The deadline for the Digital Operational Resilience Act (DORA) is fast approaching.
If you’ve clicked on this blog, you likely have some lingering questions about DORA and what it means for your organisation.
Don’t worry—you’re not alone. A lot of companies are still familiarising themselves with DORA’s requirements.
We’re here to clear up all of your questions with this comprehensive DORA guide. We’ll cover what it is, who it applies to, its timeline, how to prepare, and more.
What is DORA?
The Digital Operational Resilience Act (DORA), formally known as Regulation (EU) 2022/2554, was created to address a significant weakness in EU financial regulation.
Before DORA was created, financial institutions managed financial risks by setting aside funds to cover any losses they might suffer.
But there were many flaws in this approach. For one thing, this method didn’t cover all the ways operations could be disrupted—especially when it came to ICT-related issues like cyberattacks or IT failures.
DORA was created to fill this gap by mandating that organisations follow strict rules to protect against technology-related issues and threats. These measures include: protection, detection, containment, recovery, and repair.
What are the 5 pillars of DORA regulation?
Under DORA, businesses in the financial sector are required to comply with the following 5 key pillars:
- ICT risk management: Create and follow a comprehensive plan for managing all information and communication technology (ICT) risks.
- Incident reporting: Put systems in place to monitor, find, describe, report, analyse, and log significant incidents.
- Digital operational resilience testing: Regularly rest ICT systems to make sure they’re well-equipped to handle current and emerging cyber threats. Organisations must also update their practices based on the test results.
- Third-party risk management: Manage and monitor the risks associated with third-party ICT service providers like cloud service providers.
- Information and intelligence sharing: Share insights about ICT risks and incidents to increase collaboration and build resiliency against ICT threats in the financial sector.
Who does DORA apply to?
DORA applies to all companies in the financial sector that rely on technology to operate. These include banks, investment firms, insurance companies, credit institutions, payment service providers, and many more.
Under DORA rules, each organisation’s leadership is required to manage technology risks responsibly. This includes setting up proper risk management frameworks and overseeing their implementation. Leadership will also be responsible for keeping their ear to the ground about emerging ICT risks.
When will DORA be implemented?
DORA was entered into force on January 16, 2023, and will apply as of January 17, 2025. This two-year transition period was offered to give organisations and their third-party providers time to get everything in order for the new regulations.
By January 17, 2025, all financial institutions within the EU will need to be in full compliance with DORA. This means all the necessary measures to ensure operational resilience have been implemented.
How is DORA enforced?
The European Supervisory Authorities (ESAs) have the power to impose fines for noncompliance with DORA. Firms that violate DORA’s requirements can face penalties of up to 2% of their total annual worldwide turnover. Individuals who fail to comply with DORA face a fine of up to €1 million.
How to prepare for DORA
Still unsure what measures you need to take to be in compliance with DORA? Take the following steps:
#1 Establish an ICT risk management framework
Firstly, you need to create a complete ICT risk management framework. This will include:
- Pinpointing critical assets and the risks associated with them
- Putting protections like firewalls and encryption in place
- Monitoring threats in real time
- Updating your plan regularly to stay ahead of new risks
#2 Set up incident reporting processes
DORA mandates that organisations have clear procedures in place for reporting ICT-related incidents. These procedures include:
- Having clear definitions for different incident types
- Setting up communication channels for reporting incidents
- Creating incident response protocols
- Training employees on how to handle incidents
- Refining procedures based on feedback
#3 Test ICT systems
Under DORA, you’ll need to carry out regular tests (e.g., penetrations test, simulated cyber attacks) to find and fix any vulnerabilities in your defences.
DORA also requires that you regularly review your protocols to make sure you’re able to spot any emerging threats.
#4 Set up a third-party risk management system
DORA sets out regulations on how to manage the risks connected to third-party service providers. This covers companies that provide essential services like data management, cloud storage, and IT assistance.
To comply, you’ll need to carry out careful inspections of third-party vendors to make sure they can handle all risks before hiring them.
In particular, as SaaS applications become more widely used in financial institutions, it’s vital to securely back them up to prevent data loss and stay compliant with DORA.
#5 Establish a clear governance structure
DORA requires a clear governance structure to manage ICT risks. This structure needs to outline specific roles and responsibilities so everyone in the organisation understands the part they play in keeping operations resilient.
How does DORA affect data backups?
The backup, restoration, and recovery requirements for financial entities are outlined in Article 12 (Section 3) of DORA.
To be in compliance with the Article, EU businesses will need to be able to prove that they can:
- Restore backups to a different location, both physically (in terms of hardware or location) and logically (how the systems are set up or organised) from the original system.
- Protect backup data from unauthorised access and store it in such a way as to prevent any changes or corruption (immutable).
This means that to meet DORA regulations, all financial entities must ensure their backup, restoration, and recovery procedures meet the requirements outlined in the act.
A third-party backup is often considered the best way to achieve this, as it offers an independent and separate location for data storage.
BackupLABS—Helping you stay compliant with DORA data backup requirements
BackupLABS is here to help you prepare for January 17th. Before the deadline rolls around, we’ll make sure you’re in compliance with all regulations set out by DORA in regard to data protection.
We safely and securely back up data for popular SaaS applications like Jira, GitHub, Trello, Notion and GitLab. Rest assured, your data is safe, compliant, and always accessible when you choose BackupLABS.
Get started with BackupLABS today by signing up for a free 14-day trial.