Lately, many governments and regulatory organizations have passed laws to ensure digital security for their financial markets. These laws — such as the SEC’s new cybersecurity policies for Wall Street — take into account the growing risks of cyberattacks by instituting new measures for data security and resilience.
One major new law is the European Council’s Digital Operational Resilience Act (DORA), a regulation to ensure that the financial sector in Europe can remain resilient during severe operational disruptions. Passed a few months ago, it will have a major impact on financial entities and on the companies that provide information and communication technologies (ICT) to them.
Not sure how to get started with DORA compliance? Below, we’ll lay out everything you need to know about the EU’s new digital regulation and how it will impact your company.
DORA is a regulation designed to mitigate risks for financial institutions in the European Union. It was created to strengthen operational resilience, with specific requirements for:
Before DORA, risks in the EU financial system were mainly managed by ensuring that firms had enough capital to withstand disruptions. However, this didn’t take into account important aspects of operational resilience. As a PwC analysis puts it, “The [DORA] framework shifts the focus from only guaranteeing firms’ financial soundness to also ensuring they can maintain resilient operations through an incident of severe operational disruption deriving from cyber security and ICT issues.”
Overall, the purpose of DORA is to create a unified regulatory framework for digital operational resilience. It will require all firms to ensure they can withstand, respond to, and recover from a wide range of disruptions and cyberthreats.
DORA will impact the security and resilience measures of financial entities like banks, insurance companies, investment firms, and crypto asset providers. But it also concerns the third parties that provide ICT-related services to those financial entities.
For instance, DORA sets out specific rules on contractual arrangements between financial entities and third-party ICT service providers like cloud storage providers. It also establishes an Oversight Framework for third-party ICT service providers.
Ultimately, if an organization is a direct service provider to a financial institution, then that company will be subject to DORA. It’s expected that DORA will apply to more than 22,000 financial entities and ICT service providers operating within the EU.
DORA was adopted in November 2022 and will officially come into effect in January 2025. Over the next two years, the major European supervisory authorities will develop DORA’s technical standards for all financial institutions, from banking to insurance to asset management.
Because DORA is a regulation and not a directive, it will be binding in its entirety for all EU member states. The national authorities of those member states will perform compliance oversight and enforcement.
DORA itself does not yet stipulate fines, but individual EU member states are free to institute criminal sanctions for breaches of DORA in their national law.
Deloitte warns that, although DORA involves a two-year implementation period, regulators have not yet finalized or announced the technical standards that companies will have to meet. This leaves financial entities and third-party service providers with substantially less time to prepare.
Luckily, there are several steps that companies can take now to prepare for DORA compliance. Most of them involve assessing current IT systems, identifying vulnerabilities, and implementing appropriate data protection measures.
For example, experts recommend that you:
ShardSecure offers an innovative approach to file-level encryption with no performance hit and no need for agents. Our transparent Data Control Platform separates data access from infrastructure owners in on-prem, cloud, and multi-cloud environments. This helps companies remain compliant with a broad range of cross-border data regulations.
ShardSecure also supports operational resilience by providing high availability and integrity for critical data. Our Data Control Platform is able to reconstruct data that’s been lost, deleted, or otherwise compromised in attacks and outages. This helps support crucial business continuity and maintain operational resilience.
To learn more about ShardSecure’s data security and resilience benefits, visit our resources page.
The Digital Operational Resilience Act (DORA) - Regulation (EU) 2022/2554 | DORA
What Is the Digital Operational Resilience Act (DORA)? | Check Point Software
DORA: The Digital Operational Resilience Act | DLA Piper
What Can We Expect From the Digital Operational Resilience Act | Deloitte Netherlands
Ten Keys to Success With DORA Compliance | International Cyber Threat Task Force