What is the Digital Operational Resilience Act, and why does it matter?

The Digital Operational Resilience Act (DORA) is a game changer for financial organizations, providing a comprehensive rulebook that covers everything financial organizations need to do to become and remain digitally resilient against cyber threats. In this blog, we’ll provide a run-down of everything you need to know about DORA.

What is the Digital Operational Resilience Act?

The Digital Operational Resilience Act ( DORA) is European legislation that requires any financial organization in the European Union (and those that want access to it) to have safeguards in place to mitigate cyber-risks. The legislation requires these businesses to recognize and mitigate any reasonably identifiable circumstances that could lead to an event that could compromise the digital operational security of the firm.  

What is a reasonably identifiable circumstance?

Any common vulnerability, exposure, or well-known cyber threat could give rise to a reasonably identifiable circumstance. Something is a reasonably identifiable circumstance if the source it’s coming from is a trusted, independent expert that puts you on express notice that a common vulnerability, exposure, or significant cyber threat poses a risk to your business. 

What credible agencies should businesses be looking to for guidance on reasonably identifiable circumstances?

Why is digital operational resilience important in the financial services sector?

The interconnected nature of the financial services sector means that when something goes wrong within it, a ripple effect impacts those far and wide. Nowadays one of the most significant threats to the security, stability, and business continuity of the financial sector is the disruption caused by a cyberattack (such as ransomware infections or DDoS). 

Business Email Compromise (BEC) provides the starting point for 90% of targeted cyberattacks such as ransomware attacks, CEO fraud, vendor fraud, and more. So, there’s never been a more crucial time for the financial institutions to strengthen their digital resilience to prevent these. In doing so, they’ll protect business processes, business continuity, and sensitive data, and ultimately comply with DORA. 

When will the Digital Operational Resilience Act be enforced?

DORA is expected to be introduced this year (2022) and be fully enforced by 2024, so businesses need to start preparing now.

Who does the Digital Operational Resilience Act apply to?

There are two groups of businesses DORA applies to. The first is any organization that manages, transfers, holds, insures, invests, creates, protects, or raises money and those that grade investments. 

This includes:

  • Banks
  • Auditors and Audit Firms 
  • Investment Firms
  • Management Firms 
  • Credit Institutions
  • Insurance & Reinsurance Firms
  • Brokers
  • Credit Rating Agencies
  • Crowdfunding Services 
  • Trading Venues
  • Trade Repositories 
  • Crypto-Asset Providers

The second group of businesses DORA applies to is third-party vendors that supply ICT software (but not hardware). 

This includes:

  • ICT Vendors 
  • Provides Digital and Data Services
  • Cloud Computing
  • Software
  • Data Analytics 
  • Data Centers

Does the Digital Operational Resilience Act (DORA) apply to the UK and USA?

DORA has been introduced by the European Parliament and so it applies to the above businesses that are based in the EU. But it also applies to any business that has offices in the EU or wants access to the above businesses or clients in the EU market. For example, if a bank in the United States wants to do business with a bank based in the EU, or access clients in the EU, it must comply with DORA. So, this means that DORA is applicable worldwide.

Is Business Email Compromise (BEC) a reasonably identifiable circumstance?

The Federal Bureau of Investigations (FBI) has been warning of Business Email Compromise in its IC3 Internet Crime Report since 2015. The FBI is a trusted independent expert, with form for getting things right, and no skin in the game. So, businesses can safely accept that BEC is a reasonably identifiable circumstance that they’re required to mitigate. 

“Courts don’t expect you to see around corners, they expect you to read the writing on the wall. ​​Business Email Compromise (BEC) remains the most significant cyber threat by victim loss, and the starting point for the majority of attacks. So, BEC is a threat and it needs to be addressed.” Dr Rois Ni Thuama, PhD 

What are the benefits of the Digital Operational Resilience Act?

Thanks to DORA, businesses will be enabled to make better decisions as DORA highlights what they need to do in one place, and leaves nothing out. What’s more, by complying with the provisions outlined in DORA, businesses will become more resilient to cyberattacks, unscrupulous vendors, and other threats. Other benefits of this European parliament legislation include:

  • More robust supply chains
  • Smoother exit strategies
  • Defensibility in the event of an attack
  • Protection from opportunist criminals

What are the consequences of noncompliance with DORA?

DORA puts the final responsibility to enact the right measures to mitigate cyber threats on board members and directors. It’ll be these people who are held accountable if a business fails to comply. Directors and boards now need to understand and know how to mitigate risks (reasonably identifiable circumstances). If they don’t, they could face:

  • Reputational damage
  • Shareholder litigation
  • Regulatory fines
  • Criminal sanctions

Download the full whitepaper today

We hope this blog was useful in providing a quick run-down on the Digital Operational Resilience Act (DORA. To find out more about DORA and how you can start to prepare, download your free whitepaper today

download the whitepaper red sift


Red Sift

7 Jun. 2022



Recent Posts


Introducing DNS Guardian: Stop impersonation and spam caused by domain takeovers 

Rahul Powar

tl;dr: We’re thrilled to announce DNS Guardian — a new feature in Red Sift OnDMARC that can swiftly identify and stop domain takeovers that lead to malicious mail. Back in February, we shared updates with the community about SubdoMailing – an attack discovered by Guardio Labs. The attack was a form of subdomain takeover,…

Read more

Navigating the Information Security Landscape: ISO 27001 vs. SOC 2

Red Sift

As cyber threats evolve, so do the standards and frameworks designed to combat them. Two of the most recognized standards in information security are ISO 27001 and SOC 2. What sets them apart, and which one is right for your organization? Let’s delve into the key differences. Purpose and Scope: Global Framework vs. Client-Centric…

Read more

G2 Summer 2024 Report: Red Sift OnDMARC’s Winning Streak Continues

Francesca Rünger-Field

We’re delighted to announce that Red Sift OnDMARC has again been named a Leader in G2’s DMARC category for Summer 2024. This recognition is based on our high Customer Satisfaction scores and strong market presence. Red Sift appeared in 11 reports – 5 new ones since Spring 2024! – earning 5 badges: A few…

Read more

Google will no longer trust Entrust certificates from October 2024

Red Sift

Tl;dr: Google has announced that as of October 31, 2024, Chrome will no longer trust certificates signed by Entrust root certificates. While there is no immediate impact on existing certificates or those issued before 31st October 2024, organizations should start reviewing their estate now. On Thursday 27th June 2024, Google announced that it had…

Read more

Understanding the polyfill.io domain attack

Francesca Rünger-Field

tl;dr: The recent compromise of the polyfill.io domain has triggered a broad-reaching web supply chain attack, impacting over 100,000 websites across various sectors including finance, healthcare, non-profits, academia, and more. To ensure the security of your website, we strongly advise you immediately remove any reference to polyfill.io. Latest update: 27th June 2024 Sansec, a…

Read more