Red Sift Blog

What is the Digital Operational Resilience Act, and why does it matter?

by Red Sift
June 7, 2022 (updated March 9, 2023)
Filed under: DORA

The Digital Operational Resilience Act (DORA) is a game changer for financial organizations, providing a single, comprehensive rulebook covering what they need to do to become and remain digitally resilient against cyber threats. In this blog, we provide a run-down of what you need to know about DORA.

What is the Digital Operational Resilience Act?

The Digital Operational Resilience Act (DORA) is European legislation that requires any financial organization operating in the European Union (and any that wants access to the EU market) to have safeguards in place to mitigate cyber risk. The legislation requires these businesses to recognize and mitigate any reasonably identifiable circumstance that could lead to an event compromising the firm's digital operational resilience.

What is a reasonably identifiable circumstance?

Any common vulnerability, exposure, or well-known cyber threat can give rise to a reasonably identifiable circumstance. The test is whether a trusted, independent expert source has put you on express notice that a common vulnerability, exposure, or significant cyber threat poses a risk to your business. Once that notice exists, the circumstance is reasonably identifiable and you are expected to have acted on it.

What credible agencies should businesses be looking to for guidance on reasonably identifiable circumstances?

  • National Cyber Security Centre (NCSC)
  • Federal Bureau of Investigation (FBI)
  • National Institute of Standards and Technology (NIST)
  • US Department of Defense 
  • US Department of Homeland Security
  • The Global Cyber Alliance (GCA)

Why is digital operational resilience important in the financial services sector?

The interconnected nature of the financial services sector means that when something goes wrong within it, the ripple effect reaches far and wide. Today one of the most significant threats to the security, stability, and business continuity of the sector is the disruption caused by a cyberattack, such as a ransomware infection or a DDoS attack.

Business Email Compromise (BEC) provides the starting point for 90% of targeted cyberattacks, including ransomware attacks, CEO fraud, and vendor fraud. There has never been a more crucial time for financial institutions to strengthen their digital resilience to prevent them. In doing so, they protect their business processes, business continuity, and sensitive data, and ultimately comply with DORA.

When will the Digital Operational Resilience Act be enforced?

At the time of writing (June 2022), DORA was expected to be adopted that year and to become fully enforceable by 2024. It was adopted in December 2022 as Regulation (EU) 2022/2554, entered into force on 16 January 2023, and applies from 17 January 2025, so businesses need to start preparing now.

Who does the Digital Operational Resilience Act apply to?

DORA applies to two groups of businesses. The first is any organization that manages, transfers, holds, insures, invests, creates, protects, or raises money, together with those that rate investments.

This includes:

  • Banks
  • Auditors and Audit Firms 
  • Investment Firms
  • Management Firms 
  • Credit Institutions
  • Insurance & Reinsurance Firms
  • Brokers
  • Credit Rating Agencies
  • Crowdfunding Services 
  • Trading Venues
  • Trade Repositories 
  • Crypto-Asset Providers

The second group DORA applies to is the ICT third-party service providers on which the first group depends.

This includes:

  • ICT Vendors
  • Providers of Digital and Data Services
  • Cloud Computing Providers
  • Software Providers
  • Data Analytics Providers
  • Data Centers

Does the Digital Operational Resilience Act (DORA) apply to the UK and USA?

DORA was introduced by the European Parliament, so it applies to the businesses above when they are based in the EU. But it also reaches any business that has offices in the EU or wants to serve the businesses or clients listed above in the EU market. For example, if a bank in the United States wants to do business with a bank based in the EU, or to serve clients in the EU, it must comply with DORA. In practice, this gives DORA worldwide reach.

Is Business Email Compromise (BEC) a reasonably identifiable circumstance?

The Federal Bureau of Investigation (FBI) has been warning of Business Email Compromise in its IC3 Internet Crime Report since 2015. The FBI is a trusted independent expert, with a track record of getting things right and no skin in the game. So businesses can safely accept that BEC is a reasonably identifiable circumstance that they are required to mitigate.

“Courts don’t expect you to see around corners, they expect you to read the writing on the wall. Business Email Compromise (BEC) remains the most significant cyber threat by victim loss, and the starting point for the majority of attacks. So, BEC is a threat and it needs to be addressed.” Dr Rois Ni Thuama, PhD

What are the benefits of the Digital Operational Resilience Act?

DORA enables businesses to make better decisions by setting out what they need to do in one place, leaving nothing out. What's more, by complying with the provisions outlined in DORA, businesses become more resilient to cyberattacks, unscrupulous vendors, and other threats. Other benefits of this European Parliament legislation include:

  • More robust supply chains
  • Smoother exit strategies
  • Defensibility in the event of an attack
  • Protection from opportunist criminals

What are the consequences of noncompliance with DORA?

DORA places final responsibility for enacting the right measures to mitigate cyber threats on board members and directors. These are the people who will be held accountable if a business fails to comply. Directors and boards now need to understand the risks (reasonably identifiable circumstances) and know how to mitigate them. If they don't, they could face:

  • Reputational damage
  • Shareholder litigation
  • Regulatory fines
  • Criminal sanctions

Download the full whitepaper today

We hope this blog was useful in providing a quick run-down on the Digital Operational Resilience Act (DORA). To find out more about DORA and how you can start to prepare, download your free whitepaper today.


Copyright © 2023 · Red Sift