Countdown to compliance: Are you ready for the DORA deadline?

Executive Summary: With the DORA compliance deadline approaching, it’s crucial for affected sectors to understand and prepare for the new operational resilience requirements to ensure adherence to regulatory standards.​

This article:

  • Introduces the European Union’s Digital Operational Resilience Act (DORA) and its implications.​
  • Identifies sectors affected by the upcoming compliance requirements.​
  • Emphasizes the importance of timely preparation to meet regulatory standards.

Introduction

The European Union’s (EU) Digital Operational Resilience Act (DORA) deadline is approaching: with just one week to go, DORA applies from 17 January 2025 to in-scope financial entities and to the ICT third-party service providers that support them.

Sectors affected by the DORA include but are not limited to:

  • Banks
  • Auditors and Audit Firms
  • Investment Firms
  • Management Companies
  • Credit Institutions
  • Insurance & Reinsurance Firms
  • Brokers
  • Credit Rating Agencies
  • Crowdfunding Platforms
  • Trading Venues
  • Trade Repositories
  • Crypto-Asset Service Providers

Understanding and ensuring compliance with the legislation need not be daunting, but it is important to remember that DORA’s reach is not limited to organisations located within the EU. It applies to financial entities authorised in the EU and to the ICT third-party service providers that support them, wherever those providers are based: the contractual clauses DORA requires flow down to providers outside the EU, and providers designated as critical are placed under direct oversight (which for a provider established outside the EU means setting up an EU subsidiary). For instance, a US-based investment firm that serves EU clients through an EU-authorised entity, or that supplies ICT services to EU financial entities, would need to meet DORA’s requirements.

Don’t get caught out!

DORA itself fixes only one headline figure: a critical ICT third-party provider that fails to comply with its Lead Overseer can be charged periodic penalty payments of up to 1% of its average daily worldwide turnover in the preceding business year, applied daily for up to six months. Penalties for financial entities are set in each Member State’s national law and applied by the national competent authority (the financial regulator), so the amounts vary by country; they can be imposed on members of the management body and other responsible individuals as well as on the entity itself. The European Supervisory Authorities (ESAs: the EBA, EIOPA and ESMA) run the oversight framework for critical providers rather than sanctioning financial entities directly.

A reminder of the requirements

DORA introduces several essential requirements that financial entities must meet from 17 January 2025. They are designed to ensure an entity can withstand, respond to and recover from ICT-related disruptions and threats, including those arising from all reasonably identifiable circumstances.

Key obligations include:

  • ICT risk management: Financial entities must maintain a documented framework, owned by the management body, to identify, protect against, detect, respond to and recover from ICT risk. This covers regular risk assessments, protective controls, and tested business continuity and disaster recovery plans.
  • Incident reporting: Entities need processes to detect, classify and manage ICT-related incidents, and must report major incidents to their competent authority in stages (an initial notification, an intermediate report and a final report). Timely notification limits the impact and lets supervisors spot sector-wide patterns.
  • Digital operational resilience testing: Every in-scope entity must run a proportionate testing programme covering vulnerability assessments, scenario-based exercises and penetration tests; entities singled out by their supervisor must additionally carry out threat-led penetration testing (TLPT) at least every three years.
  • ICT third-party risk management: Risks from ICT service providers must be managed across the contract lifecycle: due diligence before contracting, mandatory contractual clauses covering security, audit rights and exit, ongoing monitoring, and a register of information listing all ICT third-party arrangements that supervisors can request.
  • Information sharing: Entities may join arrangements to exchange cyber threat intelligence, indicators of compromise and lessons learned with peers, within the bounds of competition and data protection law.
  • Oversight of critical providers: ICT third-party providers designated as critical to the EU financial sector come under direct oversight by the ESAs through a Lead Overseer. This is a supervisory mechanism rather than an obligation on financial entities, but it shapes what entities can expect from their largest providers.

For a deep dive on DORA, visit our comprehensive DORA guide

What happens if I fail to comply?

Adhering to DORA is mandatory for businesses involved in the EU financial sector, whether operating within the region or serving it from abroad. The regulation assigns clear accountability to an organisation’s board and executive leadership for establishing effective measures that address ICT risk and ensure operational resilience.

Neglecting to manage risks, especially those considered reasonably foreseeable, can lead to significant repercussions, including the administrative penalties and remedial measures described above and personal accountability for members of the management body.

Does Red Sift offer support?

Reasonable, proactive preparation for DORA should include securing your email systems, the channel through which most phishing and business email compromise attempts arrive. DORA does not name specific protocols, but implementing Domain-based Message Authentication, Reporting and Conformance (DMARC) with an enforcing policy is a concrete protective measure that sits squarely within the ICT risk management pillar.

Red Sift OnDMARC equips organisations with the tools to gain full control of outbound email and a clear view of their sending domains. Its cloud-based platform simplifies the management of DMARC, DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) records, so teams do not have to hand-edit DNS to reach enforcement.

OnDMARC supports compliance with DORA’s requirements by:

  • Establishing a proactive email security framework: OnDMARC supports your journey toward achieving a DMARC policy of p=reject, blocking unauthorized emails and protecting against business email compromise (BEC) and phishing attacks.
  • Enhanced oversight: With comprehensive visibility into outbound email activity, OnDMARC enables quick identification and resolution of potential issues.
  • Detecting suspicious activity: Powered by machine learning, OnDMARC’s forensic reporting delivers detailed insights into sending sources, allowing organizations to quickly identify and address anomalies.
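The check that such a platform automates, as an added example that is not Red Sift’s or OnDMARC’s code: a small Python script that parses a DMARC record and reports what still separates the domain from full p=reject enforcement. Everything it needs is inline, the domain names and records are constructed for the example, and it makes no DNS queries (a real deployment would feed it the TXT record fetched from _dmarc.<domain>).

```python
"""Assess whether a domain's DMARC record actually enforces p=reject.

Added example, not Red Sift or OnDMARC code. It parses the TXT record
published at _dmarc.<domain> (RFC 7489 tag=value syntax) and lists the
gaps that keep the domain short of full enforcement. The sample records
are constructed for this example; nothing is looked up in DNS.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DmarcAssessment:
    domain: str
    policy: str | None            # p= tag, None when no usable record
    subdomain_policy: str | None  # policy that applies to subdomains
    pct: int                      # share of failing mail the policy covers
    gaps: list[str] = field(default_factory=list)      # block enforcement
    warnings: list[str] = field(default_factory=list)  # reduce visibility

    @property
    def enforcing(self) -> bool:
        """True only when failing mail is rejected for domain and subdomains."""
        return not self.gaps


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a dict keyed by lower-cased tag."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing ';'
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str, record: str | None) -> DmarcAssessment:
    """Evaluate one DMARC record against a p=reject target."""
    if record is None:
        return DmarcAssessment(domain, None, None, 0, gaps=["no DMARC record published"])
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return DmarcAssessment(domain, None, None, 0, gaps=[str(exc)])

    # v=DMARC1 must be the first tag and p= is mandatory (RFC 7489 section 6.3);
    # receivers discard records that fail either check, so treat them as absent.
    if not record.lstrip().lower().startswith("v=dmarc1") or "p" not in tags:
        return DmarcAssessment(domain, None, None, 0,
                               gaps=["not a valid DMARC1 record with a p= tag"])

    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()  # sp= overrides, else inherit p=
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1  # this example treats an unparseable pct as a defect

    result = DmarcAssessment(domain, policy, sub_policy, pct)

    if policy == "none":
        result.gaps.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        result.gaps.append("p=quarantine: spoofed mail lands in junk rather than being rejected")
    elif policy != "reject":
        result.gaps.append(f"p={policy}: unknown policy value")

    if not 0 <= pct <= 100:
        result.gaps.append(f"pct={tags.get('pct')}: not an integer between 0 and 100")
    elif pct < 100 and policy in ("reject", "quarantine"):
        # RFC 7489 section 6.6.4: the rest of the failing mail gets the next
        # less restrictive policy (reject -> quarantine, quarantine -> none).
        result.gaps.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")

    if sub_policy != "reject":
        result.gaps.append(f"sp={sub_policy}: subdomains can still be spoofed")

    if "rua" not in tags:
        result.warnings.append("no rua= address: aggregate reports are not collected, "
                               "so unauthorised senders stay invisible")
    if "ruf" not in tags:
        result.warnings.append("no ruf= address: failure (forensic) reports are not requested")
    return result


# Constructed sample records for the example; the domains do not exist.
SAMPLE_RECORDS: dict[str, str | None] = {
    "bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example; "
                    "ruf=mailto:forensic@bank.example; fo=1",
    "broker.example": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@broker.example",
    "fund.example": "v=DMARC1; p=none; rua=mailto:dmarc@fund.example",
    "insurer.example": "v=DMARC1; p=quarantine; sp=none; rua=mailto:dmarc@insurer.example",
    "venue.example": None,
}


if __name__ == "__main__":
    for name, txt in SAMPLE_RECORDS.items():
        verdict = assess_dmarc(name, txt)
        print(f"{name:<18} {'ENFORCING' if verdict.enforcing else 'NOT ENFORCING'}")
        for gap in verdict.gaps:
            print(f"  gap:     {gap}")
        for warning in verdict.warnings:
            print(f"  warning: {warning}")
```

Two of the constructed records look enforcing at first glance and are not: broker.example publishes p=reject but pct=50, so half of its failing mail only gets quarantined, and insurer.example overrides its policy with sp=none, leaving every subdomain open to spoofing. A record that merely contains the string “reject” is not the same as a domain at enforcement, which is why the script checks pct and sp rather than stopping at the p= tag.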

Discover how OnDMARC can strengthen your email security and support your readiness for DORA. Sign up today to learn more!

PUBLISHED BY

Jack Lilley

9 Jan. 2025
