The EU’s Digital Operational Resilience Act and Cybersecurity Implications
The stakes for operational resilience in an increasingly digital landscape are higher in financial services than in many other industries. By January 17, 2025, the EU’s comprehensive new ICT risk management framework, the Digital Operational Resilience Act (DORA), mandates that financial entities and their most important third-party service providers implement a series of technical standards to ensure the financial sector’s operational resilience against cyber threats. Here’s an overview of DORA and its key cybersecurity implications.
What Is the Digital Operational Resilience Act and Why Is It Being Introduced?
Whether you think of banks, insurance companies, investment firms, or crypto-asset service providers, cybercrime poses high societal and economic risks in the financial sector. In fact, 82 percent of Chief Risk Officers (CROs) at European banks highlight cybersecurity as their company’s biggest risk in 2024.
One compelling motivation for introducing the Digital Operational Resilience Act (DORA) is to reflect the growing cyber risks in financial services. It’s not just that financial entities are prized targets with potentially hefty paydays for profit-hungry hackers. Growing risks also come from geopolitical instability, with state-sponsored hackers potentially targeting the European financial system. And there are of course continued issues with complex supply chain attacks, such as 2023’s MOVEit breach that resulted in the exposure of Deutsche Bank customer data.
DORA’s introduction also marks a shift away from the fragmented regulatory landscape previously shaped by individual EU member states. Formerly, a patchwork of rules at the member state level made digital operational resilience awkward to understand and navigate for financial entities.
So a big part of the impetus behind this regulation is moving towards a unified and comprehensive framework at the EU level with standardized practices that everyone can follow. Regulatory centralization not only addresses the complexities and challenges of digital operational resilience in a harmonized manner, but it also reflects the interconnected and digital nature of today’s financial markets.
Key Cybersecurity Implications of the Digital Operational Resilience Act
Here are some of the key cybersecurity implications that financial entities and key third-party providers (such as cloud service providers) need to understand. These implications cover policies, procedures, and operational measures.
Effective Risk Management and Governance
DORA requires a robust framework for ICT risk management and governance. In practice, this means considering cybersecurity in the broader context of organizational objectives. The regulation emphasizes the need for management’s active involvement and accountability in overseeing ICT risk management. So board members and other executives need to both define their ICT risk management strategy and be actively involved with its execution.
The aim here is clear: the focus on senior management involvement addresses the common problem of cybersecurity being siloed or not fully integrated into a company’s broader business strategy. By elevating cybersecurity to the level of governance and strategic planning, DORA aims to bridge the gap between technical cybersecurity measures and business objectives.
Practicing Incident Response
When cyber attacks hit financial companies, there is always a worry that the damage spreads systemically, from affecting one bank or insurance company to crippling the entire system. This creates a need for effective incident response that ensures the timely detection, reporting, and management of cybersecurity incidents.
Under DORA, financial entities need to develop and implement comprehensive incident response plans. Within these plans are clear definitions of what counts as a cybersecurity incident. You must also regularly test and update these plans to ensure their effectiveness in the face of real-world cyber threats. Another aspect is specific timelines for reporting serious incidents, although these timelines have yet to be published by European Supervisory Authorities (ESAs).
The goal here is to foster a proactive approach to cybersecurity. Good incident response reduces the impact of cyber incidents on operations and customers while also helping with the collective stability of the financial sector.
Third-Party Risk Management
DORA’s emphasis on third-party risk management highlights the significant reliance within the financial sector on third-party service providers, including cloud service providers for important ICT functions. The rules call for mapping out third-party dependencies, negotiating contractual arrangements about accessibility, integrity, and security requirements, and not relying on a single provider or small group for any critical ICT function.
Using third-party services is obviously a good thing from the perspective of digital transformation, but it can also introduce extra vulnerabilities and complicate the risk landscape in the financial sector. The rules here clearly intend to reduce the risk of cyber incidents stemming from third parties. In fact, the entire regulation is also mandatory for the suppliers of ICT services to companies in the financial sector.
Digital Operational Resilience Act Testing
DORA mandates regular and rigorous testing of digital operational resilience. This includes vulnerability assessments and simulated attack scenarios that test the effectiveness of defenses (e.g. pen tests). For companies of systemic importance to the financial sector or of sufficient maturity, there’s a need to conduct threat-led penetration testing (TLPT) every three years.
These rules not only help identify vulnerabilities and gaps in cybersecurity defenses but also facilitate continuous improvement and strengthening of digital operational resilience. The need for testing under DORA underscores the importance of a proactive and dynamic approach to cybersecurity that moves beyond just compliance toward achieving genuine operational resilience.
DIESEC Testing Services
DIESEC’s penetration testing service helps companies meet their regulatory obligations and their general need for cyber resilience. Our expert team conducts white-box, black-box, and grey-box tests. You can also engage our red teaming exercises to simulate a realistic cyber attack against your company’s defenses.