By Manuel Sanchez, Information Security and Compliance Specialist, iManage
When the Digital Operational Resilience Act (DORA) was announced in 2020, it immediately started a loud countdown timer in the minds of many financial services providers in the European Union.
Scheduled to go into full force on January 17th, 2025, DORA is aimed at enhancing the resilience of financial entities against information and communication technology (ICT) disruptions.
The legislation impacts a broad swath of organisations within the EU — everyone from banks and insurance companies, to accountancies, payment service providers, and even cryptocurrency exchanges.
This legislation comes with teeth, as well: non-compliance with DORA can lead to significant penalties, ranging from fines, to operational restrictions, to legal consequences for entities that persistently remain non-compliant. This is to say nothing of the reputational damage of non-compliance, which can lead to a loss of trust among clients and partners and potentially even lost business.
Given these high stakes, it’s worth taking a closer look at what exactly DORA entails — and how organisations can ensure compliance.
Wide-spanning requirements for financial entities
Broadly speaking, DORA’s objective is to properly manage ICT risks that could lead to disruptions of financial services offered across borders — disruptions that could, in turn, impact other companies, other sectors, and the larger economy.
To that end, DORA introduces several key requirements for financial entities around: ICT risk management; incident reporting; operational resilience testing; third-party risk management; and information sharing.
These are wide-spanning requirements – which means that financial services organisations need to take a mindful approach to the processes and systems they rely on if they want to ensure compliance with the main pillars of DORA.
Start with systems
At a foundational level, organisations should start with a document management system (DMS) to house their documents and emails. Keeping sensitive content in a single repository simplifies its management, limits exposure to ICT risk, and enhances the organisation’s ability to govern that data effectively.
Beyond document management, organisations should be able to control user access through adaptive policies, deploying information barriers at scale to protect sensitive documents, and should run a threat monitoring system that detects unusual or malicious behaviour across all content in the DMS, including audit reports. Additionally, a records management system enables effective records governance and the enforcement of retention policies on those records, including defensible disposition.
Together, these foundational systems, fully integrated with the DMS, can go a long way towards establishing a secure, resilient infrastructure that supports DORA compliance.
Standards demonstrate a commitment to compliance
While DORA itself does not specify particular accreditations or certifications that financial services providers or their vendors need to obtain, embracing certain recognised industry standards and certifications demonstrates a commitment to DORA requirements.
For example, ISO/IEC 27001 (Information Security Management Systems) aligns with DORA’s requirements for safeguarding data and ensuring security, helping to address critical aspects of DORA around risk management, asset management, access control, incident management, and compliance.
Additionally, ISO/IEC 22301 (Business Continuity Management Systems) provides a framework for responding to disruptive incidents, including business continuity planning, risk assessment, disaster recovery, and crisis management — all of which support DORA requirements around operational resilience.
Meanwhile, ISO/IEC 27017 (Cloud Security) and ISO/IEC 27018 (Cloud Privacy) provide controls specific to cloud environments, including data privacy, customer data protection, and cloud security incident management, helping to demonstrate robust cloud security practices that address DORA requirements around ICT risk management.
Complying with the core functions of the NIST Cybersecurity Framework (CSF) – which are Identify, Protect, Detect, Respond, and Recover – supports DORA’s requirements for operational resilience and incident response.
SOC 2 (System and Organization Controls) provides the ability to monitor system operations, protect against data breaches, and ensure that processing is timely and authorised — helping to effectively manage ICT risks, per DORA requirements.
Additionally, there are widely adopted best practices (rather than official standards or certifications) that signal a commitment to DORA principles, such as the CIS (Center for Internet Security) Controls. Adherence to CIS Controls — such as basic cyber hygiene, foundational controls, and organisational controls that can mitigate risks and ensure resilience — can demonstrate adherence to the key security practices outlined in DORA.
While these certifications and standards can significantly contribute to demonstrating compliance with DORA, organisations should understand that DORA compliance is not solely about “ticking boxes” around various standards, certifications, or best practices.
DORA requires a holistic approach to managing ICT risk and operational resilience, which involves integrating these standards into a comprehensive risk management framework, continually assessing and improving processes, and maintaining robust governance and oversight.
The time is now
The deadline for DORA compliance is looming, which means the time is now for European financial services organisations to ensure readiness for this significant piece of legislation. Aside from adapting to a new reality that embraces a secure-by-default posture with continuous monitoring and rapid response, they should also take a careful look at the systems they rely on for storing and managing their most sensitive content – as well as the standards, certifications, and best practices those systems embrace. Financial services providers can then adapt and move forward with confidence in this new regulatory environment.