Understanding the Digital Operational Resilience Act (DORA) (2024)

I live in Sweden, where 10% or fewer of purchases are made with cash. Few people carry cash regularly, and it can often be difficult to find places that accept it. This means that if I lose my phone or my internet connection, simple tasks like paying for my coffee become exceedingly difficult. And I am in no way unique in this respect; at least half of Europeans prefer this type of transaction. Here, we even have our passports on our mobile phones! Our collective reliance on digital infrastructure in day-to-day life cannot be overstated, and it is only going to expand further.

With our growing digital footprint, the financial sector faces unprecedented challenges and opportunities. The increased reliance on digital technologies has brought great advancements in financial services, but it has also exposed institutions to an ever-growing number of cyber threats and operational risks. Recognizing the critical role digital infrastructure plays in the everyday lives of EU citizens, the European Union has introduced the Digital Operational Resilience Act (DORA). This regulation aims to ensure that financial entities can withstand, respond to, and recover from a wide array of operational disruptions, thereby safeguarding the stability and integrity of the financial system. In this blog post, we will examine the key aspects of DORA, including who is affected, the core requirements for organizations, and practical steps for achieving compliance by the deadline of 17 January 2025.

Who is Affected by DORA?

DORA applies to all financial institutions in the European Union. Its scope covers traditional financial organizations, non-traditional financial entities, and the service and infrastructure providers that support them. The affected organizations include:

  1. Banks and Credit Institutions: Traditional and digital banks.
  2. Investment Firms: Companies involved in trading, investment management, and advisory services.
  3. Insurance and Reinsurance Firms: Entities providing various insurance products and services.
  4. Payment Service Providers: Companies facilitating digital payments, including e-money institutions.
  5. Crypto-Asset Service Providers: Firms dealing with cryptocurrencies and digital assets.
  6. Market Infrastructures: Entities like stock exchanges and clearing houses.
  7. Critical third-party information services: Including credit rating services and data analytics providers.
  8. Third-party ICT Service Providers: Companies providing critical technology services to financial institutions, such as cloud computing and data analytics.

While the above is not an exhaustive list, it is notable that DORA also applies to some third-party service providers that are critical to the operations of the entities in scope. These organizations have not traditionally been subject to financial regulation, and their inclusion highlights the interconnected nature of modern financial infrastructure.

Key Requirements for Organizations

DORA sets out comprehensive requirements, organized into five basic pillars, to ensure financial entities can withstand, respond to, and recover from operational disruptions. The key requirements include:

  1. ICT Risk Management: Establishing robust internal processes to identify, assess, and manage risks associated with information and communication technology.
  2. Incident Reporting: Implementing procedures for timely and efficient reporting of significant ICT-related incidents to competent authorities.
  3. Digital Resilience Testing: Regular testing of the ICT systems to assess their resilience against potential threats and vulnerabilities.
  4. Information Sharing: Encouraging the exchange of cyber threat information and intelligence among financial institutions to bolster collective defense mechanisms.
  5. Third-party Risk Management: Ensuring that third-party service providers comply with DORA’s standards, including contractual agreements that mandate adherence to these requirements.

Where Should Organizations Start?

For financial institutions embarking on their journey to comply with DORA, the following steps are crucial:

  1. Conduct a Gap Analysis: Assess current ICT risk management practices against DORA’s requirements to identify gaps and areas needing improvement.
  2. Develop a Compliance Roadmap: Create a strategic plan outlining the necessary steps, timelines, and resources required to achieve compliance.
  3. Enhance Incident Reporting Mechanisms: Implement or upgrade systems to ensure timely and accurate reporting of ICT-related incidents.
  4. Strengthen Third-party Relationships: Work closely with your third-party ICT service providers to ensure they can help you to meet DORA’s compliance standards.
  5. Invest in Training and Awareness: Include resilience and what to do in the event of an emergency in your user training.
  6. Engage in Continuous Testing: Regularly test ICT systems to identify vulnerabilities and ensure resilience against potential cyber threats and outages.

How can Zscaler Help?

Zscaler’s Zero Trust Exchange can help organizations on the path to DORA compliance by providing a solid, defensible architecture based on Zero Trust principles to defend your users and data against cyber threats. It enables organizations to securely connect users, both internal and third party, to the applications they need, without overprovisioning access. Additionally, Zscaler provides a complete set of resilience capabilities to ensure business continuity during network or cloud disruptions.

What’s next?

As the January 2025 deadline approaches, financial institutions across the EU must prepare for the stringent requirements of DORA. Leveraging Zscaler's advanced solutions can help ensure compliance, enhance resilience, and protect against ICT-related risks. By adopting a proactive approach to digital operational resilience, financial entities can navigate the complexities of DORA and safeguard their operations in an increasingly digital world. Zscaler is committed to helping its customers through this process. Reach out to your local Zscaler representative and ask to meet with a member of the CISO team to understand how we can help.


FAQs

Understanding the Digital Operational Resilience Act (DORA)

DORA is designed to strengthen “cyber resilience” for regulated financial entities. This term encompasses an organization's ability to uphold operational integrity and business continuity amidst disruptions, such as data breaches and cyber attacks.

What is the Digital Operational Resilience Act for dummies?

The Digital Operational Resilience Act's core principles ensure that financial institutions understand their entire IT landscape, including their third-party service suppliers, and can identify potential vulnerabilities and risks and implement robust automated strategies to protect their systems, data, and customers ...

What is the DORA summary?

DORA establishes technical standards that financial entities and their critical third-party technology service providers must implement in their ICT systems by 17 January 2025.

What is the Digital Operational Resilience Act?

DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogeneous across all EU member states.

What are the 5 pillars of the DORA regulation?

Built around five key pillars aimed at bolstering the ICT risk management frameworks of financial entities, DORA's architecture includes:
  • ICT risk management. ...
  • Cyber incident reporting and response. ...
  • Operational resilience testing. ...
  • Third-party risk management. ...
  • Information sharing.

What are the 4 pillars of digital resilience?

One way to think about resilience is through the lens of four interconnected pillars: data privacy, compliance, cybersecurity, and enterprise risk management.

What are the four key applications of digital resilience?

Digital resilience is developed through four connected elements: understanding when you are at risk, knowing what to do to seek help, learning from experiences, and having appropriate support to recover.

What are the key points of DORA?

DORA: Six Key Action Points for Firms
  • Conduct a Gap Analysis. ...
  • Develop an ICT Risk Management Framework. ...
  • Manage ICT Risk Incidents. ...
  • Implement ICT Testing Programmes. ...
  • Third-Party ICT Services. ...
  • Information Sharing.


What are the DORA requirements?

DORA benchmarks include: independent parties must carry out annual resilience and vulnerability testing; regular threat-led penetration testing is also a requirement; and DORA requires protection measures that are risk-based and comprehensive.

What are the 5 pillars of operational resilience?

The five pillars of operational resilience – Risk Identification and Management, Business Continuity Planning, IT Resilience, Crisis Management and Response, and Adaptive Governance and Culture – form the backbone of a robust resilience strategy.

What are the 3 components of operational resilience?

Operational resilience is an outcome that benefits from the effective management of operational risk. Activities such as risk identification and assessment, risk mitigation (including the implementation of controls) and ongoing monitoring work together to minimise operational disruptions and their effects.

What is the aim of DORA?

It aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption.

Who does DORA apply to?

The DORA Regulation applies to the EU's financial sector and suppliers of ICT services to that sector, wherever those suppliers are based.

How to prepare for DORA?

The 5 required steps for DORA compliance
  1. ICT risk management. DORA lays out frameworks and guidelines for risk management in the financial sector. ...
  2. Incident reporting. ...
  3. Supply chain risk management. ...
  4. Resilience testing. ...
  5. Information sharing.

What is the key definition of operational resilience?

Definitions. “Operational risk” is the risk of loss resulting from people, inadequate processes and systems, or external events. “Operational resilience” is the ability to deliver operations, especially critical operations, through disruption.

What is the operational resilience regulation summary?

The FCA and PRA define operational resilience as the ability of financial services firms and the financial services sector to prevent, adapt, respond to, recover, and learn from operational disruptions.
