The 17 January 2025 deadline is fast approaching for businesses to be compliant with a new European regulation called the Digital Operational Resilience Act or DORA for short.
And with a post-Brexit equivalent to DORA just around the corner, getting your operations compliant isn’t only necessary for companies with data that flows through EU member states – a likely similar set of guidelines will soon be law in the UK too.
What is DORA?
DORA is an EU regulation that became law in January 2023, but will first be applied on 17 January 2025. It is designed to build operational resilience into financial institutions and their ICT suppliers in the case of any major disruptions, including IT outages and cyber attacks. The goal, according to EU regulators, is economic stability in the face of such upheaval.
Banks, insurers and investment firms are the primary targets, but the regulation is aimed at their suppliers too. With all the complexities of global data flows, there’s a high chance your technology might touch European soil and therefore require compliance with DORA.
Noncompliant firms face fines by the European Supervisory Authorities of two percent of their global annual turnover. Organisations deemed “critical” can face a maximum fine of €5m (£4.2m). Failing to report digital threats, vulnerabilities or incidents may also lead to fines.
DORA: the five key requirements
There are five key pillars within DORA.
ICT risk management
Organisations will have to develop a risk-management framework that includes building and maintaining resilient IT systems and tools. These systems and tools should be designed to weather any operational storms.
Firms will also have to create mechanisms to find new threats or risks, be they internal or external. Risk assessments must be run continuously and should be backed up with solid business-continuity and disaster-recovery plans should organisations suffer disruption.
IT incident reporting
Businesses will have to log and manage any incidents that do occur. They will then have to classify and describe these incidents before reporting on them to internal and external stakeholders. That includes submitting preliminary, ongoing and final reports to users and clients.
Digital resilience testing
It won’t be enough to wave around a business continuity plan. Organisations will have to show that they are regularly testing their resilience by evaluating weaknesses in their cyber defences and IT estate.
Third-party and IT supply-chain risk
This pillar aims to address the increasing prevalence of supply-side attacks – where criminals break into networks via a third party – and states that firms must look beyond their own walls and monitor the risks of partners in their supply chain, too.
That includes building a contractual paper trail to prove that all third-party providers are up to standard and can provide full visibility over their stack, including the physical locations where data is being processed.
Information sharing
Here, financial services businesses are encouraged to share information about emerging risks, as well as practical advice, with one another to build further resilience through collaboration.
DORA: Why it matters for UK PLC
Any organisation with a EU footprint or that supplies to the EU will need to determine whether they are subject to DORA.
But, even if they’re not, given the fact that cyber threats and digital disruption are not going away, trying to hit the minimum requirements for DORA compliance will set UK firms up better for future.
As with the run-up to the introduction of GDPR, organisations might want to view the upcoming regulatory environment as an opportunity to clean house and get their business continuity, cyber resilience and recovery planning in order.
