With the DORA Act coming into effect in early 2025, many companies in the financial sector are gathering information about how to comply with these important regulations around IT* resilience.
In particular, working with third-party IT providers is subject to strict DORA compliance rules and an area of concern for many organisations.
In this post, we provide an overview of DORA, what it entails, who is subject to the regulations and how to work responsibly with third-party IT organisations.
Intersys is an ISO 27001-certified, security-first managed service provider assisting highly regulated industries. We have comprehensive knowledge of EU regulations and have systems in place to ensure full DORA compliance.
You can find out more about us at the end of the article, including contact details.
*Note we use the term ‘IT’ rather than ‘ICT,’ which is used in some DORA communications. The terms should be considered synonymous.
What is the DORA Act?
Introduced by the European Union (EU), the Digital Operational Resilience Act (DORA) is a risk-management framework for organisations in the financial sector. It includes technical standards that financial organisations and their third-party IT partners must integrate by 17 January 2025.
DORA compliance is mandatory and all organisations covered by the guidelines must follow the rules. These include ‘financial entities’ such as investment firms, credit institutions, electronic money institutions, crypto-asset service providers, and insurance and reinsurance providers.
Is DORA applicable in the UK?
DORA is likely to apply to any financial firm in the United Kingdom that works with customers in the EU or undertakes business with financial firms in the EU.
Why has it been introduced?
DORA is designed to create a shared set of rules across the financial services sector to address IT risk management and increase digital resilience. To understand the emphasis on ‘shared’, a bit of background is necessary.
Prior to DORA, the EU primarily focused on making sure that businesses had adequate capital cover to account for operational risk. While there were guidelines, they were wide in scope and relied on general principles rather than particular standards and actions. Individual member states stepped into this gap, providing their own specific rules. The result was a patchwork of recommendations, with many gaps, overlaps and conflicts between the various rules.
DORA’s aim is to refine and systemise these requirements into one universally acknowledged set of rules, to improve compliance and resilience and set a uniform standard.
What are the five pillars of DORA compliance?
DORA compliance covers five areas of technical requirements, four of which are mandatory. The fifth is recommended.
- IT Risk Management
- IT-Related Incident Reporting
- Digital Operational Resilience Testing
- Management of IT Third-Party Risk
- Information and Intelligence Sharing
We’ll look at each in turn, but bear in mind this is not an exhaustive list of criteria. Also, DORA is a developing story at the time of writing and some of the detail is still to be announced.
1. IT risk management
The management body of a financial organisation is accountable for IT risk strategies. It must define, approve, oversee, and take responsibility for IT policies, governance and strategies. This includes implementing and regularly reviewing IT continuity, response and recovery plans. It must also manage third-party service provider policies and monitor related risks, and stay updated on IT risk through ongoing training.
Mandatory duties include:
- Creating and maintaining an IT risk management framework. This must cover policies and procedures to protect IT assets and infrastructure. It must outline a digital operational resilience strategy, including necessary architecture, mechanisms, and testing protocols. It must also be reviewed annually and after significant IT incidents.
- Identifying and documenting all IT-related functions, roles, risks and assets, including those at remote sites. This includes logging dependence on third-party IT providers.
- Continuous monitoring and control of IT system security. Organisations must implement security policies, procedures and protocols to ensure resilience, continuity and data protection.
- Creating mechanisms to detect anomalous activities, such as network issues and cyber incidents. Sufficient resources should be allocated to monitor user activity and IT incidents, especially cyber attacks.
- Establishing a comprehensive IT business continuity policy, including response and recovery plans, which should be tested annually. This includes backup and recovery procedures to ensure minimal disruption and data loss.
- Continuous improvement. Organisations should gather information on vulnerabilities and cyber threats, incorporating lessons learned into their IT risk assessments. Regular reporting to management and continuous staff training on IT security and resilience are required, and this training extends to relevant third-party service providers.
- Effective communication policies for internal staff and external stakeholders are vital. These policies should differentiate between those directly involved in IT risk management and those who need to be informed.
2. Incident response and reporting
As part of DORA compliance, businesses must introduce systems to monitor, manage, log, classify and report IT-related incidents. Depending on the severity, they may need to report an incident to regulators and to affected clients and partners. For critical incidents, they will need to submit three types of report: an initial report to notify authorities, a progress report on resolution measures, and a final report analysing the root causes.
3. Digital operational resilience testing
Organisations must regularly test IT systems to check their security and locate any weaknesses. The results, along with plans to fix problems, will be reported to the proper authorities.
Each year, entities must undertake basic tests such as vulnerability assessments and scenario-based testing. ‘Critical’ financial entities also need to carry out threat-led penetration testing (TLPT) every three years, and their critical IT providers must participate in these tests too. Guidelines for TLPTs are expected soon and will likely follow the TIBER-EU framework for ethical hacking.
4. Third-party risk management
This next point reveals the wide scope of the regulations and the need for organisations to find reliable and DORA-compliance-ready IT partners.
DORA covers both financial organisations and their IT providers. Financial firms must actively manage third-party IT risks. When outsourcing key functions, they must negotiate specific contracts addressing exit strategies, audits, and performance targets for security and accessibility.
Financial organisations cannot work with IT providers who fail to meet these standards – in fact, authorities can suspend or terminate non-compliant contracts. The European Commission may create standard contract clauses to ensure compliance.
Financial institutions must track their third-party IT dependencies and avoid relying too much on a single provider. Critical IT providers will be directly overseen by relevant European Supervisory Authorities. The European Commission is defining criteria for these critical providers, who will have a designated lead overseer. Lead overseers can enforce DORA rules and prevent non-compliant providers from contracting with financial firms.
To give some idea of the scope of these contractual arrangements and the responsibilities placed on third-party IT providers, contracts will need to include the following:
- A comprehensive account of all IT services to be provided by the third-party partner
- Location data, including where services will be provided from and where data will be processed, including storage locations
- Data protection provisions and safeguards
- Data access, recovery and return procedures in the event of insolvency, resolution or discontinuation of the business operations of the IT third party
- Comprehensive service level agreements
- No-cost IT support for incidents deemed the responsibility of the IT provider
- Full cooperation with relevant financial authorities
- Minimum notice periods and termination agreements, with conditions in place to avoid significant disruption
- Clear conditions regarding the IT provider’s participation in IT security awareness and resilience training programmes
- Business contingency planning in place and compliant IT security measures
- Willingness to participate in threat-led penetration tests (TLPTs)
- Compliance with ongoing monitoring of the IT partner’s performance, including unrestricted rights of access, inspection and audit by the financial entity or an appointed third party
5. Information sharing
DORA encourages financial organisations to take part in threat intelligence sharing arrangements on a voluntary basis. Information shared must adhere to relevant guidelines — for instance, personal information is still subject to GDPR rules.
Who does DORA apply to?
While there are some exemptions, DORA compliance applies to ‘financial entities’, which include:
- investment firms
- credit institutions
- payment institutions
- account information service providers
- electronic money institutions
- managers of alternative investment funds
- crypto-asset service providers
- central securities depositories
- central counterparties
- trading venues
- trade repositories
- data reporting service providers
- management companies
- insurance and reinsurance undertakings
- insurance intermediaries
- reinsurance intermediaries and ancillary insurance intermediaries
- credit rating agencies
- administrators of critical benchmarks
- crowdfunding service providers
- institutions for occupational retirement provision
- securitisation repositories
- IT third-party service providers
DORA requirements will be enforced according to the size of the organisation, which means smaller entities won’t be held to the same standards as major financial institutions.
What could happen if I don’t follow DORA compliance rules?
Once the standards are finalised by January 2025, each EU member state’s designated regulators, or ‘competent authorities’, will enforce DORA compliance. These authorities can mandate security measures, require vulnerabilities to be fixed, and impose penalties, including criminal ones. Penalties vary by state.
‘Critical’ IT providers will be overseen by lead ESAs, who can enforce measures and fines. DORA allows fines of one per cent of the provider’s average daily global turnover, imposed daily for up to six months until compliance is achieved.
You can find out more about DORA and keep up to date with emerging proposals and rules at https://www.digital-operational-resilience-act.com/.
About Intersys
Intersys is an ISO 27001-certified and GDPR-aligned IT and cyber security provider. We assist blue-chip clients in highly regulated industries such as financial services, life sciences, and mining and exploration.
We specialise in the day-to-day work of keeping our clients’ IT running optimally and their data protected. We also provide consultancy from senior IT leaders in IT governance and compliance. This is reflected in our own scrupulous compliance and transparency.
We understand the present requirements of DORA and, as a third-party provider, we can meet your security and performance requirements according to this new EU legislation.
To find out more, arrange to speak to a senior Intersys compliance expert by calling +44 (0)20 3005 4440 or emailing info@intersys.co.uk, including the subject DORA regulations in your enquiry.