In an increasingly digitized world, the stability of the financial system depends directly on the robustness of its technological infrastructures, and this is precisely the problem the DORA regulation addresses. Any interruption or failure in the digital services of a financial institution can have devastating consequences, not only for the organization itself, but also for the economy as a whole. Aware of this reality, the European Union has taken a step forward with the creation of the DORA (Digital Operational Resilience Act) Regulation, a regulation that seeks to strengthen the digital operational resilience of the financial sector.
This regulation establishes a unified regulatory framework for managing risks related to Information and Communication Technologies (ICT). It aims to ensure that all financial institutions and their critical technology providers are able to withstand, respond to and recover from all types of incidents. DORA places cybersecurity and digital resilience at the heart of business strategy. In this article, we will take an in-depth look at what the DORA Regulation is, who it affects, what its key pillars are and what implications it has for businesses and end users.


What Is The DORA (Digital Operational Resilience Act) Regulation?
Regulation (EU) 2022/2554, known as DORA (Digital Operational Resilience Act), is an EU legislative initiative designed to consolidate and harmonize digital operational resilience requirements across the financial sector in the Union. Published on December 27, 2022, DORA came into force on January 16, 2023 and has been mandatory for affected entities since January 17, 2025.
The main motivation behind DORA is the financial sector's growing dependence on digital infrastructures and the proliferation of increasingly sophisticated cyber threats. Until now, ICT risk management was governed by general guidelines and fragmented national regulations, creating an uneven regulatory landscape and leaving security gaps. DORA solves this problem by establishing a single, detailed set of rules covering everything from risk management and incident reporting to resilience testing.
DORA seeks to ensure that the European financial system can remain operational and resilient even in the face of severe operational disruptions. This implies that banks, insurers, investment firms and other financial players, as well as the critical technology providers that serve them, must implement robust measures to prevent, detect, contain, respond to and recover from ICT incidents.
The Five Pillars of DORA: Europe's ICT Risk Management Framework
The DORA Regulation is structured around five fundamental pillars that form a coherent and comprehensive ICT risk management framework. These pillars set out specific technical requirements that financial institutions must integrate into their daily operations.
- ICT Risk Management: the central pillar of DORA. It requires financial institutions to have a robust, comprehensive and well-documented ICT risk management framework. This framework must enable them to proactively identify, classify, assess, protect against, prevent, detect, respond to and recover from ICT risks.
- ICT Incident Management, Classification and Reporting: DORA harmonizes and simplifies incident reporting. It establishes a standardized process for entities to classify incidents according to their impact and report them to the competent authorities.
- Digital Operational Resilience Testing: to verify the effectiveness of the measures implemented, DORA requires a rigorous and comprehensive testing program.
- Third-party Risk Management (ICT Providers): DORA recognizes that risk comes not only from within the entity itself, but also from its digital supply chain. It therefore establishes requirements for the management of ICT service providers.
- Information Sharing and Cyber Intelligence: the regulation promotes collaboration and information sharing on cyber threats among financial institutions.

Digital Operational Resilience Act: The Role of Authorities and Compliance
The effective implementation of the DORA Regulation depends to a large extent on the active and coordinated role of supervisory authorities, both at national and European level. DORA establishes a clear supervisory structure to ensure that financial institutions comply with their obligations and that the regulatory framework is applied consistently across the EU.
National Competent Authorities (for example, the Bank of Spain or the CNMV in Spain) are primarily responsible for supervising compliance with DORA by financial institutions operating in their jurisdiction. Their functions include:
- Assessment of Risk Management Frameworks: they review and assess entities' ICT risk management documentation, strategies, policies and procedures.
- Incident Monitoring: they receive and analyze reports of serious incidents, ensuring that entities take appropriate corrective action.
- Review of Resilience Testing: they oversee digital resilience testing programs and, in particular, the results of advanced, threat-led penetration testing (TLPT).
- Sanctioning Powers: they are empowered to conduct inspections, require remediation of identified deficiencies and impose administrative sanctions and corrective measures in case of non-compliance.
At the European level, the European Supervisory Authorities (ESAs) play a crucial coordinating and regulatory development role. Together with the Joint Committee of the ESAs, they are responsible for:
- Development of Technical Standards: they develop the regulatory technical standards (RTS) and implementing technical standards (ITS) detailing the specific requirements of DORA, ensuring harmonized implementation.
- Critical Supplier Supervision Framework: one of the ESAs will be designated as the "lead supervisor" for each critical ICT third-party provider (CTPP), coordinating a joint supervision team with experts from the national authorities.
Entities must actively demonstrate that they have integrated the requirements of the regulation into their governance, systems and processes. This involves being able to evidence their effectiveness and report transparently to supervisors.
Who Is Affected by The DORA Regulation? Overview of Regulated Entities
The scope of application of DORA is extremely broad and covers almost the entire EU financial and insurance sector. The regulation applies to more than 20 different types of financial institutions as well as ICT service providers.
Financial institutions covered by DORA include:
- Credit institutions (banks).
- Payment and e-money institutions.
- Investment services companies.
- Alternative investment fund managers and UCITS management companies.
- Insurance and reinsurance companies, as well as insurance intermediaries.
- Cryptoassets: cryptoasset service providers (under MiCA Regulation) and issuers of asset-backed tokens.
- Market Infrastructures: central counterparties (CCPs), credit rating agencies, benchmark administrators and data repositories.
- Crowdfunding: providers of crowdfunding services.
As mentioned above, DORA applies directly to ICT service providers that are designated as critical to the financial sector. This designation is made by the European Supervisory Authorities based on criteria such as the number of financial institutions they serve, the systemic importance of these institutions and the difficulty of replacing the provider.
The regulation contemplates the principle of proportionality, which means that the application of its requirements will be adapted to the size, business profile and risk level of each entity. Smaller entities are subject to a simplified framework.
DORA and Its Impact on Cybersecurity and Business Continuity Management
The DORA Regulation redefines the approach to cybersecurity and business continuity in the financial sector. Traditionally, these two disciplines have often been managed separately. DORA merges them under the unifying concept of digital operational resilience, recognizing that you can't have one without the other.
The most significant impact is the shift from a reactive to a proactive, risk-based approach. Entities must have a comprehensive strategy that spans the entire risk lifecycle, from prevention to recovery to learning.
Cybersecurity Impact:
- Board Accountability: elevates cybersecurity to a top priority issue for the board of directors.
- Threat Intelligence: forces entities to go further and develop threat intelligence capabilities to anticipate and prepare against attacks.
- Advanced Testing: requiring TLPT testing for critical entities introduces a level of rigor in security testing that is unprecedented in financial regulation.
Impact on Business Continuity:
- Focus on Critical Functions: requires detailed business impact analysis (BIA) to identify critical functions and establish clear recovery time objectives (RTO) and recovery point objectives (RPO).
- Response and Recovery Plans: business continuity and disaster recovery plans must be more detailed, integrated with incident management and tested regularly.
- Crisis Communication: robust communication plans must be in place to manage communication with customers and authorities during a major disruption.
Differences and Synergies Between DORA and Other EU Regulations (NIS2, GDPR, eIDAS, etc.)
DORA does not operate in a regulatory vacuum. It is integrated into the complex ecosystem of EU digital regulations, creating synergies and overlaps with other key regulations.
- NIS2 (Network and Information Security 2) Directive: horizontal directive establishing cybersecurity measures for critical sectors. DORA is a lex specialis for the financial sector, i.e. for financial institutions DORA prevails over NIS2. The requirements of DORA are more detailed and stringent than those of NIS2.
- GDPR (General Data Protection Regulation): DORA and GDPR are complementary. GDPR focuses on the protection of personal data and privacy, while DORA focuses on the operational resilience of the systems that process that data.
- eIDAS (Electronic Identification, Authentication and Trust Services): establishes the framework for electronic identification and trust services (electronic signatures, seals, etc.). DORA relies on the services regulated by eIDAS to ensure the security and integrity of digital transactions and communications.
- AML6 (6th Anti-Money Laundering Directive) and KYC (Know Your Customer) Standard: focus on the prevention of money laundering. The digitization of KYC processes depends on resilient ICT systems. DORA ensures that the platforms used for customer identification and transaction monitoring are secure and available.
- MiCA (Markets in Crypto-Assets): regulates the issuance and provision of services related to cryptoassets. DORA applies to crypto-asset service providers covered by MiCA, ensuring that these new digital entities meet the same standards as traditional finance.

Digital Operational Resilience Regulation (DORA), Driver of Secure and Resilient Digital Transformation
The Digital Operational Resilience Regulation (DORA) should be seen as a strategic opportunity and a key driver for the digital transformation of the European financial sector, laying the foundations for a more secure, innovative and resilient financial ecosystem.
Companies that proactively address DORA will not only ensure compliance, but will also build a lasting competitive advantage. They will be better prepared to innovate, to adopt new technologies and to respond with agility to the challenges of the future.
DORA Implementation and Compliance: Challenges and Opportunities for Companies
Adapting to the DORA Regulation by January 2025 has presented both significant challenges and strategic opportunities for financial institutions and their vendors.
Challenges:
- Complexity and Cost: implementing DORA can be a complex and costly process. It requires investments in technology, internal process re-engineering and the hiring or training of specialized cybersecurity staff.
- Supply Chain Management: managing third-party risk is one of the biggest challenges. Entities need to review and renegotiate contracts with ICT suppliers to include the clauses required by DORA, in addition to implementing a monitoring system.
- Talent Gap: there is a global shortage of qualified cybersecurity professionals. Finding the talent needed to implement and maintain DORA compliance is a competitive challenge.
- Cultural Integration: DORA requires digital resilience to be a shared responsibility, from the board of directors to the last employee.
Opportunities:
- Improved Resilience and Trust: entities that embrace the regulation strengthen their security posture, reduce the risk of costly disruptions, and increase customer confidence.
- Competitive Advantage: strong operational resilience can become a key differentiator. Companies that can show they are safer and more reliable are better placed to attract and retain customers.
- Operational Efficiency: reviewing and optimizing ICT processes and systems to comply with DORA can lead to greater operational efficiency, better visibility of technology assets and more informed decision making.
- Secure Innovation: by establishing a clear and robust security framework, DORA can act as a catalyst for innovation. Entities will be able to adopt new technologies with greater confidence, knowing that they have the right controls in place.
How a Trusted Service Provider Can Help You Comply With DORA
Qualified Trust Service Providers (QTSPs) like Tecalis, regulated by the eIDAS framework, are strategic allies for financial institutions for DORA compliance. They offer technology solutions that incorporate high levels of security, integrity and authenticity, addressing the requirements of the regulation.
A QTSP helps to comply with DORA in several key ways:
- Strong Customer Authentication (SCA): to protect access to systems and data, DORA requires strong authentication mechanisms. QTSPs offer digital identity solutions and qualified certificates that enable secure multi-factor authentication.
- Data Integrity and Confidentiality: qualified electronic signatures and seals ensure that data and communications have not been altered and come from a verified source.
- Secure Communications: incident reporting and threat information sharing require secure communication channels. Certified electronic delivery services provided by QTSPs ensure the confidentiality, integrity and proof of delivery of these communications.
- Traceability and Non-Repudiation: QTSP solutions, such as qualified time-stamping, provide an immutable audit trail of transactions and operations, crucial for investigating incidents and demonstrating compliance to regulators.
Tecalis, as a QTSP, offers digital identity and e-signature solutions designed to help companies in the financial sector comply with DORA.
- Identity Verification (Video ID and Photo ID): Tecalis' digital identification solutions allow KYC and customer onboarding processes to be performed remotely and securely, complying with security standards and AML regulations.
- Biometric Authentication: Tecalis offers multi-factor authentication systems using facial or fingerprint biometrics. They can be integrated into mobile banking applications or online platforms to provide a robust and frictionless layer of security for account access and transaction authorization.
- Qualified Electronic Signature (QES): Tecalis' electronic signature, Tecalis Sign, enables the signing of contracts and documents with the highest level of legal and technical security recognized in the EU. The use of QES guarantees the integrity of the document and the authenticity of the signatory.
The implementation of Tecalis solutions enables financial institutions to not only meet specific DORA requirements related to access security and data integrity, but also to automate and secure key processes, freeing up resources and improving operational efficiency while building a truly resilient digital environment.