Seven Things You Need to Know About DORA
The European Union (EU) is deeply concerned about IT risks and cybersecurity in financial sector organizations. With the Digital Operational Resilience Act (DORA), it responds to the increasing digitization within the financial sector and the growing threats from (cyber)criminal organizations and hostile states.
Furthermore, critical supply-chain dependencies are becoming more worrisome: as a financial organization you may manage your own IT risks well, but what about your suppliers and other chain partners? As of January 17, 2025, financial institutions and their service providers are obliged to comply with DORA. In this blog, you will learn what you absolutely need to know about DORA.
1. Why is DORA needed?
DORA aims to harmonize cybersecurity across all European institutions and create a basic framework for the entire sector. In the Netherlands, the level is generally higher than average, but security doesn't stop at national borders.
2. Is DORA mandatory?
Yes, DORA is mandatory for all financial institutions within the EU. It is an EU regulation that applies directly in all EU member states, without needing to be transposed into national law.
3. What if I do nothing about DORA?
Doing nothing about DORA is not a realistic option, as non-compliance can have serious consequences for your business operations. Additionally, DNB (De Nederlandsche Bank, the Dutch central bank) incorporates DORA into its supervision and existing good practices. Sanctions will align with DNB's existing supervisory instruments. It is therefore better for an organization to establish for itself that it complies with DORA than to wait for the regulator to do so.
4. What does DORA require?
DORA comprises six themes, namely:
- IT governance
- IT risk management
- IT incident management
- Digital resilience testing
- Third-party risk management
- Information sharing
A few topics within these themes can have a direct impact:
- Understanding the entire outsourcing chain: DORA contains many requirements in the area of third-party risk management, many of which tighten existing regulations. The organization must not only map its third parties but also assess the risks introduced by the third party's own partners and subcontractors. Therefore, every financial institution must map the entire outsourcing chain.
- Incident reporting: Under DORA, ICT incidents must be reported to a central regulator; in the Netherlands, this is DNB. Reporting ICT incidents is not new for financial institutions in the Netherlands, but it is a new development at the European level under DORA. Any incident affecting the services of the financial institution must be reported, which broadens the scope beyond the current DNB requirement.
- Third-party notification: According to DORA, any new agreement with a third party must be reported to DNB. Additionally, organizations must maintain a register of all third parties with whom agreements have been made.
- Requirements for digital resilience testing: DORA imposes various requirements regarding digital resilience testing. Financial institutions must have a testing program that includes penetration tests by (ethical) hackers, physical security tests, and digital vulnerability scans. The results of these tests must be reportable to the regulator.
5. What are DORA's new standards?
The themes addressed by DORA will not be new for many Dutch institutions. However, DORA elaborates these topics in more depth than standard frameworks such as ISO 27001. As a result, every organization within the financial sector must verify whether the depth of its controls is demonstrably sufficient to comply with DORA.
6. What should I, as a board member, do with DORA?
DORA requires a greater degree of board involvement than is currently laid down in legislation. The board must be closely involved in themes such as business continuity, risk management, and third-party management. Simply informing the board via a memo is no longer sufficient under DORA.
7. What will supervision of DORA look like?
The practical aspects of supervision are not yet entirely clear. What is known is that DNB will be the regulator and that it will incorporate DORA into its existing good practices. DNB has the authority to impose sanctions in the event of non-compliance with DORA.
In its provisions, DORA does not make substantive distinctions between a pension fund, an insurer, or a bank. The most significant changes introduced by DORA are described above under "4. What does DORA require?". The impact of these changes varies from one organization to another, depending on factors such as the extent of outsourcing and the degree of control over chain parties.