The EU Digital Operational Resilience Act 2022: a compliance checklist

Updated as of: 15 January 2025

FIs operating within the EU will need to implement IT risk management frameworks and strengthen their operational resilience to ensure compliance with DORA 2022 before the 17 January 2025 deadline.


The EU Digital Operational Resilience Act 2022 (DORA 2022) will apply as of 17 January 2025, introducing enhanced cybersecurity and IT-risk management requirements for financial institutions (FIs) and some IT-related service providers. Under DORA 2022, in-scope companies will be required to have in place robust IT risk management frameworks to ensure their operational resilience in case of “severe operational disruption.”

DORA 2022 is designed to harmonise IT security standards across the EU and strengthen the financial sector’s resilience as FIs become increasingly dependent on technology and tech providers to deliver their services. Without appropriate safeguards, FIs are vulnerable to cyber-attacks or disruptive incidents. 2024 saw some of the costliest events to disrupt the global financial system: Hurricane Helene in October, which reduced operational financial service sites to as low as 10% in some US states, and the global CrowdStrike IT outage, which resulted in more than US$5 billion in direct losses among Fortune 500 companies alone.

DORA 2022 carries robust penalties for companies that fail to meet its standards, with fines of up to 2% of an FI’s global annual turnover and up to €1 million (US$1.026 million) for individuals. EU Member States may also choose to impose criminal penalties under DORA 2022, drastically increasing the personal liability of Chief Information Security Officers.

Provisions and scope 

DORA 2022 applies to 20 different types of companies within the EU’s financial sector, including:

  • banks, 
  • insurance companies, 
  • investment companies, 
  • crypto-asset service providers, and 
  • crowdfunding platforms. 

The regulations are extraterritorial in scope, meaning they apply to virtually all financial services operating within the EU, regardless of where companies are based. Non-EU third-party IT service providers will also be subject to DORA 2022 if they enter into contractual arrangements with EU FIs.

DORA 2022 requires the European Supervisory Authorities (ESAs) to designate on an annual basis critical third-party IT service providers (CTPPs) operating within the EU’s financial services sector. CTPPs are not directly regulated under DORA 2022 but will be subject to direct oversight by the ESAs. Designated CTPPs are required to nominate a representative to coordinate and ensure adequate communication with the ESAs. Designation of CTPPs will be based on criteria including the “systemic impact on the stability, continuity or quality of the provision of financial services” in the event that the third-party IT service provider experienced “a large scale operational failure to provide its services.”

DORA 2022 introduces numerous compliance obligations for in-scope companies structured around five key pillars: 

  • IT risk management, 
  • IT-related incident management, 
  • digital operational resilience testing,
  • IT third-party risk management, and
  • information sharing arrangements.

IT risk management  

Article 6 of DORA 2022 requires FIs to establish and maintain “comprehensive and well-documented IT risk management frameworks,” which should enable them to prevent, detect, mitigate and recover from IT incidents effectively, as well as carry out diligent ongoing monitoring. To ensure compliance with this provision, in-scope companies will need to employ modern IT infrastructure, establish governance structures for IT risk oversight and introduce IT security awareness and digital operational resilience training for their staff.

IT-related incident management  

Chapter III of DORA 2022 sets out FIs’ obligation to document and implement IT-related incident management processes that should: 

  • include methods for spotting early warning indicators; 
  • establish detailed business continuity policies and disaster recovery plans;
  • assign responsibility for managing different IT-related incidents; and 
  • establish procedures to identify, track, log, categorise and classify IT-related incidents. 

Under Article 19, FIs are required to notify the relevant competent authority (CA) as soon as possible, but no later than four hours after classifying an IT incident as major, and within 24 hours of awareness. Companies must then submit intermediate reports within 72 hours of the initial notification, providing updated details of the incident’s status. A final report is required within one month of the intermediate report, explaining the cause of the incident, resolution steps and an impact assessment.

Digital operational resilience testing 

Under Article 24 of DORA 2022, FIs need to carry out regular testing to ensure the resilience of their IT frameworks, including mandatory scenario-based tests, penetration tests, and disaster recovery drills. This testing should enable FIs to identify any weaknesses and gaps in their digital operational resilience so they can promptly implement corrective measures. 

Third-party risk management  

As per Article 28 of DORA 2022, third-party risk management must form part of FIs’ comprehensive IT risk management frameworks. Companies need to maintain a register of their outsourced IT activities and actively monitor the potential risks emanating from these providers. 

Article 30 of DORA 2022 also imposes contractual requirements for managing third-party risk. FIs must ensure their contracts with IT service providers include provisions for:

  • monitoring resilience, 
  • incident reporting,
  • exit strategies, and 
  • maintaining oversight even when services are outsourced. 

DORA 2022 states that FIs “may only enter contractual arrangements with IT third-party service providers that comply with appropriate information security standards.”

Information sharing 

Under Article 45 of DORA 2022, FIs are encouraged to forge arrangements amongst themselves for exchanging intelligence about potential cyber threats, early warning indicators and techniques to enhance operational resilience. FIs need to notify CAs about their participation in any such information-sharing arrangements.

Penalties 

The three ESAs are primarily responsible for overseeing DORA: the European Banking Authority, the European Securities and Markets Authority and the European Insurance and Occupational Pensions Authority. In their role as primary supervisors, the ESAs may request information, conduct on- and off-site investigations, impose penalties and issue recommendations to ensure compliance among in-scope companies.

For violations of DORA 2022, FIs could face fines of up to 2% of their global annual turnover, while individuals could be fined up to €1 million (US$1.026 million). Meanwhile, designated critical IT service providers could be fined up to €5 million, or for individuals, a maximum of €500,000 (US$512,878). Member States may also impose criminal penalties for breaches of DORA 2022, although these are not specified within the regulations. 

Compliance checklist 

Conduct a gap analysis   

A gap analysis can be used to help in-scope companies assess the effectiveness of their existing IT risk management framework and identify areas where current practices fall short of DORA 2022’s requirements. 

This should involve collecting data on current IT risk management procedures, analysing the new requirements and identifying where changes are needed. Companies then need to determine what investment or organisational changes are required to ensure compliance, for example, introducing staff training or enhancing IT security and management systems. 

Develop a comprehensive IT risk management framework 

Under DORA 2022, IT risk management frameworks require measures including, but not limited to:  

  • designating a member of senior management who is responsible for overseeing IT risk and responding to incidents; 
  • adopting the necessary IT strategies, policies, procedures and tools to adequately protect the company’s IT assets; and
  • identifying mechanisms to promptly detect anomalous activities that could lead to or indicate an IT-related incident.

Ensuring that the board of directors or other members of senior management are actively engaged with matters of cybersecurity can help companies to establish a “trickle down” cybersecurity culture. It is important for legal and privacy teams to work closely with the Chief Information Security Officer to ensure the company is compliant with its cybersecurity obligations under DORA 2022 and that adequate technical measures are in place.

Prepare for ongoing monitoring 

In-scope companies will need to allocate adequate time and resources to ensure ongoing monitoring of their DORA 2022 compliance efforts. Article 6.5 of the regulations stipulates that FIs must review their IT risk management frameworks at least once a year, or periodically in the case of microenterprises, as well as upon the occurrence of any major IT-related incidents.

Establish incident reporting procedures 

Under DORA 2022, in-scope companies are given short timeframes within which to report IT-related incidents: no more than four hours after classifying an IT incident as major, and within 24 hours of awareness. 

To ensure compliance with this obligation, companies should designate a senior staff member who is responsible for engaging with the relevant CAs and reporting incidents. The designated individual must also be aware of the requirement to complete a final report within one month of the intermediate report following an IT-related incident.

An IT-related incident report should include:

  • the source of the incident and when it occurred;
  • how and when the incident was detected;
  • the likely consequences of the incident; and
  • the mitigation and recovery measures taken to reduce disruption and severity of any lasting impacts. 

Other staff members should also be trained to quickly identify and classify IT-related incidents and escalate them internally. 

Plan for resilience testing 

Under DORA 2022, in-scope companies are required to conduct yearly operational resilience testing that should include a range of assessments, tests, methodologies, practices and tools carried out by an independent party either internally or externally.  

Testing could take several forms, including disaster recovery tests, simulations, and discussions of lessons learned. For example, FIs could conduct a lessons learned exercise to identify potential weaknesses and improve their ability to respond to and recover from future disruptions effectively.

FIs will need to dedicate sufficient resources for this testing, fully document their processes and ensure that conflicts of interest are avoided throughout the design and execution of the tests, so that accuracy and transparency are prioritised. 

Review contracts with third-party providers  

DORA 2022 imposes robust obligations on FIs to appropriately manage their third-party IT risk. To ensure compliance, companies will need to audit their existing suppliers and maintain a register of the IT activities they outsource on an ongoing basis. They should identify any risks associated with each service provider and adopt risk-based mitigation strategies where necessary. 

FIs will also need to review and update their contracts with IT service providers, ensuring provisions are included for resilience monitoring, incident reporting, and termination clauses to protect continuity of service.

Companies may wish to develop procurement documents and carry out training to ensure staff responsible for IT procurement are aware of DORA 2022’s requirements and the standards providers must meet to provide compliant services to the company. 

FIs must have their registers of IT third-party providers’ contractual arrangements available for competent authorities early in 2025, as the latter will have to report them to the ESAs by 30 April 2025.
