Quick background and general information
What is DORA?
A simple way of thinking of Digital Operational Resilience Act (DORA) is that it’s like GDPR but for digital products and services instead of personal data and privacy. It’s specifically developed for the financial sector and aims to ensure that companies providing financial services can withstand, respond to, and recover from all types of information and communication technology issues and threats.
Information and communication technology, basically digital products and services, is a central term in DORA and normally referred to as ICT or ICT Services.
To whom does DORA apply?
DORA applies to a wide range of companies within the financial sector in the EU. In addition, DORA also applies to ICT third-party service providers that offer digital services and data services to these financial entities. This includes providers of cloud services, software, data analysis services, and data centers.
Does DORA apply to my company?Most probably yes, if:
your company falls under the financial supervisory authority in your country (in Sweden, Finansinspektionen)
you are a provider of critical infrastructure, or digital services or products to financial companies
What if DORA does not apply directly to my company but to my customers?
If you are a key service for your customers, they will be responsible for managing potential risk to the services you provide. They need to both handle the risk proactively and be prepared to report incidents in a quick, comprehensive and correct manner in case your service has interruptions or issues that affect their operations. Therefore, we strongly recommend that you proactively help your customers, by:
understand which parts of DORA apply to you
make sure to meet the requirements imposed on your product and organization
proactively reach out to your customers and show them that you are on top of DORA and help them by providing data about your company and product that they will need to their third-party provider information register
Key Requirements for DORA Compliance
To become DORA compliant, financial companies need to:
Implement robust ICT risk management frameworks
Report major ICT-related incidents to relevant authorities
Conduct regular digital operational resilience testing
Manage third-party ICT risks effectively
Share threat intelligence information with other financial entities
Naturally, these are only very high level steps and there are a lot of nuances and details in each step and each step might be more or less relevant and comprehansive for your organization. The bad news are that you will have to spend some time getting acquainted with DORA and implementation will need both time and resources from you.T here are some good news however, done right, DORA will provide you with a great foundation for proactivly and systematically manage cyber security in your organization. Also, once you spend some time getting to know the regulation it’s actually not that complicated and hard to implement DORA requirements. It’s also a very good foundation for a ISO 27001, if getting compliant and certified would be relevant for your company.
Timeline for Implementation
DORA is comes into effect in January 2025.
Relationship with ISO 27001 and NIS 2
ISO 27001: ISO 27001 is a great starting point for DORA compliance, and DORA builds upon many principles found in ISO 27001. Organizations that are certified or have implemented ISO 27001 principles have a head start and a huge advantage in becoming DORA compliant. The same goes the other way: implementing DORA will make it easier and faster to implement ISO 27001.
NIS 2: The Network and Information Systems (NIS 2) Directive and DORA are both EU directives and complement each other. While NIS 2 applies to a broader range of critical sectors, DORA is specifically tailored to the financial sector. Companies providing financial services in critical sectors complying with DORA will likely need to meet NIS 2 requirements as well. Complying with one does not in any way guarantee compliance with the other. There is, however, a lot of overlap, which makes compliance with both easier to accomplish once you are compliant with either one.
