DORA Legislation – One Year to Go
By James Rees, MD, Razorthorn Security
A major requirement that all European-based organisations (or organisations that want to do business with the EU) must be aware of is the new DORA legislation coming into effect in January 2025. With just a year left to implement your strategy, it is worth reviewing how you measure up now, so that you have time to ensure you comply before the deadline.
So let’s look at the basics: what is DORA legislation?
DORA stands for Digital Operational Resilience Act. It is a proposed legislation by the European Commission that aims to establish a set of rules to ensure the digital operational resilience of all entities operating in the financial sector in the European Union. This includes financial institutions, investment firms, insurance and reinsurance companies, and even third party IT service providers.
The primary objective of DORA is to mitigate potential risks and threats that could disrupt the digital operations within the financial sector. It also seeks to provide a coordinated approach across the EU towards ICT risk management, incident reporting, testing, and more.
DORA legislation includes several key requirements, including:
1. ICT Risk Management
Entities are required to implement robust ICT risk management practices which should be proportionate to their size, structure, operational environment and level of ICT related risks.
2. Incident Reporting
Entities will have to report significant ICT related incidents without undue delay to their national competent authority.
3. Digital Operational Resilience Testing
Entities are expected to carry out regular testing of their digital operational resilience.
4. ICT Third Party Risk
If an entity relies on a third party provider for its ICT services, it will need to manage potential risks associated with such relationships effectively.
5. Oversight Framework
For critical third party service providers, DORA proposes an oversight framework led by “Lead Overseers” designated by the European Supervisory Authorities (ESAs).
The new rules under DORA will replace existing guidelines and requirements on ICT risk management for EU financial entities, making it important for these organisations to start preparing now, given the scope of changes they may need to make to their operations before the January 2025 deadline.
Alongside these five requirement sets, there are significant penalties for organisations found to be in breach, which are as follows:
1. Administrative fines up to 1% of the annual turnover of the previous financial year.
2. In case of repeated breaches, the fines could go up to 2% of the annual turnover.
3. If an entity fails to report a significant incident, they could be fined up to 0.2% of their total annual gross income.
4. For any negligence or intentional non-compliance with DORA legislation, fines can range from €200,000 to €1,000,000 or in case of a company, up to 2% of their total annual turnover.
These penalties highlight the seriousness with which the EU is approaching digital operational resilience within the financial sector. It’s therefore crucial for all entities operating in this sector within the EU – and even those that want to have dealings with it – to ensure they are fully compliant with DORA by January 2025.
Key Focus Points
Now that the formal legislative aspects are out of the way, we can turn to what this actually means. This is a significant game changer for security. There has been a marked change in the way governmental institutions across the world view information security, with many either releasing legislation or in the process of defining legislation to tackle the ever increasing cyber crime problem we are experiencing. And who can blame them: according to Cybersecurity Ventures, we are looking at $10.5 trillion USD in cyber crime costs for 2025. Even the World Economic Forum has stated in its most recent release that it ranks cybersecurity among the top 10 threats to the world economy.
To combat this, legislation such as DORA is being put in place to enforce stringent security measures and ensure adequate risk management in the financial sector. This legislation will change how organisations approach their digital operations and security, requiring thorough risk assessments, robust incident reporting procedures and regular resilience testing.
Third Party Service Providers
Another significant aspect of the DORA legislation is its focus on third party ICT service providers. This acknowledges the reality that many organisations rely heavily on these services for their digital operations. As a result, any risks associated with these third party providers can have serious implications for the organisation’s overall security. Therefore, efficient management of these relationships and potential risks is crucial under DORA.
Accountability and Transparency
DORA puts a lot of emphasis on accountability and transparency. With hefty penalties for non-compliance or failure to report significant incidents, organisations will be under pressure to ensure they are fully compliant and that any incidents are dealt with promptly and effectively. DORA represents an important step towards improving digital operational resilience within the financial sector across the EU. It challenges entities to implement robust security measures, manage ICT risks effectively and be transparent about any incidents that occur. The deadline may seem far off now but given the scope of changes many organisations will need to make to comply with DORA, it is advisable to start preparing now.
The importance of this cannot be overstated, as it represents a shift in how governments are tackling cybersecurity, moving from recommendations to strict legislation with significant penalties for non-compliance. As such, it’s essential that organisations begin preparations now for compliance with DORA – doing so not only helps avoid potential fines but also strengthens their overall digital resilience against an ever-increasing threat landscape.
The ONE thing I will also say about DORA is to watch out for vendors cranking up their marketing machines and churning out endless “compliant with DORA legislation” solutions or services. While it’s true that some vendors may offer valuable tools that can help streamline the compliance process, it’s important to critically evaluate these offerings and not get swept up in the hype. Remember, compliance with DORA doesn’t just involve purchasing new software or a tool – it requires a comprehensive approach that includes changes in processes, culture and overall cybersecurity strategy.
So, do your due diligence. Understand what DORA entails, how it impacts your organisation and what steps you need to take to ensure compliance. Don’t just rely on a vendor’s glossy marketing materials – dig deep to ensure their solutions truly align with your needs and the requirements of DORA.
Read more about our DORA Compliance services.