What is the Digital Operational Resilience Act, and why does it matter?

The Digital Operational Resilience Act (DORA) is a game changer for financial organizations, providing a comprehensive rulebook that covers everything financial organizations need to do to become and remain digitally resilient against cyber threats. In this blog, we’ll provide a run-down of everything you need to know about DORA.

What is the Digital Operational Resilience Act?

The Digital Operational Resilience Act ( DORA) is European legislation that requires any financial organization in the European Union (and those that want access to it) to have safeguards in place to mitigate cyber-risks. The legislation requires these businesses to recognize and mitigate any reasonably identifiable circumstances that could lead to an event that could compromise the digital operational security of the firm.  

What is a reasonably identifiable circumstance?

Any common vulnerability, exposure, or well-known cyber threat could give rise to a reasonably identifiable circumstance. Something is a reasonably identifiable circumstance if the source it’s coming from is a trusted, independent expert that puts you on express notice that a common vulnerability, exposure, or significant cyber threat poses a risk to your business. 

What credible agencies should businesses be looking to for guidance on reasonably identifiable circumstances?

Why is digital operational resilience important in the financial services sector?

The interconnected nature of the financial services sector means that when something goes wrong within it, a ripple effect impacts those far and wide. Nowadays one of the most significant threats to the security, stability, and business continuity of the financial sector is the disruption caused by a cyberattack (such as ransomware infections or DDoS). 

Business Email Compromise (BEC) provides the starting point for 90% of targeted cyberattacks such as ransomware attacks, CEO fraud, vendor fraud, and more. So, there’s never been a more crucial time for the financial institutions to strengthen their digital resilience to prevent these. In doing so, they’ll protect business processes, business continuity, and sensitive data, and ultimately comply with DORA. 

When will the Digital Operational Resilience Act be enforced?

DORA is expected to be introduced this year (2022) and be fully enforced by 2024, so businesses need to start preparing now.

Who does the Digital Operational Resilience Act apply to?

There are two groups of businesses DORA applies to. The first is any organization that manages, transfers, holds, insures, invests, creates, protects, or raises money and those that grade investments. 

This includes:

  • Banks
  • Auditors and Audit Firms 
  • Investment Firms
  • Management Firms 
  • Credit Institutions
  • Insurance & Reinsurance Firms
  • Brokers
  • Credit Rating Agencies
  • Crowdfunding Services 
  • Trading Venues
  • Trade Repositories 
  • Crypto-Asset Providers

The second group of businesses DORA applies to is third-party vendors that supply ICT software (but not hardware). 

This includes:

  • ICT Vendors 
  • Provides Digital and Data Services
  • Cloud Computing
  • Software
  • Data Analytics 
  • Data Centers

Does the Digital Operational Resilience Act (DORA) apply to the UK and USA?

DORA has been introduced by the European Parliament and so it applies to the above businesses that are based in the EU. But it also applies to any business that has offices in the EU or wants access to the above businesses or clients in the EU market. For example, if a bank in the United States wants to do business with a bank based in the EU, or access clients in the EU, it must comply with DORA. So, this means that DORA is applicable worldwide.

Is Business Email Compromise (BEC) a reasonably identifiable circumstance?

The Federal Bureau of Investigations (FBI) has been warning of Business Email Compromise in its IC3 Internet Crime Report since 2015. The FBI is a trusted independent expert, with form for getting things right, and no skin in the game. So, businesses can safely accept that BEC is a reasonably identifiable circumstance that they’re required to mitigate. 

“Courts don’t expect you to see around corners, they expect you to read the writing on the wall. ​​Business Email Compromise (BEC) remains the most significant cyber threat by victim loss, and the starting point for the majority of attacks. So, BEC is a threat and it needs to be addressed.” Dr Rois Ni Thuama, PhD 

What are the benefits of the Digital Operational Resilience Act?

Thanks to DORA, businesses will be enabled to make better decisions as DORA highlights what they need to do in one place, and leaves nothing out. What’s more, by complying with the provisions outlined in DORA, businesses will become more resilient to cyberattacks, unscrupulous vendors, and other threats. Other benefits of this European parliament legislation include:

  • More robust supply chains
  • Smoother exit strategies
  • Defensibility in the event of an attack
  • Protection from opportunist criminals

What are the consequences of noncompliance with DORA?

DORA puts the final responsibility to enact the right measures to mitigate cyber threats on board members and directors. It’ll be these people who are held accountable if a business fails to comply. Directors and boards now need to understand and know how to mitigate risks (reasonably identifiable circumstances). If they don’t, they could face:

  • Reputational damage
  • Shareholder litigation
  • Regulatory fines
  • Criminal sanctions

Download the full whitepaper today

We hope this blog was useful in providing a quick run-down on the Digital Operational Resilience Act (DORA. To find out more about DORA and how you can start to prepare, download your free whitepaper today

download the whitepaper red sift

PUBLISHED BY

Red Sift

7 Jun. 2022

SHARE ARTICLE:

Categories

Recent Posts

VIEW ALL
News

Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more
News

Meet Red Sift Radar: The Skilled Up LLM That Finds and Fixes…

Rahul Powar

After months of beta testing and feedback, we are excited to announce that Red Sift Radar, our skilled up LLM offering seamless integration with Red Sift OnDMARC, is now commercially available.  With Red Sift Radar, security teams can detect exposures, prevent configuration drift, and classify assets or suspicious activity without adding additional headcount. By…

Read more
News

G2 Fall 2024 Report: Red Sift OnDMARC Wins Big

Francesca Rünger-Field

We’re delighted to share that Red Sift OnDMARC’s winning streak continues. This Fall, we’ve once again been named a Leader in G2’s DMARC category, achieving recognition in both the overall Leader category and Europe for the first time. This recognition is based on our high Customer Satisfaction scores and strong market presence. Red Sift…

Read more
Cybersecurity

Resilience Rising | Episode 3 with Kevin White

Red Sift

In this episode of Resilience Rising, Sean Costigan, Managing Director of Resilience Strategy at Red Sift, and Kevin White, Senior Operation Consultant with Enhanced Information Solutions, explore the critical intersection of wastewater management and cybersecurity.  The two highlight the health and operational impacts of cyber threats on water utilities, emphasizing the vulnerabilities due to…

Read more
Certificates

Your guide to PCI DSS 4.0 Cryptographic Requirements

Rebecca Warren

The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized framework designed to protect cardholder data during processing, storage, and transmission by merchants and service providers. PCI DSS outlines a set of stringent security controls that organizations handling payment card information must implement to mitigate the risk of data breaches and…

Read more