DORA Compliance Is Here: What Financial Entities Should Know


What Does DORA Regulate?

DORA applies to a wide range of financial entities operating in the EU, including banks, insurers, investment firms, and payment institutions. It also reaches ICT third-party service providers, such as cloud and data providers, that are designated as critical to the financial sector and therefore fall under direct EU oversight. Essentially, any organization that provides key ICT infrastructure for financial services will be required to comply with some or all of DORA’s operational resilience standards.

What Does DORA Aim to Achieve?

DORA’s primary goal is to enhance the digital resilience of the EU’s financial sector by ensuring that firms are well-prepared to handle and recover from Information and Communication Technology (ICT) disruptions. The regulation establishes a framework for cybersecurity and operational risk management across financial institutions, focusing on reducing the potential impact of cyber threats and system failures.

What Are DORA’s Security Requirements?

DORA mandates several key cybersecurity and operational resilience requirements for financial entities:

  1. Risk Management Framework: Firms must maintain a documented ICT risk management framework, approved and overseen by the management body, to identify, assess, and mitigate ICT risks.
  2. Third-Party Risk Management: Financial entities must ensure ICT third-party service providers adhere to DORA’s security standards, including mandatory contractual provisions, a register of information covering all ICT third-party contractual arrangements, and ongoing monitoring and due diligence.
  3. Digital Resilience Testing: Firms must run a digital operational resilience testing programme, including regular penetration tests and other stress tests of ICT systems. Entities identified by their competent authority must additionally perform threat-led penetration tests (TLPT) at least every 3 years, based on Regulatory Technical Standards (RTS) for TLPT expected to be adopted by the European Commission in early 2025.
  4. Incident Reporting: DORA mandates a clear process for classifying ICT-related incidents and reporting major ones to the competent authority within specified timeframes, structured as an initial notification followed by an intermediate report and a final report.
  5. Information Sharing: The regulation does not require, but encourages, entities to share cyber threat intelligence to bolster collective cybersecurity efforts across the financial sector.

How Does a Covered Financial Entity Demonstrate Compliance, and What Happens if it Doesn’t Comply?

Covered entities must ensure they meet DORA’s security standards by implementing appropriate risk management practices, third-party oversight, and resilience testing. DORA itself does not set fixed fine amounts for financial entities; instead it requires each EU Member State to lay down effective, proportionate and dissuasive administrative penalties in national law, and permits Member States to provide for criminal sanctions as well. Such national penalties may include fines of up to 2% of an entity’s total annual worldwide revenues or up to 1 million euros, and even steeper penalties of up to 5 million for critical ICT third-party providers. Separately, the regulation empowers the Lead Overseer to impose periodic penalty payments on critical ICT third-party providers that fail to comply with its measures. Entities must also be able to evidence their compliance to competent authorities: reporting major ICT incidents, keeping the register of information on ICT third-party arrangements available on request, and documenting the results of their resilience testing.

When Do These Requirements Take Effect?

DORA entered into force on January 16, 2023, and the full compliance deadline was January 17, 2025.

What’s the Likely Impact of These New Requirements?

DORA’s implementation will likely enhance the overall security posture of the EU financial sector by requiring financial entities to adopt stronger risk management frameworks and resilience practices. The regulation will also increase transparency, as firms must disclose to competent authorities information about their cybersecurity measures and third-party relationships. Overall, DORA aims to ensure that financial institutions are better prepared to handle emerging cyber threats, ultimately protecting consumers and the financial system as a whole.

We Might Be Subject to These New Requirements—What Should We Do?

With the January 17, 2025 deadline already passed, financial entities should review their existing cyber security policies and practices to ensure they meet DORA’s requirements.

HackerOne offers a comprehensive suite of security solutions designed to help financial services organizations meet DORA compliance requirements. Our portfolio includes CREST-accredited Pentest as a Service (PTaaS), Code Security Audits, Bug Bounty programs, and Spot Checks. This integrated approach aligns with DORA’s mandates for regular and comprehensive digital operational resilience testing, as outlined in Articles 24 and 25, and supports the ongoing identification and mitigation of ICT risk that the risk management framework requires.

Contact HackerOne to learn more.
