What is the Digital Operational Resilience Act, and why does it matter?

The Digital Operational Resilience Act (DORA) is a game changer for financial organizations, providing a comprehensive rulebook that covers everything financial organizations need to do to become and remain digitally resilient against cyber threats. In this blog, we’ll provide a run-down of everything you need to know about DORA.

What is the Digital Operational Resilience Act?

The Digital Operational Resilience Act ( DORA) is European legislation that requires any financial organization in the European Union (and those that want access to it) to have safeguards in place to mitigate cyber-risks. The legislation requires these businesses to recognize and mitigate any reasonably identifiable circumstances that could lead to an event that could compromise the digital operational security of the firm.  

What is a reasonably identifiable circumstance?

Any common vulnerability, exposure, or well-known cyber threat could give rise to a reasonably identifiable circumstance. Something is a reasonably identifiable circumstance if the source it’s coming from is a trusted, independent expert that puts you on express notice that a common vulnerability, exposure, or significant cyber threat poses a risk to your business. 

What credible agencies should businesses be looking to for guidance on reasonably identifiable circumstances?

Why is digital operational resilience important in the financial services sector?

The interconnected nature of the financial services sector means that when something goes wrong within it, a ripple effect impacts those far and wide. Nowadays one of the most significant threats to the security, stability, and business continuity of the financial sector is the disruption caused by a cyberattack (such as ransomware infections or DDoS). 

Business Email Compromise (BEC) provides the starting point for 90% of targeted cyberattacks such as ransomware attacks, CEO fraud, vendor fraud, and more. So, there’s never been a more crucial time for the financial institutions to strengthen their digital resilience to prevent these. In doing so, they’ll protect business processes, business continuity, and sensitive data, and ultimately comply with DORA. 

When will the Digital Operational Resilience Act be enforced?

DORA is expected to be introduced this year (2022) and be fully enforced by 2024, so businesses need to start preparing now.

Who does the Digital Operational Resilience Act apply to?

There are two groups of businesses DORA applies to. The first is any organization that manages, transfers, holds, insures, invests, creates, protects, or raises money and those that grade investments. 

This includes:

  • Banks
  • Auditors and Audit Firms 
  • Investment Firms
  • Management Firms 
  • Credit Institutions
  • Insurance & Reinsurance Firms
  • Brokers
  • Credit Rating Agencies
  • Crowdfunding Services 
  • Trading Venues
  • Trade Repositories 
  • Crypto-Asset Providers

The second group of businesses DORA applies to is third-party vendors that supply ICT software (but not hardware). 

This includes:

  • ICT Vendors 
  • Provides Digital and Data Services
  • Cloud Computing
  • Software
  • Data Analytics 
  • Data Centers

Does the Digital Operational Resilience Act (DORA) apply to the UK and USA?

DORA has been introduced by the European Parliament and so it applies to the above businesses that are based in the EU. But it also applies to any business that has offices in the EU or wants access to the above businesses or clients in the EU market. For example, if a bank in the United States wants to do business with a bank based in the EU, or access clients in the EU, it must comply with DORA. So, this means that DORA is applicable worldwide.

Is Business Email Compromise (BEC) a reasonably identifiable circumstance?

The Federal Bureau of Investigations (FBI) has been warning of Business Email Compromise in its IC3 Internet Crime Report since 2015. The FBI is a trusted independent expert, with form for getting things right, and no skin in the game. So, businesses can safely accept that BEC is a reasonably identifiable circumstance that they’re required to mitigate. 

“Courts don’t expect you to see around corners, they expect you to read the writing on the wall. ​​Business Email Compromise (BEC) remains the most significant cyber threat by victim loss, and the starting point for the majority of attacks. So, BEC is a threat and it needs to be addressed.” Dr Rois Ni Thuama, PhD 

What are the benefits of the Digital Operational Resilience Act?

Thanks to DORA, businesses will be enabled to make better decisions as DORA highlights what they need to do in one place, and leaves nothing out. What’s more, by complying with the provisions outlined in DORA, businesses will become more resilient to cyberattacks, unscrupulous vendors, and other threats. Other benefits of this European parliament legislation include:

  • More robust supply chains
  • Smoother exit strategies
  • Defensibility in the event of an attack
  • Protection from opportunist criminals

What are the consequences of noncompliance with DORA?

DORA puts the final responsibility to enact the right measures to mitigate cyber threats on board members and directors. It’ll be these people who are held accountable if a business fails to comply. Directors and boards now need to understand and know how to mitigate risks (reasonably identifiable circumstances). If they don’t, they could face:

  • Reputational damage
  • Shareholder litigation
  • Regulatory fines
  • Criminal sanctions

Download the full whitepaper today

We hope this blog was useful in providing a quick run-down on the Digital Operational Resilience Act (DORA. To find out more about DORA and how you can start to prepare, download your free whitepaper today

download the whitepaper red sift

PUBLISHED BY

Red Sift

7 Jun. 2022

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
DMARC

Beyond DMARC: How Red Sift OnDMARC supports comprehensive DNS hygiene

Red Sift

Registrable domains and DNS play a crucial role in establishing online identity and trust, but their importance is often taken for granted. During new service setups, record updates are often overlooked, accumulating outdated entries. As infrastructure teams become increasingly overstretched,  services may be incorrectly shut down without proper cleanup, leaving behind a sprawl of…

Read more
DKIM

First look at DKIM2: The next generation of DKIM

Red Sift

In 2011, the original DomainKeys Identified Mail (DKIM1) standard was published. It outlined a method allowing a domain to sign emails, enabling recipients to verify that the email originated from an entity holding a private key that matches the public key published in the domain’s DNS records. Now in 2024, DKIM is ready for…

Read more
Security

Securing our world: For a safer internet

Jack Lilley

October is Cybersecurity Awareness Month, a time for industries to unite in promoting digital security within today’s complex landscape. Bad actors are leveraging increasingly sophisticated methods—such as email phishing and Business Email Compromise (BEC)—to exploit vulnerabilities, impersonate legitimate contacts, and access sensitive information. CISA Director Jen Easterly advises us to “always think before you…

Read more
Cybersecurity

Boosting email security amid recent Coinbase phishing attempts

Jack Lilley

In recent weeks, there have been reports of sophisticated phishing attacks disguised as official communication from the cryptocurrency platform, Coinbase. These phishing emails closely mimic Coinbase’s branding and language to build recipient trust and prompt clicks on malicious links. The subject lines of these emails generally follow a format: the sender’s address starts with…

Read more