OTRS is now part of Easyvista. Stronger together!

DORA: How cyber security works in the financial sector

Background

The DORA regulation means additional work for companies in the financial industry, but it is also an important opportunity. It’s a chance to increase their cyber resilience, respond effectively to incidents and achieve a consistently high level of security.

More and more incidents and sophisticated attacks make it necessary to establish effective protection and counter cyber threats more effectively.

You can find out more about the background to DORA here.

What is DORA?

The Digital Operational Resilience Act (DORA) is an EU regulation designed to strengthen digital resilience in financial companies and their infrastructures. DORA lays down uniform rules to ensure that the organizations are armed against cyber attacks and other IT-related risks.

The regulation bundles and harmonizes rules from other EU regulations and directives. It stipulates that comprehensive adoption of IT and risk management systems is required. It came into force on January 17, 2025.

What does DORA require?

The Digital Operational Resilience Act is intended to strengthen the digital resilience of the entire European financial sector.

Its main contents are as follows:

  1. Risk Management: To identify, manage and monitor IT risks, financial companies need to implement robust systems and processes.
  2. Reporting obligations: Companies must document and report IT disruptions and cyber attacks.
  3. Third-party provider management: Strict rules apply for dealing with critical third-party providers of IT services, such as a critical ICT (information and communications technology) third party. Here, companies must establish information sharing arrangements and ICT third party risks must be evaluated.
  4. Regular IT tests: To identify potential vulnerabilities, companies must regularly test their digital systems for weaknesses.
  5. Uniform framework: There is harmonization of requirements within the EU to avoid fragmentation.


Who is affected by DORA?

As a European regulation, DORA primarily affects financial companies. Those affected include:

  • Banks
  • Insurance companies
  • Investment companies
  • European Securities and Markets Authority
  • European supervisory authorities
  • Payment service providers
  • Providers of critical ICT services

In addition, it includes supervisory authorities and regulatory bodies, such as the European Insurance and Occupational Pensions Authority. Even smaller financial players that may be indirectly affected by cyber risks, and their service providers, must comply with DORA standards.

The regulation affects a broad target group and focuses on the overall interdependencies within the financial sector. IT disruptions affecting one particular player could have an impact on the entire sector. For this reason, all parties involved must be resilient to cyber risks.

What is the impact of DORA?

Broadly speaking, there are two possibilities: Either companies and organizations see DORA as a challenge or as an opportunity.

DORA as a Challenge

The regulation poses challenges, as it generally takes a long time to comply. With two years between its entry into force on January 17, 2023 and its application on January 17, 2025, this should be completed by now. Nevertheless, problems may arise. Financial companies must consistently ensure a high level of maturity in terms of cyber security and operational resilience.

DORA leads to new requirements such as penetration tests (simulated hacker attacks) and other stricter security measures. In addition, companies and their service providers must precisely clarify and monitor mutual dependencies: For example, companies are responsible for ensuring that third-party providers and ICT third party service providers are resilient, particularly in the case of critical business processes. This only works if they work closely with IT service providers.

In short, in order to do justice to DORA in the long term, companies have to invest a great deal of effort – and keep a close eye on the security of the systems they use.

DORA as an Opportunity

On the positive side, DORA will keep companies safer. After all, resilience is not only important, it is a key competitive advantage.

In other words, it never hurts to protect yourself comprehensively – especially when the threat level is constantly increasing.

Critical attacks that not only threaten sensitive data but can also cause significant economic damage happen all too quickly.

Companies that already meet other regulatory requirements are generally better positioned to implement DORA easily than those that do not.

The following opportunities exist:

  1. Improving resilience and security: By implementing the DORA regulation, companies effectively increase their cyber security and resilience against attacks. They experience a lower risk of IT outages, cyber attacks and other incidents. They keep themselves safe in the event of ICT related incidents too.
  2. Harmonization and economies of scale: The EU-wide uniform framework enables companies operating across borders to optimize and standardize their processes. They benefit from fewer administrative hurdles and economies of scale.
  3. Competitive advantages: A high level of digital resilience acts as a quality feature and trust factor for customers, partners or investors. Those who can cope well with possible attacks and outages stand out from the competition.
  4. Holistic control: Third-party provider management enables companies to better understand their dependencies and take appropriate measures at an early stage to minimize any risks arising from external service providers.
  5. Innovation incentives: As affected companies sometimes have to invest in new technologies and processes, they are given the opportunity to build an efficient and future-proof IT infrastructure.

Best Practices for Enhancing Cybersecurity

The Digital Operational Resilience Act is forcing affected companies to increase their own IT security. However, it also makes a lot of sense to invest in cyber security independently of any regulation. Doing so arms you against attacks and incidents. It also provides stability, a stronger competitive position and increased trust.

It is therefore worthwhile – even for companies outside of the financial sector – to comprehensively review their IT security, embrace digital operational resilience testing and make the associated investments.

The following best practices can help.

Best practice #1: Implement structured cyber defense

In an emergency, IT, security and management teams need to communicate with each other in a secure and structured manner. Predefined and proven processes save time and avoid errors. An adequate cyber defense solution not only provides everyone involved with a quick overview and automates workflows, but also promises absolutely secure encryption and extended compliance functions.

Best practice #2: Rely on suitable IT services

Commissioning IT services from external providers gives companies more room to manoeuvre and therefore also improves their ability to react flexibly to security incidents. Good scalability, easy access to specialist knowledge, a lower workload and professional IT management are just some of the benefits. This is particularly important when working with a critical ICT third party.

Best Practice #3: Provide IT asset management

IT asset management describes the systematic management of IT assets – such as computers, software, networks and important information. By managing this centrally, information silos and risks can be avoided.

Best Practice #4: Create an incident response plan

With a sophisticated emergency plan, it is possible to respond quickly and appropriately to security incidents. Preparing for possible threats is crucial for a high level of cybersecurity. An Incident Response Plan (IRP) typically includes roles, responsibilities, escalation paths, communication protocols and technical steps to deal with security incidents.

Best Practice #5: Analyze and monitor threats

The best defense is to prevent a threat from emerging in the first place. It is therefore advisable to monitor networks for unauthorized activities and implement appropriate systems. Those who use threat intelligence to collect, analyze and disseminate data on threats can react quickly and neutralize them before they become acute.

Best Practice #6: Secure IoT devices

The Internet of Things (IoT) has become very important – and continues to expand. However, it also entails a number of security risks. To protect yourself as much as possible, standard passwords should not be used for the relevant devices and the software should be updated regularly. It is also advisable to deactivate unnecessary functions and services.

Best Practice #7: Work with ethical hackers

No one can thwart a successful hacker attack as well as hackers themselves. Engaging ethical hackers to test your own systems is the best way to reach the highest possible level of security.

Essentially, there are two possible outcomes:

  • Ethical hackers do not find relevant vulnerabilities, which is strong reassurance that a system is secure.
  • Relevant vulnerabilities come to light so that the organizations concerned can eliminate them before an emergency occurs.

More practices

In addition, there are lots of other steps that can be taken by businesses seeking to keep their people, processes and tools safe, including:

  • Multi-factor authentication
  • Regular software updates
  • Regular review of access rights
  • Regular backups of critical data
  • Secure handling of emails

The Right Software Can Help

When it comes to cyber security, it’s all about having the right software, in two ways:

  1. The software used must be secure and legally compliant.
  2. Special security solutions are needed – especially in the DORA sector and for critical infrastructure (KRITIS) – in order to provide comprehensive protection and to be able to react quickly and appropriately to possible incidents.

The right software support gives organizations peace of mind, effectively helps them comply with all regulations and proves invaluable when actual incidents occur.

How software solutions increase protection

Security and compliance are among the core requirements for software solutions. However, adequate protection is not a given. Compliance with the General Data Protection Regulation (GDPR), using secure servers in Europe, enabling comprehensive authentication and applying advanced security methods form a good standard.

Systems should also be audit-ready, with uneditable documentation of mitigation activities, so that every action step and communication is recorded in an official log. Systems should also be equipped with automated backups.

Overall, a strongly protected cloud solution without compliance risks, for example, can quickly put organizations on the right path. Those who rely on a professionally managed and comprehensively monitored solution usually increase protection much more efficiently than through internal security measures alone. This creates a good basis for complying with regulations such as DORA and significantly minimizes the risk of attacks and incidents.

Why special cyber defense solutions are so important

There is no shortage of cyber risks or security vulnerabilities. Organizations need to be prepared for the worst, regardless of how secure their IT systems and security measures already are. The threat level is increasing and the DORA regulation clearly shows that a robust cyber defense solution is highly recommended.

This is not only about handling security incidents as effectively as possible and being able to communicate in a structured manner between the teams involved, but also about pushing security to the highest possible level – right up to meeting military standards.

Conclusion: See DORA as an opportunity

Regulations such as DORA cost organizations a lot of time, money and nerves. It is not always easy to comply with them in every respect. Regulations often do not have a positive connotation and many people doubt their usefulness.

Now, however, DORA brings together existing regulations and thus reduces the “regulatory madness” to which many organizations are exposed. In addition, the financial sector – including the areas that interact with it – has high security standards already. DORA is simply a good impetus for meeting these. In other words, the regulation is a challenge, but even more so an opportunity to implement steps that can be invaluable for practical reasons, given the high threat level.

In today’s business world, security and compliance depend heavily on the software solutions used. So making the right choices in this area, implementing comprehensive protection features and keeping everything up to date provides an excellent basis for consistently complying with regulations such as DORA.
