsurers, payment and e-money institutions, and financial market infrastructure operators such as trading venues and central counterparties.

Notably, DORA extends its scope to financial sector participants that were previously not subject to such extensive ICT security rules, such as crypto-asset service providers and managers of alternative investment funds. It also reaches ICT third-party service providers, including cloud service providers: those designated as critical to the financial sector fall under direct EU-level oversight, and all of them are affected indirectly through the contractual and monitoring obligations placed on their financial-sector customers.

Key DORA Dates

  • January 16, 2023 – DORA entered into force, after adoption in December 2022 and publication in the Official Journal of the EU.
  • July 17, 2024 – Deadline for the European Supervisory Authorities to submit the second batch of draft regulatory and implementing technical standards (RTS/ITS) that detail DORA's requirements.
  • January 17, 2025 – DORA applies; all affected entities must be fully compliant from this date.

Key Requirements of the DORA Act – What You Need to Know?

DORA introduces the following requirements:

  • ICT Risk Management – Financial entities must set up and maintain resilient ICT systems; identify, classify, and document critical or important functions and the assets that support them; continuously monitor ICT risk; and implement protective measures. They must be able to promptly detect anomalous activity, maintain business continuity policies, and establish ICT response and recovery plans, which must be tested at least once a year. Mechanisms for learning from both internal and external ICT-related incidents must also be in place.
  • ICT Incident Reporting – Financial entities must establish processes for recording and classifying ICT-related incidents and for identifying major incidents according to the criteria set out in the technical standards of the European Supervisory Authorities (EBA, EIOPA, ESMA). Major incidents must be reported to the competent authority in three stages: an initial notification, an intermediate report, and a final report, using the standard templates developed by the European Supervisory Authorities.
  • Digital Operational Resilience Testing – All financial entities must test the ICT systems and tools that support critical or important functions at least once a year, identify and promptly remediate weaknesses, and track corrective measures to completion. Entities identified by their competent authority must additionally perform advanced threat-led penetration testing (TLPT) of live production systems supporting critical or important functions at least every three years, and the ICT third-party providers involved must participate fully in that testing.
  • ICT Third-Party Risk Management – Financial entities must manage the risk of relying on ICT third-party service providers and maintain a register of information on all contractual arrangements for ICT services (including intra-group services), flagging those that support critical or important functions and reporting new arrangements to the competent authority. This also covers managing ICT concentration risk and the risk arising from sub-contracting chains, and ensuring that contracts with ICT providers include the mandatory provisions on service levels, monitoring, availability, incident support, and exit rights. Where a critical ICT third-party provider fails to follow the recommendations of its Lead Overseer, financial entities must take that into account in their own risk management and, if the risk cannot be mitigated, may be required to suspend or terminate the relationship.
  • Information Sharing – Financial entities may enter into arrangements to exchange cyber threat information and intelligence among themselves, within trusted communities and in accordance with data protection and competition rules. Competent authorities will in turn provide financial entities with anonymised and aggregated information on significant cyber threats. Entities should have mechanisms to review such information and act on it.

Areas of DORA

  • ICT Risk Management – in accordance with the principle of proportionality and the accountability of the management body of supervised entities
  • Standardisation, expansion, and centralisation of the reporting of major ICT-related incidents by financial entities at the national and EU level
  • Testing of digital operational resilience, including periodic penetration tests of systems, protocols, and ICT tools, and TLPT exercises
  • ICT third-party risk management, including extended duties to analyse concentration risk
  • Establishment of control and oversight frameworks for national and EU supervisory authorities, including the direct oversight of critical ICT third-party service providers and the supply chain

What are the consequences of non-compliance with the DORA Act?

Non-compliance with the DORA Act can have serious consequences for financial institutions and other entities covered by the regulation.

Financial Penalties – For financial entities, fines and other financial sanctions are imposed by the national competent authorities, which DORA requires to have effective, proportionate, and dissuasive penalties at their disposal. Critical ICT third-party service providers are subject to the Lead Overseer (EBA, EIOPA, or ESMA), which may impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover until it complies with the Lead Overseer's recommendations. Either way, such sanctions can significantly burden an entity's budget.

Administrative Measures – Competent authorities may order an entity to cease conduct that breaches DORA and to implement corrective actions, may issue public notices naming the entity and the infringement, and may use their supervisory powers to demand records, conduct inspections, and restrict activities. Where an ICT third-party arrangement threatens financial stability, they may require the entity to suspend or terminate it.

Reputational Consequences – Non-compliance with DORA, including public notices issued by supervisors, can cause a loss of trust among clients, investors, and business partners, with a long-term impact on the entity's reputation.

Operational Consequences – Failure to comply with DORA leaves entities exposed to significant operational disruption, especially from cyberattacks for which they are not adequately prepared. Entities that must catch up with DORA at short notice will also incur much higher costs, as corrective measures are more expensive to implement under time pressure.

Legal Consequences – Serious violations may lead to legal proceedings and further penalties and obligations. DORA places responsibility for ICT risk management on the management body, so board members and other individuals responsible for compliance may also be held personally accountable for breaches of the regulation.

How to prepare a company for the implementation of the DORA regulations?

Implementing DORA requires careful planning and a clear strategy. To achieve compliance, companies must overcome several challenges: interpreting the provisions and technical standards, integrating requirements into existing systems, managing ICT and third-party risk, and training personnel.

Here are some actions that can help companies prepare for the implementation of DORA regulations:

  • Interpretation of Regulations – Understanding the scope and technical detail of DORA and its accompanying RTS/ITS is the first and most important step. Companies should run seminars and training sessions to familiarise staff with the requirements, work with legal experts specialising in financial and technology regulation, and set up internal teams responsible for analysing the provisions and driving implementation.
  • System Integration – Integrating DORA requirements into existing IT infrastructure can be complex. Companies should perform an audit of current systems to identify gaps against DORA, implement the technical and organisational measures needed to close those gaps without disrupting ongoing operations, and regularly test the modernised systems to confirm they remain compliant.
  • Financial Implications – The cost of compliance can be significant, especially for smaller companies. Businesses should budget for system modernisation and for ongoing monitoring and testing costs, and look into grants or other financial support available for DORA compliance.
  • Third-Party Risk Management – Ensuring compliance among ICT service providers requires rigorous assessment. Financial entities should regularly evaluate their ICT providers against DORA's requirements, build the register of information on all ICT contractual arrangements, and amend supplier contracts so that they contain the provisions DORA mandates.
  • Regular Testing and Reporting – Companies must establish robust testing and incident reporting processes. This includes scheduling regular penetration tests and resilience assessments of ICT systems, and implementing monitoring and reporting workflows that can classify incidents and produce the initial, intermediate, and final reports within the deadlines DORA sets.
  • Adaptation to Cybersecurity Threats – Companies need to adjust their security measures dynamically as threats evolve, using real-time threat monitoring and detection tooling and regularly updating their security strategy in response to new risks and shared threat intelligence.

How will DORA affect external service providers?

External providers offering ICT services to financial entities will face increased regulatory oversight and scrutiny under DORA. They must ensure their services meet DORA's standards, because financial entities remain fully responsible for compliance and are therefore obliged to verify that their providers adhere to the requirements.

A provider that cannot meet these requirements risks losing its financial-sector customers: DORA obliges financial entities to secure termination rights in ICT contracts and to maintain exit strategies for services supporting critical or important functions. Expectations regarding security controls, authentication, incident response, and cooperation in resilience testing will increase.

Existing contracts will often need amendments to include the clauses DORA requires. Financial entities will need to verify their providers' compliance, which may involve audits, access and inspection rights, and certifications.

Proactively meeting DORA's requirements can also open up new business opportunities for providers, as financial entities will be looking for secure and DORA-ready ICT services.

DORA in the V-Desk System

Among V-Desk users are financial institutions that need to be ready for the new obligations arising from DORA. Thanks to ongoing discussions with partners such as SGB Bank, VELO Bank, Warta, and Uniqa, the V-Desk system is well prepared to support its implementation.

Simply contact our experts, who will help you organise all the information related to the DORA Act. Do not delay, as the new requirements apply from January 17, 2025, and six months is really not much time.

Let’s talk about how V-Desk supports financial institutions