What Is the DORA (Digital Operational Resilience Act) Regulation?

DORA (Digital Operational Resilience Act) is a new regulation from the European Union that affects the financial services sector. The DORA regulation relates explicitly to EU financial services, focusing on maintaining cybersecurity resilience. The initial draft of DORA was released on 24 September 2020; on 10 November 2022, the European Parliament ratified DORA.

Fabio Panetta of the European Central Bank (ECB) described the cyberthreat landscape as follows: “Threats are becoming increasingly complex. Recent attacks call for constant vigilance at an operational level and the continuous reassessment of regulatory and oversight frameworks to see whether they need to be updated.” The DORA regulation is designed to harmonize cybersecurity guidelines across the financial sector and consider the changing threat landscape.

DORA regulation and cyber resilience in financial services

The Digital Operational Resilience Act aims to promote cyber resilience across the financial services ecosystem, helping banks, other financial institutions, and the financial systems they depend on to prevent, respond to, and recover from cybersecurity incidents. To achieve this, the DORA regulation offers a framework of rules for building a robust risk management process.

DORA legislation seeks to facilitate finance innovation while mitigating the risks arising from the industry’s digital transformation. As part of this balancing act, Article 114 of the Treaty on the Functioning of the European Union (TFEU) forms the legal basis for DORA.

DORA is a legislative measure that applies to all EU financial services firms and to the critical information and communication technology (ICT) third-party and cloud service providers that serve them in EU member states. Like the GDPR, which harmonizes data privacy regulation, DORA consolidates and upgrades the management of ICT and cyber risk in financial services.

The Digital Operational Resilience Act requires financial firms to use measures to protect against ICT-related risks. To achieve this, DORA requirements also cover third parties, like cloud providers. Financial sectors impacted by DORA include:

  • Credit institutions
  • Payment institutions
  • Electronic money institutions 
  • Investment firms
  • Crypto-asset service providers 
  • Alternative investment funds
  • Insurance managers 
  • Critical ICT third-party providers servicing covered entities

How Akamai helps your organization meet DORA compliance

The Zero Trust element of Akamai’s platform helps organizations move toward a DORA-compliant environment, providing deep visibility into assets, access controls, and network flows, with granular enforcement of security policy. Akamai’s visibility into your assets, access, and network flows is the foundation stone of a Zero Trust security strategy that extends to the management of ICT third-party risk. And our threat hunting team can help you hunt down the most evasive threats and limit lateral movement in the event of a breach.

The Akamai global platform helps an organization detect and prevent existing and emerging threats, and adapt to the changing security landscape. This is essential to meeting the operational resilience requirements set out by DORA.

How does DORA affect your organization?

DORA requirements focus on the cyber resilience of ICT systems. The DORA benchmarks include:

  • Independent parties must carry out annual resilience and vulnerability testing. Regular threat-led penetration testing is also an expected requirement.
  • DORA requires protection measures that are risk-based and comprehensive. DORA security measures include: taking a risk-based approach to network and infrastructure management; implementing appropriate and comprehensive policies for handling vulnerabilities, such as patching and updates; using robust authentication mechanisms; and limiting physical and virtual access to ICT system resources and data.
  • Procedures are required that “detect, manage and notify ICT-related incidents and shall put in place early warning indicators as alerts.”
  • Cybersecurity incident reporting is facilitated by having processes to monitor, describe, and report significant ICT-based incidents to DORA authorities.
  • DORA requirements on management and security accountability cover essential cybersecurity management, incident response, and arrangements for information sharing.

DORA and financial services

The International Monetary Fund (IMF) has called for urgent safeguards in the financial sector after an IMF survey showed the sector was at risk from weak defenses. The Bank of England concurs, finding in its H2 systemic risk survey that 74% of respondents see cyberattacks as the highest risk to the financial sector.

Frameworks and guidance like DORA are vital in helping financial institutions and their associated suppliers, such as ICT providers, understand how to manage risk. Research from the Verizon 2022 Data Breach Investigations Report (DBIR) recorded the most significant cyberthreats in the financial sector, such as data breaches, DDoS, and ransomware. The report points out that stolen credentials are integral to the success of most cyberattacks in the sector. The Commodity Futures Trading Commission pointed out recently that a 2022 survey of 130 global financial institutions found that 74% had at least one ransomware attack incident the previous year. DORA sets out risk management measures, such as Zero Trust and identity management, that can be used to prevent these types and levels of cyberattacks.

DORA and ICT providers

A key aspect of DORA is third-party risk management. According to the Verizon 2022 DBIR, the financial sector was the second most-targeted sector for supply chain attacks. DORA compliance sets out to change this and prevent cyberattacks on suppliers and financial institutions. The European Union Agency for Cybersecurity (ENISA) reported increased sophistication and volume of supply chain attacks, with attackers targeting the supply chain to steal data and financial assets. DORA coordinates its requirements with existing frameworks such as the European Banking Authority (EBA) Outsourcing Guidelines (see also DORA Article 14).

Any ICT provider deemed “critical” under DORA will come under stringent rules enforced through direct engagement with the EU financial services (FS) authorities.

Zero Trust solutions provide visibility across the extended network of suppliers, including ICT providers. This level of visibility is crucial to applying the cybersecurity policies required by DORA. Enforcement of security measures, such as least privilege and proactive control of sensitive areas and data, prevents data breaches and infection by ransomware.

Akamai solutions for DORA compliance

Akamai provides a comprehensive solution family that covers compliance with DORA requirements to ensure operational resilience in the financial sector. Akamai’s leading security solutions are recognized as best in class by our customers who use Akamai to protect critical assets. Our security portfolio has grown from a collection of point solutions to a comprehensive and powerful Zero Trust platform. Akamai’s world-class solutions provide the controls required to meet DORA’s stringent requirements, including managing the risk of ICT providers to ensure the protection of critical assets. Akamai’s Zero Trust security provides the type of comprehensive coverage needed to cover all types of IT environments — regardless of asset type, traffic type (north-south, east-west), or legacy devices. Akamai provides deep visibility into your IT environment, critical assets, access requirements, and network flows across your entire infrastructure. Used together, the Akamai family of security solutions provides the tools to ensure adherence to the DORA legislation.

DORA and the ESAs

DORA is built upon previous work from the European Insurance and Occupational Pensions Authority (EIOPA), the European Banking Authority, and the European Securities and Markets Authority (making up the European Supervisory Authorities, or ESAs). DORA is important because of the digital transformation across the entire financial and insurance value chain. The regulatory requirements of DORA are needed to manage these new and emerging risks and to have the right type of measures and safeguards in place to prevent cyberattacks.

Incident reporting under DORA

Reporting of cybersecurity incidents by covered entities is an important aspect of DORA. Covered entities must have processes in place to monitor, describe, and report significant ICT-based incidents to the DORA authorities.

Also, the reporting rules for critical ICT providers are stringent, and include making an initial notification no later than the end of the business day — or if the significant incident occurred later than two hours before the end of the business day, no later than four hours from the beginning of the next business day. An intermediate report follows, no later than one week after the initial notification; the final report after root cause analysis has been performed is expected no later than one month after the initial report.

Digital Operational Resilience Act (DORA) gap analysis

There is a 24-month implementation period allowed for DORA compliance; during that period, financial entities and critical third-party service providers must reach full adherence to the legislation. The end of this 24-month period is rapidly approaching. To prepare your organization for DORA adherence, covered entities should carry out a gap analysis to determine whether the measures already deployed meet some or all of the requirements.

Frequently Asked Questions (FAQ)

What is DORA?

DORA, or the Digital Operational Resilience Act, is new legislation from the European Union that relates explicitly to EU financial services, focusing on maintaining cybersecurity resilience.

Is DORA a government agency?

No, DORA (Digital Operational Resilience Act) is not a government agency. It is an initiative that seeks to set standards for measures related to operational resilience that banks, exchanges, and other financial market infrastructures must adhere to.

Why customers choose Akamai

Akamai powers and protects life online. Leading companies worldwide choose Akamai to build, deliver, and secure their digital experiences — helping billions of people live, work, and play every day. Akamai Connected Cloud, a massively distributed edge and cloud platform, puts apps and experiences closer to users and keeps threats farther away.