Exploring DORA: Understanding the Impact of the EU's Digital Operational Resilience Act

Executive Summary: Navigating DORA Compliance

The Digital Operational Resilience Act (DORA), applicable from 17 January 2025, establishes a unified framework for ICT risk management across EU financial institutions and their ICT third-party providers. Noncompliance risks steep penalties: administrative fines set by each member state for financial entities and, for ICT third-party providers designated as critical, periodic penalty payments of up to 1% of average daily worldwide turnover imposed by the Lead Overseer. DORA sets strict and detailed requirements across ICT risk management, incident management and reporting, resilience testing, information sharing, and third-party risk management. The 1Exiger platform is a keystone of a DORA compliance strategy, with tools for identifying and monitoring ICT third-party risk and for documenting every dimension of the due diligence performed.

Introduction

From 17 January 2025, the Digital Operational Resilience Act (DORA) applies to financial services firms in the EU and to the technology suppliers that serve them.

The regulation, which serves as a unified framework for managing information and communication technology (ICT) risk within the financial sector, requires financial institutions to comply from the January 2025 application date and flows obligations down to their ICT service providers through mandatory contractual terms. Failure to comply exposes financial entities to supervisory penalties, and third-party providers designated as critical come under direct EU-level oversight.

Financial entities and their respective technology suppliers cannot afford to overlook the wide-reaching ramifications of DORA. In this article, we explore what DORA entails – its scope, main components, and the penalty for noncompliance – and how businesses can ensure DORA’s requirements are met.

What is DORA and Who Does It Impact?

The Digital Operational Resilience Act was formally adopted by the Council of the European Union and the European Parliament in November 2022, entered into force in January 2023, and applies from 17 January 2025. Financial entities and ICT third-party service providers had until that date to bring themselves into compliance before enforcement began.

DORA has two main objectives:

  1. To comprehensively address ICT risk management in the financial services sector.
  2. To harmonize ICT risk management regulations that already exist in individual EU member states.

In essence, DORA seeks to replace fragmented national regulations on ICT risk management with a single, comprehensive framework. Before DORA, ICT and security risk management guidelines did not apply to all financial entities equally – most ended up relying on general principles rather than specific technical standards.

By harmonizing risk management rules across the EU, DORA addresses the gaps, redundancies, and discrepancies that arise between the disparate regulations of its member states. In theory, one shared set of rules makes compliance easier for financial entities and improves the resilience of the EU financial system as a whole.

Who Does it Impact?

DORA applies to financial entities operating within the EU and third-party ICT providers that do business with them. The Act classifies 21 categories of financial services under its scope, encompassing a wide range of financial entities and service providers.

These include credit institutions, investment firms, crypto-asset service providers, management companies, credit rating agencies, and crowdfunding service providers.

What About Third-Party Providers?

Under DORA, ICT third-party providers that serve EU financial institutions inherit obligations through the contracts those institutions must now impose, and providers designated as "critical" by the European Supervisory Authorities come under direct EU-level oversight. This includes providers that are not headquartered in the EU: location-agnostic providers, including cloud service providers, data center providers, and data analytics providers, all fall under the Act regardless of where they operate from.

The technical requirements are written into the contracts between financial entities and their ICT providers. Overall, DORA puts ICT providers under greater oversight and scrutiny from both the financial services sector and EU financial authorities.

DORA Compliance and Penalties

Financial institutions must adapt their ICT systems and processes to meet DORA’s standards by the January 2025 deadline. They are required to review and potentially amend contracts with technology service providers to ensure compliance with DORA while also updating internal policies and procedures to meet DORA’s standards.

This means increased scrutiny and oversight of third-party ICT providers and more emphasis on ICT risk management, encryption controls, vulnerability management, and incident reporting.

Third-party technology providers in the EU or abroad must align their services and contractual terms with DORA to support their clients’ compliance needs. This means increased due diligence on existing operational and technical frameworks. Providers may also need to anticipate additional client demands, such as comprehensive incident response plans.

The Penalty for Noncompliance

DORA does not itself set a single EU-wide fine schedule for financial entities. Under Article 50, each member state lays down the administrative penalties and remedial measures its competent authorities may impose, so the maximum amounts vary by jurisdiction; the widely quoted figures of 2% of annual worldwide turnover for firms and seven-figure euro fines for individuals come from national implementing laws and comparable EU regimes rather than from the text of the regulation itself. Check the implementing law of each member state in which you are supervised.

What the regulation does fix is the sanction for ICT third-party providers designated as "critical" by the European Supervisory Authorities (ESAs). Under Article 35, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover for each day of noncompliance with its decisions, for up to six months. Financial entities that fail to report a major ICT-related incident are also subject to the national penalty regime.

What Are DORA’s Primary Requirements?

Under DORA, the ESAs designate an ICT third-party provider as "critical" based on the criteria in Article 31: the systemic impact that a failure of its services would have on the provision of financial services, the number and systemic importance of the financial entities that rely on it, the degree to which those entities depend on it for critical or important functions, and how easily the provider could be substituted.

The technical requirements for financial entities and ICT providers are established across five main pillars. Here’s what they are and how to meet them.

Pillar 1: ICT Risk Management

Requirements:

DORA requires that financial entities develop a comprehensive ICT risk management framework that identifies, assesses, and mitigates ICT risks. The framework should be integrated into the broader risk management system and governance policies. Some key aspects to note:

  • The ICT risk management framework shall include, at the very least, strategies, policies, procedures, ICT protocols, and tools deemed necessary to sufficiently protect all information and ICT assets. These include computer software, hardware, servers, and relevant physical components and infrastructures such as data centers.
  • DORA also requires that the management body of the financial entity define, approve, oversee, and be held responsible for the implementation of the ICT risk management framework.
  • The management body bears the ultimate responsibility for managing ICT risk and must set “clear roles and responsibilities” for all ICT-related functions and establish appropriate governance arrangements.
  • Covered entities must, among other critical steps, conduct continuous risk assessments on their ICT systems, document and classify cyber threats, and document their steps to mitigate identified risks.
  • Part of the risk assessment includes business impact analyses to assess how specific scenarios and severe disruptions might affect the business. These analyses must then be used to set levels of risk tolerance and shape the design of the ICT infrastructure.
  • Financial entities also need to establish business continuity and disaster recovery plans for multiple risk scenarios, including natural disasters and cyberattacks. Data backup, recovery measures, and system restoration processes must be included as well, along with plans for communicating with affected clients and the authorities.


How to Meet Them:

  • Conduct a Gap Analysis: Financial entities must evaluate current ICT frameworks to identify compliance gaps with DORA’s requirements.
  • Develop and Implement Frameworks: Establish a documented ICT risk management framework that outlines roles, responsibilities, and processes for ongoing risk assessment and mitigation.
  • Provide Regular Updates: Continuously update governance policies to reflect changes in the ICT landscape and emerging threats.

Pillar 2: ICT-Related Incident Management and Reporting

Requirements:

DORA also requires covered entities to establish ICT incident management and reporting systems for monitoring, managing, recording, classifying, and reporting ICT-related incidents.

The ICT-related incident management process must include the following:

  • Early warning indicators.
  • Procedures to identify, track, log, categorize, and classify ICT-related incidents according to their priority and severity.
  • Assigned roles and responsibilities that are activated in the event of an ICT-related incident, based on incident types and scenarios.
  • Plans for communicating the incident to staff, external stakeholders, and the media, as well as notifications to clients, procedures for handling complaints, and how information is passed to counterparts.
  • Reporting of at least major ICT-related incidents to relevant senior management and the management body, explaining the impact, the response, and the additional controls to be established.
  • Response procedures to mitigate impact and ensure services become operational and secure in a timely manner.

How to Meet Them:

  • Establish Reporting Procedures: Implement standardized procedures for detecting, managing, and reporting ICT incidents.
  • Use Standardized Formats: Develop templates for incident reports to ensure consistency and compliance with regulatory standards.
  • Timely Reporting: Report major ICT-related incidents to the national competent authority within the prescribed windows. Under the implementing technical standards, these are an initial notification within 4 hours of classifying the incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report.

Pillar 3: Digital Operational Resilience Testing

Requirements:

Covered entities must regularly test their ICT systems to evaluate the strength of the protections in place and to identify vulnerabilities. Entities must establish internal procedures to prioritize, classify, and remediate what the tests find, and for threat-led penetration testing the competent authority reviews the results and issues an attestation.

When conducting the digital operational resilience testing program, financial entities need to follow a “risk-based approach,” which considers the evolving landscape of ICT risk and other specific financial security risks. They also need to establish procedures and policies to prioritize, classify, and remedy all issues discovered during the testing.

Other key things to note:

  • Financial entities need to carry out appropriate tests on all ICT systems and applications supporting critical functions at least yearly.
  • The tests include vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, scenario-based tests, and penetration testing.
  • Financial entities identified as significant for the financial system will also need to undergo threat-led penetration testing (TLPT) at least every three years, carried out against live production systems in line with the TIBER-EU framework. ICT third-party providers supporting the functions in scope must participate in these tests.

How to Meet Them:

  • Annual Testing: Conduct annual resilience and vulnerability tests on all critical ICT systems.
  • Threat-Led Penetration Testing (TLPT): If applicable, perform TLPT every three years based on the firm’s risk profile.
  • Document Results: Maintain records of testing outcomes and remediation efforts to demonstrate compliance.

Pillar 4: Information Sharing

Requirements:

While not mandatory, DORA encourages covered entities to exchange cyber threat information and intelligence with one another, such as indicators of compromise; tactics, techniques, and procedures; and cybersecurity alerts.

This is with the aim of enhancing the overall digital operational resilience of the sector, along with raising awareness of cyber threats, limiting the spread of these threats, and improving threat detection.

The information sharing must take place within trusted communities of financial entities. The information shared this way must still be protected under relevant guidelines such as the GDPR.

How to Meet Them:

  • Participate in Information Sharing Networks: Engage in voluntary threat intelligence sharing initiatives while ensuring compliance with data protection regulations like GDPR.
  • Develop Incident Learning Processes: Create processes to analyze incidents and share insights with peers to improve collective resilience.

Pillar 5: ICT Third-Party Risk Management

Requirements:

DORA not only applies to financial entities but also to third-party ICT providers servicing the financial sector. Financial entities are required to manage ICT third-party risks as an integral component within their risk management framework. This includes multiple steps:


  • Financial entities must adopt and regularly review a strategy on ICT third-party risk, which must include a policy on the use of ICT services supporting critical or important functions provided by the third-party provider.
  • Financial entities are also required to maintain and update a register of information on all contractual arrangements for the use of ICT services provided by third-party providers, and to report at least yearly to the competent authority on new arrangements.
  • When outsourcing critical or important functions, financial entities must negotiate specific contractual provisions, such as full service-level descriptions, notice periods and reporting obligations, requirements to implement and test contingency plans and security measures, exit strategies, and more.
  • Financial entities may only contract with providers that comply with appropriate information security standards. Competent authorities are also empowered to require entities to suspend or terminate contracts that don't comply.
  • Third-party providers designated as critical are subject to oversight by the relevant ESA acting as Lead Overseer, which can issue recommendations, impose periodic penalty payments, and recommend that financial entities refrain from entering into arrangements with a noncompliant provider.

How to Meet Them:

  • Due Diligence and Monitoring: Conduct thorough due diligence on third-party providers and continuously monitor their compliance with DORA standards.
  • Contractual Obligations: Include DORA compliance clauses in contracts with third-party providers, specifying technical standards, audit and access rights, and exit strategies.
  • Oversight Frameworks: Track whether a provider has been designated as critical by the ESAs, and factor Lead Overseer recommendations and the provider's response to them into your own risk assessment of the relationship.

How Exiger helps meet these requirements

Financial services firms operating in the EU will have their hands full ensuring compliance with DORA, especially across their ICT third-party service providers. Don't risk noncompliance. Use 1Exiger Workflows to facilitate the onboarding, vetting, and monitoring of your ICT third parties.

What 1Exiger can do to help meet DORA requirements:

  1. Collect Essential Information
    1Exiger's configurable digital questionnaires make information collection easy and quick. With them, users can:
  • Track a subject's progress and refresh profiles with a click of a button.
  • Risk-rank third parties according to the results of due diligence.
  • Automate the workflow to collect the necessary information whenever you onboard a new ICT third party.
  • Collect evidence for each applicable security standard up front, so that responses can be verified during the later due diligence stage.
How this helps

Under Article 28 of DORA, as part of their ICT risk management framework, financial entities need to maintain and update a register of information pertaining to all contractual agreements on the use of ICT services provided by third-party service providers.

These contractual arrangements need to be appropriately documented, and entities need to distinguish between providers that cover critical ICT services and those that don’t.

  2. Automated, Conditional Workflows Based on Identified Risks, Questionnaire Responses, and the Nature of the Relationship

    Using layered and configurable scoring, 1Exiger Workflows measures risk against your company's tolerances and can be adjusted over time as your program evolves. 1Exiger can run conditional workflows for different types of risk and different vendors, mapped to the nature, scale, complexity, and importance of the ICT-related dependencies.

    It manages the sending and collection of information via questionnaires and can then initiate conditional workflows based on the answers to those questionnaires.

    This way, you can ensure that each ICT third party undergoes the right level of due diligence and monitoring for the nature of its relationship with your organization. The questionnaire answers are ingested into 1Exiger and incorporated into its real-time due diligence.

    1Exiger ensures that every ICT vendor receives due diligence proportionate to the nature of its work and relationship, and provides an easy-to-audit log to demonstrate that the correct due diligence was performed.

    Onboarding can have workflows and steps to verify that proper contractual provisions are in place.

Why this is important

DORA requires financial entities to manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework. They remain fully responsible for their own compliance with DORA regardless of what they outsource and, as such, may only enter into contractual arrangements with providers that comply with appropriate information security standards.

It is also down to the financial entity to terminate the contract where the ICT third-party provider significantly breaches applicable laws, regulations, or contractual terms. The same applies if monitoring identifies circumstances that could alter the provider's performance of the outsourced function (such as material changes), if the entity finds evidenced weaknesses in the provider's overall ICT risk management, or if the competent authority can no longer effectively supervise the entity as a result of the arrangement.

Applying the appropriate level of due diligence and monitoring to each ICT third party will be crucial to DORA compliance.

  3. 1Exiger provides real-time profiles of entities within the platform, giving you a first look at a subject's risk report across all seven dimensions of risk, including:
    • Cybersecurity Risk
    • Environmental, Social, and Governance (ESG) Risk
    • Product Risk
    • Reputational, Criminal, and Regulatory (RCR) Risk
    • Foreign Ownership, Control, & Influence (FOCI) Risk
    • Financial Risk
    • Operational Risk

    Escalate a matter to a fuller scope of due diligence or consult Exiger's team of global research analysts; both are just a click away.

  4. Perform Ongoing Monitoring

    Risk is not a point-in-time event. Monitor your business partners and quickly understand if/when new and noteworthy risk events come to light. Build and execute automated workflows to isolate and remediate new risks as they emerge.

    Monitoring third-party relationships can involve automated workflows to perform additional diligence, such as through additional questionnaires or reviews from other stakeholders.

    You can build in refresh events that recur at regular intervals. Many of our customers set their refreshes for every 6 months or 1 year to surface any new risk and address it accordingly.

Why this is important

Article 17 requires entities to establish systems for monitoring, managing, logging, classifying, and reporting ICT-related incidents. Additionally, as noted above, financial entities must terminate contracts with ICT service providers when monitoring reveals material changes that affect performance or security.

  5. Onboarding and Exit Strategy

    When a third-party relationship needs to be offboarded, 1Exiger provides offboarding workflows whose steps can be mapped to the exit strategy the organization has developed.

    Exiger workflows are tailored to the organization, so that if a cyber event occurs, additional due diligence and investigation workflows can be initiated to establish the true nature of the event. Where applicable, Exiger workflows can then automate an offboarding process mapped to the organization's DORA-compliant exit strategy.

Why this is important

DORA requires financial entities to have exit strategies for ICT services supporting critical or important functions. The exit strategies need to consider risks that may emerge at the level of ICT third-party service providers, such as a possible failure, deterioration of quality in service, business disruptions caused by the ICT service, or material risks in the continuous deployment of the ICT service.

At the same time, exit plans need to be comprehensive, documented, and sufficiently tested and reviewed periodically. Financial entities also need to have appropriate contingency measures to ensure business continuity in the event of a disruption.

Conclusion

DORA requires compliance teams to overcome the challenge of effectively managing the risk of a company’s global third-party network of ICT providers whose partnership is critical to continue driving growth. As regulation and data continue to grow in volume and complexity, compliance teams need scalable solutions to evolve with the needs of their program.

1Exiger puts security and compliance teams in control to propel your business forward safely and cost-effectively. 1Exiger delivers automated, AI-native third-party risk management with intuitive workflows, a comprehensive risk model, thorough due diligence, and ongoing monitoring to meet DORA requirements and make informed business decisions.
