What Is DORA (Digital Operational Resilience Act)?

DORA is a regulation from the EU that affects the financial services sector. DORA relates explicitly to EU financial services, focusing on maintaining cybersecurity resilience.

DORA entered into force on January 16, 2023 and applies from January 17, 2025.

Fabio Panetta of the European Union (EU) described the cyberthreat landscape as follows: “Threats are becoming increasingly complex. Recent attacks call for constant vigilance at an operational level and the continuous reassessment of regulatory and oversight frameworks to see whether they need to be updated.” DORA regulation is designed to harmonize cybersecurity guidelines across the financial sector and consider the changing threat landscape.

Like the GDPR, which harmonizes data privacy regulation, DORA consolidates and upgrades ICT risk management and cyber risk management in financial services.

DORA aims to mitigate the risks arising from the industry’s digital transformation and to promote cyber resilience in the financial services ecosystem, helping banking, the financial sector, and financial systems to prevent, respond to, and recover from a cybersecurity incident. To achieve this, DORA lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities. The requirements include ICT risk management, reporting of major ICT-related incidents, digital operational resilience testing, information sharing and measures and requirements related to the use of ICT third-party services.

DORA is a legislative measure that applies to financial organizations operating financial activities in the EU under the 21 categories in scope. Organizations operating in the financial sectors impacted by DORA include, among others:

• Credit institutions
• Payment institutions
• Electronic money institutions 
• Investment firms
• Crypto-asset service providers 
• Alternative investment funds
• Insurance managers 
• ICT third-party service providers

The Zero Trust element of Akamai’s platform provides deep visibility into assets, access controls, and network flows, with granular enforcement of security policy. Akamai’s visibility into your assets, access, and network flows is the foundation stone of your Zero Trust security strategy that extends to the management of ICT third-party risk. And our threat hunting team can help you hunt down the most evasive threats and limit lateral movement in the event of a breach.

The Akamai global platform can help an organization detect and prevent existing and emerging threats, and adapt to the changing security landscape.

DORA requirements focus on the cyber resilience of ICT systems. DORA benchmarks include:

• Independent parties must carry out annual resiliency and vulnerability testing. Regular threat-led penetration testing is also a requirement.
• DORA requires protection measures that are risk-based and comprehensive. DORA security measures include: taking a risk-based approach to network and infrastructure management; implementing appropriate and comprehensive policies for vulnerabilities such as patches and updates; using robust authentication mechanisms; and limiting the physical and virtual access to ICT system resources and data.
• Procedures are required that “detect, manage and notify ICT-related incidents and shall put in place early warning indicators as alerts.”
• Cybersecurity incident reporting is facilitated by having processes to monitor, describe, and report significant ICT-based incidents to DORA authorities.
• DORA requirements on management and security accountability cover essential cybersecurity management and response for information sharing.

DORA and financial services

The International Monetary Fund (IMF) has called for urgent safeguards to be used in the financial sector after an IMF survey showed the sector was at risk from weak defenses. The Bank of England concurs, finding in the bank’s H2 systemic risk survey that 74% of respondents see cyberattacks as the highest risk to the financial sector.

Frameworks and guidance like DORA are vital in helping financial institutions and their associated suppliers, such as ICT providers, understand how to manage risk. Research from the Verizon 2022 Data Breach Investigations Report (DBIR) recorded the most significant cyberthreats in the financial sector, such as data breaches, DDoS, and ransomware. The report points out that stolen credentials are integral to the success of most cyberattacks in the sector. The Commodity Futures Trading Commission pointed out recently that a 2022 survey of 130 global financial institutions found that 74% had at least one ransomware attack incident the previous year.

DORA and ICT providers

A key aspect of DORA is third-party risk management. According to the Verizon 2022 DBIR, the financial sector was the second-most popular target for supply chain attacks. DORA compliance sets out to change this and prevent cyberattacks on suppliers and financial institutions. The European Union Agency for Cybersecurity (ENISA) reported increased sophistication and volume of supply chain attacks, with attackers targeting the supply chain to steal data and financial assets. DORA coordinates requirements using existing frameworks such as the European Banking Authority (EBA) Outsourcing Guidelines.

Any ICT provider designated “critical” by a European Supervisory Authority will be subject to an oversight framework with stringent rules under the direct supervision of an appointed Lead Overseer.

Zero Trust solutions provide visibility across the extended network of suppliers, including ICT providers. Enforcement of security measures, such as least privilege and proactive control of sensitive areas and data, prevents data breaches and infection by ransomware.

Akamai provides a comprehensive solution family that covers certain requirements that may help achieve operational resilience in the financial sector. Akamai’s leading security solutions are recognized as best in class by our customers who use Akamai to protect critical assets. Our security portfolio has grown from a collection of point solutions to a comprehensive and powerful Zero Trust platform. Akamai’s world-class solutions provide the controls required to help meet stringent requirements, including managing the risk of ICT providers and protection of critical assets. Akamai’s Zero Trust security offers the type of comprehensive coverage needed to cover all types  of IT environments — regardless of asset type, traffic type (north-south, east-west), or legacy devices. Akamai provides deep visibility into your IT environment, critical assets, access requirements, and network flows across your entire infrastructure.

DORA is built upon previous work from the European Insurance and Occupational Pensions Authority (EIOPA), the European Banking Authority, and the European Securities and Markets Authority (making up the European Supervisory Authorities, or ESAs). DORA is important because of the digital transformation across the entire financial and insurance value chain. The regulatory requirements of DORA are needed to manage these new and emerging risks and to have the right type of measures and safeguards in place to prevent cyberattacks.

Reporting of cybersecurity incidents by covered entities is an important aspect of DORA. Covered entities must have processes in place to monitor, describe, and report significant ICT-based incidents to DORA authorities.

Also, the reporting rules for critical ICT providers are stringent, and include making an initial notification to the authorities followed by an intermediate report on how the incident resolution is progressing and a final report after root cause analysis has been performed. Guidelines regarding incident classification, mandatory reporting incidents, and reporting deadlines are currently being developed by ESAs.

DORA will apply from January 17, 2025, therefore, during this period, financial entities and critical third-party ICT service providers must move into go-live adherence to the legislation. To prepare your organization for DORA legislation adherence, covered entities should carry out a gap analysis to see if the existing deployed measures meet some or all applicable requirements.