What Is DORA, and Why Does It Matter for Your Company?

Lately, many governments and regulatory organizations have passed laws to ensure digital security for their financial markets. These laws — such as the SEC’s new cybersecurity policies for Wall Street — take into account the growing risks of cyberattacks by instituting new measures for data security and resilience.

One major new law is the European Council’s Digital Operational Resilience Act (DORA), a regulation to ensure that the financial sector in Europe can remain resilient during severe operational disruptions. Passed a few months ago, it will have a major impact on financial entities and on the companies that provide information and communication technologies (ICT) to them.

Not sure how to get started with DORA compliance? Below, we’ll lay out everything you need to know about the EU’s new digital regulation and how it will impact your company.

What is the Digital Operational Resilience Act (DORA)?

DORA is a regulation designed to mitigate risks for financial institutions in the European Union. It was created to strengthen operational resilience, with specific requirements for:

Risk detection and management
Industry-wide intelligence sharing
Supply chain management
Fast incident reporting
Retrospective analysis
And more

Before DORA, risks in the EU financial system were mainly managed by ensuring that firms had enough capital to withstand disruptions. However, this didn’t take into account important aspects of operational resilience. As a PwC analysis puts it, “The [DORA] framework shifts the focus from only guaranteeing firms’ financial soundness to also ensuring they can maintain resilient operations through an incident of severe operational disruption deriving from cyber security and ICT issues.”

Overall, the purpose of DORA is to create a unified regulatory framework for digital operational resilience. It will require all firms to ensure they can withstand, respond to, and recover from a wide range of disruptions and cyberthreats.

Who does DORA apply to?

DORA will impact the security and resilience measures of financial entities like banks, insurance companies, investment firms, and crypto asset providers. But it also concerns the third parties that provide ICT-related services to those financial entities.

For instance, DORA sets out specific rules on contractual arrangements between financial entities and third-party ICT service providers like cloud storage providers. It also establishes an Oversight Framework for third-party ICT service providers.

Ultimately, if an organization is a direct service provider to a financial institution, then that company will be subject to DORA. It’s expected that DORA will apply to more than 22,000 financial entities and ICT service providers operating within the EU.

What are the consequences of noncompliance with DORA?

DORA was adopted in November 2022 and will officially come into effect in January 2025. Over the next two years, the major European supervisory authorities will develop DORA’s technical standards for all financial institutions, from banking to insurance to asset management.

Because DORA is a regulation and not a directive, it will be binding in its entirety for all EU member states. The national authorities of those member states will perform compliance oversight and enforcement.

DORA itself does not yet stipulate fines, but individual EU member states are free to instate criminal sanctions for breaches of DORA in their national law.

What should companies do to prepare for DORA?

Deloitte warns that, although DORA involves a two-year implementation period, regulators have not yet finalized or announced the technical standards that companies will have to meet. This leaves financial entities and third-party service providers with substantially less time to prepare.

Luckily, there are several steps that companies can take now to prepare for DORA compliance. Most of them involve assessing current IT systems, identifying vulnerabilities, and implementing appropriate data protection measures.

For example, experts recommend that you:

Assess and manage risk. Take into account the scale, complexity, and importance of the contractual arrangements you have with third-party ICT service providers. This will help you prepare risk management policies in keeping with DORA requirements.
Plan for attacks. Establish a robust incident response plan to minimize the impact of cyberattacks and other disruptions. Deloitte recommends testing whether your system has the capability to detect near-miss incidents as well.
Manage third-party risks. Improve your documentation of TPP contracts and connections, and review third party vulnerabilities closely to help inform your strategy. It’s important to understand which service providers are critical to your core business processes and why.
Regularly review your policies. Make sure your digital operational resilience strategy remains current and in compliance by conducting regular audits.

Improved data protection with ShardSecure

ShardSecure offers an innovative approach to file-level encryption with no performance hit and no need for agents. Our transparent Data Control Platform separates data access from infrastructure owners in on-prem, cloud, and multi-cloud environments. This helps companies remain compliant with a broad range of cross-border data regulations.

ShardSecure also supports operational resilience by providing high availability and integrity for critical data. Our Data Control Platform is able to reconstruct data that’s been lost, deleted, or otherwise compromised in attacks and outages. This helps support crucial business continuity and maintain operational resilience.

To learn more about ShardSecure’s data security and resilience benefits, visit our resources page.