A Complete Guide to the Digital Operational Resilience Act (DORA)

As a modern financial institution, you depend on technology to offer an excellent service. It’s a crucial part of your operations, but it puts you at risk for cyberattacks and other digital threats. How do you protect your business against these incidents?

This is where DORA, or the Digital Operational Resilience Act, comes in.

But despite the benefits of DORA, many financial organisations are feeling on edge as the deadline approaches. There’s still some confusion around DORA’s regulations and what preparations need to be made to avoid penalties for non-compliance.

To solve this issue, we’ve put together this guide to help you understand what DORA is, its deadline, how to prepare, and the penalties for non-compliance.

What is DORA?

DORA is an EU financial regulation created to help financial organisations protect against ICT risks like data breaches and cyberattacks.

Traditionally, financial institutions protected themselves against operational risks by setting aside reserve funds. But this approach failed to fully address the complexities of operational resilience, especially in regard to ICT risk management.

DORA protects against ICT threats by mandating that all financial organisations that use technology to operate keep a robust digital resilience strategy in place.

This includes clear guidelines for risk management, incident reporting, resilience testing, and monitoring threats tied to external IT services (third-party vendors).

How to comply with DORA regulations

DORA covers a lot of risk factors and security procedures—it takes time and effort to make sure you’ve ticked every box for compliance. But the long-term benefits for your organisation are clear: increased operational resilience and better risk awareness.

Here’s everything you need to do to be in compliance with DORA rules:

1. Carry out ICT risk assessment and management

Running a risk assessment of your entire organisation (including its extended supply chain) is essential for DORA compliance.

You’ll also need to develop an ICT risk management framework to manage any weaknesses identified in your assessment.

This includes:

• Setting up strong ICT systems and tools to limit risks
• Finding a way to quickly detect unusual activity
• Monitoring threats and putting protection measures in place
• Establishing clear business continuity and disaster recovery plans

2. Report ICT-related incidents

Under DORA, you need to report all minor and major ICT-related incidents to the relevant authorities.

This means setting up a procedure for tracking and logging incidents. You must classify each event based on guidelines set out by the European Supervisory Authorities (ESAs), including the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA).

DORA also requires that you send initial, intermediate, and final reports about the incident to your users and clients.

3. Conduct digital operational resilience testing

Regular resilience testing of your ICT systems is another DORA requirement. These measures help ensure your systems are capable of handling not only current cyber threats, but any that might arise in the future. If any weaknesses are detected, the rules state that you must take counteractive measures to protect your organisation.

4. Assessing ICT third-party risks

DORA mandates that you monitor the risks associated with third-party vendors. This includes making sure your third-party providers (like cloud service providers and managed IT services) include important details of their services—including where your data is processed—in your contract.

When your vendors meet compliance and security standards, the risks of IT disruptions are greatly reduced.

5. Sharing information and intelligence

While it’s not strictly a requirement, sharing insights about ICT risks and incidents among trusted communities and other financial entities is highly encouraged. It raises awareness of operational risks and helps build reliance in the financial sector.

What happens if you fail to comply with DORA?

Unfortunately, failure to comply with DORA can lead to severe penalties. Although the exact repercussions vary between EU countries, common fines for firms include up to 2% of total annual global turnover. Individuals, on the other hand, can face fines of up to €1 million.

Other potential penalties include public reprimands, withdrawal of authorisation, remedial measures, and even criminal charges.

When is the deadline for DORA?

The deadline for DORA is January 17, 2025—right around the corner.

DORA was first announced in 2020, when the COVID-19 pandemic highlighted significant flaws in financial institutions’ cybersecurity resilience.

The implementation period for the act began in January 2023, giving organisations and their third-party providers two years to take the necessary actions to comply.

How does DORA affect data backups?

DORA sets specific rules for backing up and restoring critical data. These regulations can be found in Article 12 (Section 3).

To comply, financial entities must be able to:

• Restore backups to a separate location physically (a different hardware or site) and logically (a separate system setup or configuration)
• Safeguard data from unauthorised access by storing it securely and immutably (cannot be altered or corrupted)

This requirement also applies to any cloud-based platforms being used by financial organisations. For example, critical data stored in Microsoft 365 or Google Workspace must be protected according to these guidelines.

Many organisations don’t realise that it’s their responsibility  – not Microsoft’s or Google’s—to back up critical information stored on these platforms.

Financial entities must work with trusted third-party cloud backup providers to be in compliance with DORA’s data protection regulations.

Backup Microsoft 365 and Google Workspace with BackupVault

If you need a backup solution you can count on to protect your valuable data and stay compliant with DORA, BackupVault is here to help.

With automatic Microsoft 365 and Google Workspace cloud backup, you enjoy a robust defence against ransomware, cyberattacks, user error, phishing scams, and more.

DORA compliance has never been simpler. Contact us for more information.