What You May Not Know About DORA – But Should – Financial Services

European financial services firms have less than 24 months to comply with the European Council’s Digital Operational Resilience Act (“DORA”) once it is formalized later this year. Acting now has great benefits.

If you’re an IT manager for a financial services company in the European Union (“EU”), you’ve undoubtedly had your eye on DORA for almost two years. DORA – the Digital Operational Resilience Act – is expected to come into full effect this fall after a review period that began in September 2020. When the law goes into effect, all financial services firms (“FS”) in the EU will have less than 24 months to strengthen their cybersecurity posture to comply with the new regulations.1

Well, if you’re on the board of a FS or on senior management, you might not have paid as much attention to DORA. And why should you? Isn’t DORA essentially an IT topic? Are your best engineers struggling with compliance and testing?

You could go this way However, given the origins and intentions of the new law, you may be seriously underestimating the significant compliance challenges. Additionally, you may be missing out on a unique strategic compliance opportunity that can benefit your organization. That’s because DORA isn’t just about strengthening cybersecurity, it’s also about building operational resilience across the organization.

Ask any IT manager that last point, and you’ll likely hear a mantra they’ve long been preaching: Cybersecurity and resiliency should be integral elements of business implementation.

A focus on ICT

To better understand this point, let’s take a quick look at DORA’s origins and goals. For years, national governing bodies within the EU have exercised their own discretion when it comes to cybersecurity in financial services. This discretion led to a patchwork of incident reporting processes and policies that added to increasing compliance costs for organizations.2

DORA harmonizes rules and regulations and strives for EU-wide uniformity in order to maintain operations even in the event of serious operational disruptions. In particular, the EU hopes that the new laws will help FS companies better withstand, respond to and recover from threats to information and communication technologies (“ICT”). Given the business imperatives of sustaining ICT, DORA aims to create stability and trust within the financial system.3

DORA will have far-reaching implications. Here we ask and answer questions related to the new regulatory framework that may concern boards and executives.

Q. How is DORA different from the current regulations under which my company operates?

A That depends on the regulations of your governing body. But the most important thing to know about DORA is that it is far more interventionist than any existing guidelines. And it’s far more prescriptive than anything that’s been issued before. It needs to be repeated: the EU is focusing on the central role of ICT in the financial services sector. Therefore, errors and vulnerabilities in digital infrastructures are not only IT problems, but company-wide problems. You need to move from cyber compliance to cyber assurance.

Q. Can’t we just wait a year or so to start compliance?

A You can, but it’s in the best interests of many companies to stay ahead of a new law that’s so severe and has harsh penalties and consequences for non-compliance. Banks and insurance companies are already mobilizing company-wide DORA initiatives this year.4 If you wait and decide to just tinker around the edges of your core platforms, this might be the case appear less disruptive, but you’ll be adding a huge amount of extra infrastructure.

Q: We’re not a financial services company, but we work with one. Does DORA apply to us?

A Almost all financial companies will be subject to DORA. For example, third parties providing ICT-related services to financial service companies, such as e.g. cloud platforms and data analytics services. And the European Council says that “[c]Critical ICT service providers from third countries for financial institutions in the EU must set up a subsidiary within the EU.”5

Q. What might I be missing when implementing DORA?

A As already mentioned, DORA has numerous requirements in all aspects of digital operational security. For example, have you considered how to handle crisis communications if you experience a cyber incident while the law is in effect? Reporting all incidents is mandatory under DORA, and early planning can mitigate reputational risk.6

Q. There are five main pillars associated with DORA (see sidebar). Which should I prioritize first?

A All five are interconnected and should be tackled together. For reasons of space, only the “digital operational resilience test” pillar is presented in this article. Subsequent articles cover the remaining four pillars.

Q. Okay, tell me about digital operational resilience testing.

A The Pillar will require financial organizations to undergo regular testing by independent parties. Lawmakers are still working to clarify the testing methodology and how multiple bodies will recognize the test results. But under the tentative deal, “penetration testing” is based on existing EU initiatives such as TIBER-EU, a framework that “mimics the tactics, techniques and procedures of real attackers based on tailored threat intelligence.”7The tests are tailored to simulate an attack on an entity’s critical functions and its underlying systems.

Q. Now that I know the test column, what is the most important thing I should consider when running a test program?

A That the customer should be the focus. Given that DORA is designed to enhance stability and confidence in financial systems, any digital operational resilience testing program must meet customer expectations.

Editor’s note: This is the first of three articles in which FTI Journal addresses DORA, the European Council act that strengthens regulations related to information and communication technologies (“ICT”) and cyber resilience in financial services companies becomes. Here the journal provides background information on the law and one of its five main pillars: Digital Operational Resilience Testing.

* FTI Consulting organizes DORA’s requirements into five main pillars; other sources may organize them differently


1: FTI Perspectives, “DORA Overview for Permanent TSB (FTI Perspectives”, April 2022, p. 3).

2: FTI Cybersecurity, “The Digital Operational Resilience Act (DORA): Key Questions Business Leaders Should Be Asking,”
FTI adviceDecember 29, 2020, https://fticybersecurity.com/2020-12/the-digital-operational-resilience-act-dora-key-questions-business-leaders-should-be-asking/

3: Council of the EU, “Digital finance, provisional agreement reached on DORA”, 11 May 2022 https://www.consilium.europa.eu/en/press/press-releases/2022/05/11/digital- provisional -financing-agreement-on-dora/

4: Lafarge, Joanna Grove “What companies can expect from DORA” Global risk oversight,”, February 4, 2021, https://www.globalriskregulator.com/Subjects/Reporting-and-Governance/What-firms-can-expect-from-DORA

5: Council of the EU, “Digital finance, provisional agreement reached on DORA”, 11 May 2022 https://www.consilium.europa.eu/en/press/press-releases/2022/05/11/digital- provisional -financing-agreement-on-dora/

6: Moinuddin, Ali, “The Global Drive for Better Financial Sector Operational Resilience”, International bankerJune 7, 2022, https://internationalbanker.com/finance/the-global-drive-for-better-financial-sector-operational-resilience/

7: European Central Bank, “What is TIBER-EU”, https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html#:~:text=TIBER % 2DEU%20is%20the%20European and%20performs%20a%20controlled%20cyber attack.

The content of this article is intended to provide a general guide to the topic. In relation to your specific circumstances, you should seek advice from a specialist.

About Paige McCarthy

Check Also

CB Financial Services (NASDAQ:CBFV) is now covered by StockNews.com

StockNews.com stock researchers undertook coverage of stocks from CB Financial Services (NASDAQ:CBFV – Get Valuation) …