The financial sector in the European Union is facing another major regulatory change – the DORA (Digital Operational Resilience Act) regulation. All indications are that if your company operates in this sector or provides technology services to financial entities, it’s a good idea to start preparing for it now. Read the post below and learn what DORA is, what implications it has, and what steps you can take to be fully prepared.
What is DORA and why is it important?
DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is an EU regulation that sets a single framework for managing ICT and cyber-security risk in the financial sector. Born out of the need to secure the digital financial landscape, DORA is designed to strengthen resilience to ICT-related incidents and, as a result, better safeguard customers and their data and assets. What’s more, given the ever-increasing role of technology in financial services, DORA’s requirements don’t stop with traditional financial institutions: they also reach information and communications technology (ICT) third-party service providers, through mandatory contract terms and, for providers designated as critical, a direct EU-level oversight framework.
How does DORA differ from other regulations in the financial sector, such as the GDPR (RODO) or the NIS/NIS2 directives?
While the GDPR (known in Poland as RODO) focuses on the protection of personal data, and the NIS/NIS2 directives establish a general, cross-sector framework for cyber security, DORA goes a step further for financial entities. It spells out how they must manage ICT risk, test their systems, report incidents and contract with ICT providers, and it gives financial supervisors the tools to inspect those arrangements in depth. For the financial sector, DORA is the sector-specific (lex specialis) rule set that takes precedence over the corresponding NIS2 provisions. It is the first such comprehensive approach that directly links the financial sector to the ICT sector.
Who is covered by the DORA regulation?
The biggest news in DORA is that the regulations extend not only to financial giants like banks and insurance companies, but also to investment firms, payment and e-money institutions, FinTechs, crypto-asset service providers and, just as importantly, ICT service providers. If you are a technology provider to the financial sector, you can no longer stand on the sidelines: your customers are obliged to impose DORA’s contractual requirements on you, and if you are designated a critical ICT third-party provider you fall under direct oversight by the European Supervisory Authorities. DORA makes you a part of the financial ecosystem, with all the duties and responsibilities that entails.
DORA’s main components and requirements
We outline the key elements and requirements of this innovative piece of legislation that every financial institution and ICT service provider should know and implement.
- ICT risk management framework:
One of the main requirements of DORA is to establish and maintain a sound, documented ICT risk management framework, backed by a digital operational resilience strategy. This is not just about the technical aspects, but about identifying, protecting against, detecting, responding to and recovering from ICT risk across the entire organization. The framework must be integrated into the overall risk management system and reviewed at least once a year, and the management body is directly accountable for it.
- Obligation to conduct regular digital operational resilience testing:
DORA requires a testing programme proportionate to the entity’s size and risk profile, including vulnerability assessments and penetration tests. ICT systems supporting critical or important functions must be tested at least once a year, and financial entities singled out by their supervisors must additionally undergo threat-led penetration testing (TLPT) on live production systems at least every three years. The tests are designed to identify vulnerabilities before an attacker can exploit them, and may be carried out by qualified internal teams or by independent external testers, subject to DORA’s independence requirements.
- The need to report security incidents:
Major ICT-related incidents must be reported to the competent authority within short deadlines and in stages: an initial notification, an intermediate report when the situation changes or on request, and a final report once the root-cause analysis is complete. Financial entities may also notify significant cyber threats voluntarily. This presupposes an internal process for detecting, logging and classifying incidents against DORA’s materiality criteria. Prompt and transparent communication is key to incident management and can help avoid further problems, both for the organization and its customers.
- Guidelines for ICT vendor contracts:
DORA introduces detailed requirements on what contracts between financial institutions and ICT service providers must contain: a clear description of the services and of where data is processed, service levels, security and business-continuity obligations, assistance during ICT incidents, the provider’s cooperation with the financial entity’s supervisors, unrestricted audit and access rights, exit strategies and termination rights. In practice this means that providers must meet defined security standards and be ready for audits and monitoring by their financial-sector customers and, through them, by regulators.
DORA schedule – vacatio legis and key dates
The DORA regulation provides a 24-month vacatio legis, a transition period during which the entities covered adjust their operations and procedures to the new requirements. This period is intended to give financial institutions and ICT service providers time to understand and implement the new rules thoroughly.
DORA formally entered into force on January 16, 2023. From that date the adjustment period runs, during which organizations are expected to bring their procedures into line with DORA.
DORA applies from January 17, 2025. By then, entities must have fully implemented mechanisms and procedures that comply with the regulation.
DORA and the Polish financial market – from directives to new requirements
The Polish financial market already had various regulations related to risk management and information security.
Previous regulations in Poland:
- PSD2: It focused on opening the market to new players, as well as enhancing the security of financial transactions.
- Recommendation D: Issued by the Polish Financial Supervision Authority (KNF), it sets out expectations for managing IT and ICT security risk in banks.
What does DORA change for Poland?
- Tightening standards: DORA introduces more detailed and stringent guidelines, especially in the context of cyber risk management.
- Expanding scope: Not only financial institutions, but also ICT service providers are being covered by the new regulations.
- Harmonization with the EU: Polish institutions will have to adapt to EU-wide standards, which may make it easier for them to expand into other European markets.
DORA brings a new quality to the Polish financial sector, bringing with it a number of challenges but also opportunities. Regulations to date have been an important foundation, but DORA represents a comprehensive approach to managing risk and security in a digital world.
How to prepare? Practical tips for complying with DORA
Preparing for the new regulations introduced by DORA is a task that may seem complicated, but is entirely doable. We will provide some practical tips to help both financial institutions and ICT service providers get through the process.
Analysis and evaluation of existing systems
The first step should be a detailed analysis and evaluation of systems and procedures already in place. Discovering potential gaps in security and risk management will allow for more targeted action.
Options for adapting existing procedures
- Update security policies: Review and possibly update existing policies and risk management procedures.
- Staff training: Staff awareness is important, so investing in cyber security training is essential.
- Integration with new tools: There are tools on the market that can facilitate adaptation to DORA.
Introduction to tools
- SIEM (Security Information and Event Management) systems: Collect and correlate logs from across the estate, supporting the anomaly detection DORA requires and providing the timeline evidence needed to classify and report incidents.
- SOAR (Security Orchestration, Automation, and Response) platforms: Automate response playbooks so that incidents are contained and escalated faster, which also helps meet the incident reporting deadlines.
The implementation of these tips and tools will facilitate compliance with DORA requirements and contribute to an overall improvement in the security level and operational efficiency of the institution. It is also an opportunity to build a stronger, more competitive organization.
How does ITH support adaptation to DORA in the financial sector?
ITH audits infrastructure from both a technical and a formal-legal perspective. In addition, ITH offers a range of services that can help financial institutions meet DORA requirements.
Network security
- Managed Firewall: Gateway-level protection supporting the ICT protection and prevention measures DORA expects (DORA itself does not certify individual products as compliant).
- Network as a Service: Flexible management of network infrastructure in accordance with DORA requirements.
Security audits and tests
- IT security audit: A thorough analysis for potential threats and vulnerabilities.
- Infrastructure vulnerability scans: Regular vulnerability assessments, one of the testing tools DORA’s resilience testing programme calls for; they complement rather than replace penetration tests.
Data management
- Backups: Backup policies and tested recovery procedures, in line with DORA’s requirements for business continuity and ICT recovery.
Each of these services is designed to support the financial sector in fully adapting to the new regulations. Utilizing these services can significantly ease the process of adapting to DORA requirements, while also increasing the level of security within the organization.
What do you need to know and how to prepare for DORA? – Summary
The DORA regulation is not just another set of rules to follow. It’s a compilation of best practices, standards and obligations designed to raise the level of cyber security across the financial sector. Failure to comply will not only expose an organization to the risk of legal sanctions, but will also undermine its reputation and trust in the industry.
Organizations must therefore be proactive, starting with reviewing and updating their risk management strategies, implementing regular penetration testing, and formalizing procedures for reporting incidents and managing relationships with ICT vendors. Each of these steps requires close cooperation between IT, security and management departments, as well as understanding and acceptance at the highest levels of management.
DORA is an opportunity to raise standards, increase resilience to cyber threats and build lasting, secure relationships with partners and customers. Ultimately, it is an investment in the long-term stability and success of the company.