In January 2025, a new EU regulation targeting operational resilience will enter into force, impacting cyber security in the financial sector and beyond. But many uncertainties remain.

In just over seven months, the Digital Operational Resilience Act (DORA) enters into force in the EU — and not every organization is prepared. The regulation, which will apply as of January 17, 2025, covers the financial sector, but its reach extends beyond traditional players such as banks, investment firms, and insurance companies to also include crypto-asset providers, data reporting providers, and cloud service providers — actors who may not be as used to dealing with regulations as comprehensive as DORA.

“It is a very comprehensive regulation that is also supplemented by a number of regulatory technical standards and implementation standards,” says Pernilla Rönn, cyber security manager at Stockholm-based technology consultancy HiQ.

In October this year, the EU cyber security directive NIS2 will be implemented, covering more sectors than the previous version of the Network and Information Security (NIS) directive did and imposing stricter requirements for risk management and reporting. Still, for the financial sector, DORA includes tougher rules that take precedence over NIS2.

Short reporting requirements, significant fines

Organizations that do not live up to DORA requirements can be subject to GDPR-class sanctions, with fines that can amount to, for example, 2% of an organization’s total annual worldwide turnover or three times the profit that the financial entity has made as a result of the rule violation. The incident reporting requirements are also stricter than under the GDPR: there, incidents must be reported within 72 hours, but entities subject to DORA must report incidents classified as serious within four hours and no later than 24 hours after they are detected.
“This is something that worries, above all, the smaller players who are struggling with how to solve it. Do they have to be staffed 24/7? The larger players who are used to tough regulations cope better,” says Rönn.

And even though the time to prepare for DORA is running out, not all technical regulations have been determined by the EU yet. They have been coming out in batches, with the last one due in July.

Questions remain

Much about DORA’s impact, scope, and details remains unclear. This week the Financial Supervisory Authority, which will become the supervisory authority for DORA, organized a forum for questions about what will apply going forward, but there are questions the authority still cannot answer.

“There is so much that is not ready — that the Financial Supervisory Authority could not answer,” Rönn says, including “such things as, for example, how the reporting of incidents should be registered, whether there will be templates. Everyone must do the same and you have to wait to see what the methods will look like.”

Tighter security is paramount

So what should CISOs whose organizations will be subject to DORA do while waiting for answers?

“What everyone can do is think about what exactly is their golden egg, their critical assets, and start from that. Identify which agreements support it and which suppliers you depend on,” Rönn says.

The regulation contains some new concepts, such as “critical or important function,” which leaves some organizations confused over what a function is and how to determine whether it is critical or important. But instead of getting stuck in the complicated formulations and trying to interpret them, it is important to take actions that increase the security of your systems, Rönn emphasizes.

“You cannot skip any requirements but adapt the business. And remember that what the regulation is looking for is that each individual actor should strengthen their resilience,” she says.
Be able to justify decisions

Just as with the GDPR, DORA compliance is about being able to justify why you chose certain measures and how you reasoned. Although there are uncertainties surrounding the new and demanding regulation, Rönn believes it is a step forward for cyber security.

“But the step is different,” she says. “The banks have been regulated but not other financial actors in the same way. Now they are trying to find a common regulation and strengthen the entire sector. And even though it is complex and difficult to interpret, the spirit [of the directive] is good.”

Rönn says that one positive facet of DORA in particular is that it also covers third-party providers, as attacks have sometimes come that way.

“And it is also positive that there are many requirements for tests and to learn from them in the new regulation, which has not been included in other regulations,” she says.