Dora

Creating a bulletproof financial sector

Are you ready for DORA?

DORA – the Regulation on digital operational resilience for the financial sector is a lex specialis of the NIS2 Directive and is directly applicable to the member countries of the European Union.

Everything you need to know about this Regulation, which will enter into force in 2025, has been put together in one document. Download it now to stay informed and ensure timely compliance.

What is DORA?

DORA (Digital Operational Resilience Act) is a European Union regulation aimed at improving the digital operational resilience of the financial sector. It was introduced to establish common standards and rules for information and communication technology (ICT) risk management and incident reporting. It will apply as of January 17, 2025.

Who is liable for DORA?

All financial institutions in the EU and their ICT service providers, depending on the number of employees, annual turnover and balance sheet. Liable entities include:

  • credit institutions
  • payment institutions
  • account information service providers
  • electronic money institutions
  • investment firms
  • crypto-asset service providers
  • central securities depositories
  • central counterparties
  • trading venues
  • trade repositories
  • managers of alternative investment funds
  • management companies
  • data reporting service providers
  • insurance and reinsurance undertakings
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • institutions for occupational retirement provision
  • credit rating agencies
  • administrators of critical benchmarks
  • crowdfunding service providers
  • securitization repositories
  • ICT third-party service providers

Why is DORA important?

The financial sector has become dependent on information technologies, which has sharply increased the technology, information security and cybersecurity risks it faces. Strengthening the digital resilience of the financial sector against ICT-related incidents is DORA's fundamental goal.

DORA brings us:

Improving resilience to cyber threats.

DORA establishes strict standards for managing cybersecurity, requiring financial institutions to implement robust measures for detection, prevention, and response to cyber attacks. This helps reduce the risk of financial losses, business disruptions, and reputational damage due to cyber incidents.

Increasing trust and market stability.

By implementing the operational resilience measures outlined in DORA, financial institutions contribute to the overall stability and integrity of the financial market. This increases the confidence of consumers and investors in the digital infrastructure and services, which is crucial for maintaining the health of the financial sector.

The impact of DORA on liable entities is reflected in the need for a detailed assessment of:

  • existing ICT and security processes
  • investments in enhancing technological infrastructure
  • staff capabilities for managing and reporting on cyber risks

Additionally, the regulation encourages cooperation within the sector and with regulatory bodies, which helps organizations adapt to a rapidly changing cyber threat environment.

DORA administrative penalties and remedial measures

Competent authorities are responsible for determining the type and level of administrative penalties or remedial measures.

Parameters to be considered are:

  • the materiality, gravity and the duration of the breach,
  • the degree of responsibility of the natural or legal person,
  • the financial strength of the responsible natural or legal person,
  • the importance of profits gained, or losses avoided by the responsible natural or legal person,
  • the losses for third parties caused by the breach,
  • the level of cooperation of the responsible natural or legal person with the competent authority,
  • previous breaches by the responsible natural or legal person.

Specific penalties will be defined in Croatia's Transposition Act.

Penalties for third parties, ICT service providers

On the other hand, DORA clearly defines monetary penalties for ICT third-party service providers. For a critical ICT third-party service provider, the monetary penalty can amount to up to 1% of its average daily global turnover in the previous fiscal year. The penalty is imposed on a daily basis for a maximum period of six months, until compliance is ensured.

How to comply with DORA?

The five pillars of DORA compliance:

  1. ICT Risk Management
  2. Resilience Testing
  3. ICT Incident Management
  4. Third-party Risk Management
  5. Information Exchange

If you have already implemented international standards such as ISO/IEC 27001, you have a head start.

The requirements are similar to those of the NIS2 Directive because they cover similar areas, but they are nonetheless stricter, reflecting the higher maturity level of the financial sector.

DORA sets robust rules for achieving digital operational resilience for liable entities, which is why a strong emphasis is placed on digital operational resilience testing using advanced methods such as Threat-Led Penetration Testing (TLPT) at clearly defined intervals.

Third-party risk management is also one of the areas facing significant change, since it has not previously been regulated at this level.


Compliant and secure with Diverto’s approach to DORA

The beginning of your journey towards compliance with DORA depends on the current maturity level of your information and cybersecurity management system.

We implement measures to achieve compliance through three groups of activities:

  • Governance
  • Resilience testing
  • Monitoring and continuous defense


Given that managing information and cybersecurity is an ongoing process, it is necessary to periodically verify the initial compliance assessment and determine further steps for enhancing the implemented controls.

Find out how each stage of this Diverto approach helps you align with DORA and, ultimately, establish a high level of security for your business.

Limited time for robust DORA requirements

DORA is directly applicable to the member countries of the European Union and will fully apply from January 17, 2025.

It prescribes administrative penalties and remedial measures for financial institutions, as well as monetary penalties for critical ICT third-party service providers.

Everything you need to know about DORA has been put together in one document. Download it now to stay informed and ensure timely compliance.